We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

This site will have limited functionality while we undergo maintenance to improve your experience. If an article doesn't solve your issue and you want to ask a question, we have our support community waiting to help you at @FirefoxSupport on Twitter and/r/firefox on Reddit.

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

A small suggestion about the "MASTERE PASSWORD" and how it works.

  • 5 svar
  • 2 har dette problemet
  • 1 view
  • Siste svar av cor-el

more options

This is more me "thinking aloud" about the master password and how (I think) it works.

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

So, you set a master password, and all is good. Or is it?

Here's my concern:

You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.

You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.

But say you get some nasty software. It starts looking through your saved logins.

What is stopping it basically getting them all without your knowledge?

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed.

Thanks very much in advance.

This is more me "thinking aloud" about the master password and how (I think) it works. My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc. So, you set a master password, and all is good. Or is it? Here's my concern: You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved. You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario. But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge? My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested". I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed. Thanks very much in advance.

Valgt løsning

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

Les dette svaret i sammenhengen 👍 1

All Replies (5)

more options

Valgt løsning

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

more options

Thanks for clearing that confusion up.

Shall search for what you suggested and turn it off.

more options

I don't want to suggest we can get rid of the risk of passwords being scraped from web pages, but at least we can get rid of fake or hidden forms being filled automatically.

more options

Yes. Thanks. I did what you suggested and that shall allay most fears.

more options

On Linux this would normally not much of an issue.

Note that you can logout of the software security device (Password Manager) by canceling a master password prompt that you get when you want to view a password in Lockwise.