what type of encryption is firefox using for password protection and how trustworthy is it

  • 5 replies
  • 11 have this problem
  • 2 views
  • Last reply by firefox1106

more options

I would like to know what kind of encryption FF uses and how I know I can trust it? This is not a bone of contention with FF, I love the product, rather it is just a concern I have that will convince me to let FF manage my financial passwords. Thanks for any assistance with understanding this issue more completely.

All Replies (5)

more options

The degree of protection very much depends on how strong your master password is.

When using a master password, the data is encrypted using Triple DES Encryption in CBC mode. This level of encryption is good for general purpose use. The weak point is the master password: if you have a weak master password, there are programs available that will be able to crack the master password; they often do this by using a brute force method. If you use a strong master password, the brute force method will need a very long time to crack passwords. For details on password strength and creating strong passwords see http://en.wikipedia.org/wiki/Password_strength and http://luxsci.com/blog/security-simplified-the-basesuffix-method-for-memorable-strong-passwords.html
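An added example, not part of the reply above and not Firefox code: it compares an upper-bound estimate of a master password's brute-force search space with the roughly 112-bit effective strength of three-key Triple DES, to show which of the two is the weaker link. The function names, the guess rate and the short common-password list are assumptions constructed for illustration.

```python
import math
import string

# Assumption: offline guesses per second an attacker can test against the
# master password. Constructed figure for illustration, not a measurement.
GUESSES_PER_SECOND = 1e9
# Three-key Triple DES has 168 key bits but about 112 bits of effective
# strength because of the meet-in-the-middle attack.
TDES_EFFECTIVE_BITS = 112
# Constructed sample of common passwords; a real audit uses a large list.
COMMON = {"password", "123456", "qwerty", "letmein", "firefox"}

CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
           string.digits, string.punctuation)


def pool_size(pw):
    """Alphabet size a brute-force search must cover to reach pw."""
    size = sum(len(cls) for cls in CLASSES if any(c in cls for c in pw))
    # Characters outside the four ASCII classes (spaces, non-ASCII) are
    # counted individually so they never shrink the estimate to zero.
    size += len({c for c in pw if not any(c in cls for cls in CLASSES)})
    return size


def guess_bits(pw):
    """Upper bound on the search space in bits; 0 for listed passwords."""
    if not pw or pw.lower() in COMMON:
        return 0.0
    return len(pw) * math.log2(pool_size(pw))


def years_to_exhaust(bits, rate=GUESSES_PER_SECOND):
    """Years needed to try every candidate in a 2**bits search space."""
    return 2 ** bits / rate / (365.25 * 24 * 3600)


def weakest_link(pw):
    """Name whichever is easier to search: the password or the cipher key."""
    if guess_bits(pw) < TDES_EFFECTIVE_BITS:
        return "master password"
    return "cipher"


if __name__ == "__main__":
    for sample in ("firefox", "abcd", "Tr0ub4dor&3"):  # constructed inputs
        bits = guess_bits(sample)
        print(f"{sample!r}: <= {bits:.1f} bits, "
              f"{years_to_exhaust(bits):.3g} years, "
              f"weakest link: {weakest_link(sample)}")
```

The bit count is an upper bound: passwords built from words or repeated patterns fall far faster than a character-by-character estimate suggests.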

more options

Thanks for the speedy response. This is what I needed to know. My passwords are obnoxious so it should be safe to use FF is what you are telling me. Thanks again.

more options

Could I trust online banking password if I use a VERY STRONG FF MASTER PASSWORD? Now I am using Roboform but it is getting rather complicated with each new update.

Thank you

more options

You ask a difficult question but a good question. Don't feel you must take my word as gospel but here is my take on the issue of passwords. These are my own thoughts based on my previous experience with the software industry.

Keep in mind that software folks believe their systems are strong and unbreakable as a rule. My take is a bit more pessimistic. Others disagree with me strongly.

My answer to your question is that the Triple DES used by Firefox should be adequate if your password strength is very, very strong and you change your password on a regular basis to your most critical website access points such as banking, credit union, Amazon, or other on-line financial-like accounts.

Most of us do not make changes to our passwords regularly. Do you know how to create a strong password?

Here are a couple of references that were shared with me on how to create a strong password: http://en.wikipedia.org/wiki/Password_strength and http://luxsci.com/blog/security-simplified-the-basesuffix-method-for-memorable-strong-passwords.html

Note also that RSA recently reported a breach of their two token SecurID product which I consider the strongest available password solution in production. It is composed of a strong password coupled with the SecurID token which has an ever changing 6-digit number that is used in conjunction with the password to access the "system." This reported breach at Lockheed Martin was an "inside job" in my opinion but no one is really saying it was or anything else for that matter. I wish the RSA SecurID token was standard because it would essentially be unbreakable---except from the inside secure solution issue. Alas, this has not come to pass.

For personal safety reasons, I still prefer to create my own passwords that are not stored on my machine for my critical banking, savings, purchasing (Amazon-like sites) and health accounts only. I use Firefox's solution for all other websites.

Hope this helps answer your question.

more options

Thank you very much, agree completely. I am sure all reading your suggestions and also applying it will be thankful feeling safer.