
If I disable my master password and enable sync of my passwords, how are they encrypted? What is my encryption key?

  • 10 replies
  • 4 have this problem
  • 13 views
  • Last reply by cor-el


In the new sync feature I can select passwords to be synced but then I need to disable my master password.

How exactly are my passwords stored and encrypted when I sync them? I want to be in control of the encryption key that encrypts my passwords. I don't feel that the security solution for storing my passwords in the sync solution has been adequately explained to me.

I'm considering getting LastPass instead.

Regards, Daniel Hegner


All Replies (10)


I am not sure we have fully documented this properly.

I will tag this question as escalate. That will bring it to the attention of the other contributors and the HelpDesk staff, but be aware it could be two or three days before HelpDesk staff get round to answering. Meanwhile see a previous post of mine that partly explains the situation and links to what documentation I can find.


Hi da9l,

Thank you for escalating this John99. After reading the documentation of the blog post. The new sync encrypts the key with

https://github.com/mozilla/fxa-auth-s.../onepw-protocol

  • "On the server, code should get entropy from /dev/urandom via a function that uses it, like "crypto.randomBytes()" in node.js or "os.urandom()" in python."
  • "HKDF-based stream cipher is used to protect the contents of some requests."
  • options.payload = true is recommended

Right now the master password and sync password are not synced https://bugzilla.mozilla.org/show_bug.cgi?id=995268

This discussion is also taking place; for more info, see Brian Warner's blog post on the old and new sync.

To address this https://bugzilla.mozilla.org/show_bug.cgi?id=973759, however it is in backlog so I recommend not syncing passwords for now unless you change the sync password often.

Modified by guigs
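
The points quoted in the reply above name two building blocks: key material drawn from the OS CSPRNG and an HKDF-derived keystream protecting request contents. As an added example (not from the original post and not Mozilla's code), here is that general construction in Python: an HKDF-SHA256 keystream XORed over the payload, then HMAC-SHA256 over the ciphertext. The function names, context label and payload are assumptions, and the key schedule does not reproduce the onepw protocol's own.

```python
import hashlib
import hmac
import os

HASH_LEN = 32  # SHA-256 output size in bytes


def hkdf(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """HKDF-SHA256 (RFC 5869): extract a PRK, then expand to `length` bytes."""
    if length > 255 * HASH_LEN:
        raise ValueError("HKDF-SHA256 cannot output more than 8160 bytes")
    prk = hmac.new(salt or b"\x00" * HASH_LEN, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def _keys(token: bytes, context: bytes, n: int):
    # One HKDF call yields both the MAC key and an n-byte keystream.
    out = hkdf(token, context, HASH_LEN + n)
    return out[:HASH_LEN], out[HASH_LEN:]


def seal(token: bytes, context: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: XOR with the keystream, append an HMAC tag."""
    mac_key, stream = _keys(token, context, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    return ciphertext + hmac.new(mac_key, ciphertext, hashlib.sha256).digest()


def unseal(token: bytes, context: bytes, sealed: bytes) -> bytes:
    """Verify the tag in constant time before decrypting anything."""
    if len(sealed) < HASH_LEN:
        raise ValueError("message too short")
    ciphertext, tag = sealed[:-HASH_LEN], sealed[-HASH_LEN:]
    mac_key, stream = _keys(token, context, len(ciphertext))
    expected = hmac.new(mac_key, ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("MAC mismatch: message altered or wrong token")
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


if __name__ == "__main__":
    token = os.urandom(32)               # single-use secret from the OS CSPRNG
    ctx = b"example.invalid/v1/demo"     # hypothetical context label
    boxed = seal(token, ctx, b"constructed sample payload")
    print(boxed.hex(), unseal(token, ctx, boxed))
```

The token must be used for one message only: reusing it with the same context repeats the keystream, and XORing two such ciphertexts reveals the XOR of their plaintexts.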


Thanks cor-el & guigs2

Interesting blog & Github articles. I look forward to the 2nd blog article.


Well, I now understand that my bookmarks and passwords are securely stored at the Mozilla servers, but my concern now is that they can no longer be stored securely when at rest on my devices if I want sync to work.

Making it impossible to sync passwords that have been encrypted by a master password breaks one of FF's top selling points IMHO.

My suggestion is that the sync password and the master password are merged into the one and same with the option to ask for it every time the user starts the browser.

That would enable secure storage of the passwords both in transit and at rest in each synced device and re-enable one of FF's top unique selling points IMHO.

Regards, Daniel Hegner

Modified by da9l


I've looked through all the posts on this topic and none of them have explained why the new sync has required us to make our passwords insecure on our computers.

I'm sure someone must have decided this was a good idea - please let the rest of us know why and what the logic was.


Unfortunately the master password system and the sync of passwords are separate and incompatible systems.

The Master password System is relatively low security. There is a possibility that either the Master Password system or Sync may be modified at some future date to address this issue.

Possibly you may wish to investigate the use of some third party solution. Possibly the LastPass addon.


The second blog, mentioned upthread, is now available.


Note that if you are connected to Sync that the data to connect to your Firefox Account is stored in the signedInUser.json file in the Firefox profile folder (if you disconnect then this data is removed).

  • Bug 970167 - disable password sync when master password is enabled
  • Bug 909967 - Firefox Account Signed-in User module