Why I can see all my passwords without master-password with database synced with PC which have master-password turned on?
I'm using Firefox with Firefox Sync on different PC's and master password is set from very beginning when I first started to use Firefox.
Today I installed Firefox for Android, authorized in Firefox Sync, opened logins tab, pressed "Show password" button expecting input form for my master password and.. I saw my password. And all others.
The master password was never typed on the android's keyboard. Firefox was never installed on the phone before. How does this possible? Does Firefox store my master-password in web? It's very very wrong. Now anyone who steal my Sync account can see all my passwords even without master-password.
Wybrane rozwiązanie
Firefox for Android has no knowledge of the master password set up on your desktop Firefox. Pressing the show passwords button will display the passwords.
If you would like to use a master password in Firefox for Android you can set that up. Tap the 3 dot menu in the upper right, select settings, select privacy, select Use master password and then choose a password.
The passwords are encrypted before transmitting to the Mozilla Sync service using your Sync password. The only data Mozilla Sync has is fully encrypted and Mozilla or another party cannot decrypt it. When you sign into Sync the encrypted passwords are downloaded and decrypted locally.
If you want the fine details there is a ton of documentation at https://github.com/mozilla/fxa-auth-server#firefox-accounts-server follow the first several links for an in depth explanation of the service.
Przeczytaj tę odpowiedź w całym kontekście 👍 0Wszystkie odpowiedzi (4)
Master passwords are local to that device Firefox does not Sync master passwords.
If you use your master password as a password on another website or as your Firefox Sync password then that would explain why it was displayed.
kbrosnan said
Master passwords are local to that device Firefox does not Sync master passwords. If you use your master password as a password on another website or as your Firefox Sync password then that would explain why it was displayed.
I've been trying to say, that I saw all my passwords, not master password exactly.
Ok, if passwords encrypted with master password only locally, how do they stored on Sync servers? Raw or encrypted with any other password? With which exactly? How do they transferred? Where this decrypt-encrypt stuff is going on? Why it's needed? Why it can't be encrypted with only one password?
Wybrane rozwiązanie
Firefox for Android has no knowledge of the master password set up on your desktop Firefox. Pressing the show passwords button will display the passwords.
If you would like to use a master password in Firefox for Android you can set that up. Tap the 3 dot menu in the upper right, select settings, select privacy, select Use master password and then choose a password.
The passwords are encrypted before transmitting to the Mozilla Sync service using your Sync password. The only data Mozilla Sync has is fully encrypted and Mozilla or another party cannot decrypt it. When you sign into Sync the encrypted passwords are downloaded and decrypted locally.
If you want the fine details there is a ton of documentation at https://github.com/mozilla/fxa-auth-server#firefox-accounts-server follow the first several links for an in depth explanation of the service.
I also have this problem but did not expect my master password to migrate from my laptop to my phone via sync. I set up the master password on my Android phone only to find that when I reqeusted sight of a password, not only was I NOT ASKED for the master password, I was shown a full list of all of my passwords. I am so concerned about this that I am considering cancelling sync altogether so that my passwords are only kept on my main machine. NOTE - I am not blaming sync, this is clearly a problem solely with the master password in Firefox for Android.
Zmodyfikowany przez LindaM w dniu