Why is the Master Password preference not synced on all Firefox devices?
Hi. I'm using Firefox Developer Edition after migrating from Google Chrome.
I see that adding a new device syncs everything correctly, but the master password for the wallet shows as inactive. Isn't this an insecure situation?
If I set a master password for the "password" wallet on device 1 and the new device 2 syncs the data, it will ask the new user for the master password to unlock and use it, instead of being opened without any lock.
Also, which kind of encryption protection method does it use? I mean, is it really secure to store credit cards, etc. in it?
Thank you.
All Replies (3)
The Primary/Master Password works locally and each (desktop) device can have its own primary password, so it is your responsibility to set this primary password on each device (mobile devices do not use the primary password). The PP is never synced to other devices because data on the Sync server is encrypted locally using a key derived from the password of the Sync account before it is uploaded.
OK. Does this mean that the data is decrypted when the user logs in to the Firefox account, and that it is not encrypted on the remote server using the master password, as the majority of password managers do?
On the remote server, all data is encrypted with the password of the Firefox Account you use for Sync. This means that you first need to unlock the passwords by entering the primary password to make it possible to re-encode these logins. This way all login data on the Sync server is encrypted, and not only the username and password as is done locally, but also data like the URL (website) that is normally not encrypted, to make it possible to check if there is a login stored and, when found, prompt to enter the primary password. So, the primary password works locally and each device has its own primary password, and data on the Sync server is encrypted with a different password (the password used for the Sync account). The password for the Sync account is stored in Lockwise as a hidden entry, i.e. it is not visible in Lockwise, but it is stored in logins.json.
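Added example, not part of the thread and not Firefox's own code: a small audit of a `logins.json` file that separates the fields stored encrypted from the ones left readable, which is the local behaviour the last reply describes (username and password encrypted, URL not). The sample file content is constructed, its `encrypted*` values are placeholders, and the function names are hypothetical.

```python
import json

# Constructed sample in the layout of a Firefox profile's logins.json.
# The encrypted* values are placeholders, not real ciphertext.
SAMPLE_LOGINS_JSON = """
{
  "nextId": 3,
  "logins": [
    {"id": 1, "hostname": "https://mail.example.com",
     "formSubmitURL": "https://mail.example.com", "httpRealm": null,
     "usernameField": "user", "passwordField": "pass",
     "encryptedUsername": "PLACEHOLDER-CIPHERTEXT-A",
     "encryptedPassword": "PLACEHOLDER-CIPHERTEXT-B",
     "timesUsed": 4},
    {"id": 2, "hostname": "https://bank.example.net",
     "formSubmitURL": "", "httpRealm": null,
     "usernameField": "", "passwordField": "",
     "encryptedUsername": "PLACEHOLDER-CIPHERTEXT-C",
     "encryptedPassword": "PLACEHOLDER-CIPHERTEXT-D",
     "timesUsed": 1}
  ]
}
"""

ENCRYPTED_PREFIX = "encrypted"


def split_exposure(logins_json_text):
    """Per login: fields readable without the primary password vs. protected ones."""
    report = []
    for entry in json.loads(logins_json_text).get("logins", []):
        protected = sorted(k for k in entry if k.startswith(ENCRYPTED_PREFIX))
        # Empty and null fields carry no information, so they are left out.
        readable = {k: v for k, v in entry.items()
                    if not k.startswith(ENCRYPTED_PREFIX) and v not in ("", None)}
        report.append({"id": entry.get("id"), "readable": readable,
                       "protected": protected})
    return report


def readable_sites(logins_json_text):
    """Sites whose presence is visible in the file even with a primary password set."""
    return sorted({r["readable"]["hostname"] for r in split_exposure(logins_json_text)
                   if "hostname" in r["readable"]})


if __name__ == "__main__":
    for row in split_exposure(SAMPLE_LOGINS_JSON):
        print(row["id"], "readable:", sorted(row["readable"]), "protected:", row["protected"])
    print("sites visible at rest:", readable_sites(SAMPLE_LOGINS_JSON))
```

Run against a copy of a real profile's `logins.json`, the same report shows which sites have saved logins regardless of the primary password, which is why disk encryption and OS account protection still matter on each device.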