Join the AMA (Ask Me Anything) with the Firefox leadership team to celebrate Firefox 20th anniversary and discuss Firefox’s future on Mozilla Connect. Mark your calendar on Thursday, November 14, 18:00 - 20:00 UTC!

为提升您的使用体验,本站正在维护,部分功能暂时无法使用。如果本站文章无法解决您的问题,您想要向社区提问的话,请到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 提问,我们的支持社区将会很快回复您的疑问。

搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

If I disable my master password and enable sync of my passwords, how are they encrypted? What is my encryption key?

  • 10 个回答
  • 4 人有此问题
  • 13 次查看
  • 最后回复者为 cor-el

more options

In the new sync feature I can select passwords to be synced but then I need to disable my master password.

How exactly are my passwords stored and encrypted when I sync them? I want to be in control of the encryption key that encrypts my passwords. I don't feel that the security solution for storing my passwords in the sync solution has been adequately explained to me.

I'm considering getting lastpass instead.

Regards, Daniel Hegner

In the new sync feature I can select passwords to be synced but then I need to disable my master password. How exactly are my passwords stored and encrypted when I sync them? I want to be in control of the encryption key that encrypts my passwords. I don't feel that the security solution for storing my passwords in the sync solution has been adequately explained to me. I'm considering getting lastpass instead. Regards, Daniel Hegner

所有回复 (10)

more options

I am not sure we have fully documented this properly.

I will tag this question as escalate. That will bring it to the attention of the other contributors and the HelpDesk staff, but be aware it could be two or three days before HelpDesk staff get round to answering. Meanwhile see a previous post of mine that partly explains the situation and links to what documentation I can find.

more options

Hi da9l,

Thank you for escalating this John99. After reading the documentation of the blog post. The new sync encrypts the key with

https://github.com/mozilla/fxa-auth-s.../onepw-protocol

  • "On the server, code should get entropy from /dev/urandom via a function that uses it, like "crypto.randomBytes()" in node.js or "os.urandom()" in python."
  • " HKDF-based stream cipher is used to protect the contents of some requests."
  • options.payload = true is recommended

Right now the master password and sync password are not synced https://bugzilla.mozilla.org/show_bug.cgi?id=995268

This discussion is also taking place for more info see Brian Warner's blog post on the old and new sync

To address this https://bugzilla.mozilla.org/show_bug.cgi?id=973759, however it is in backlog so I recommend not syncing passwords for now unless you change the sync password often.

由guigs于修改

more options
more options

Thanks cor-el & guigs2

Interesting blog & Github articles. I look forward to the 2nd blog article.

more options

Well I now understand that my bookmarks and passwords are securly stored at the mozilla servers but my concern now is that they can no longer be stored securly when in rest at my devices if I want sync to work.

Making it impossible to sync passwords that has been encrypted by a master password breaks one of FF's top selling points IMHO.

My suggestion is that the sync password and the master password are merged into the one and same with the option to ask for it every time the user starts the browser.

That would enable secure storage of the passwords both in transit and at rest in each synced device and re-enable one of FF's top unique selling points IMHO.

Regards, Daniel Hegner

由da9l于修改

more options
more options

I've looked through all the posts on this topic and none of them have explained why the new sync has required us to make our passwords insecure on our computers.

I'm sure someone must have decided this was good idea - please let the rest of us know why and what the logic was.

more options

Unfortunately the master password system and the sync of passwords are separate and incompatible systems.

The Master password System is relatively low security. There is a possibility that either the Master Password system or Sync may be modified at some future date to address this issue.

Possibly you may wish to investigate the use of some third party solution. Possibly the 'LastPass addon.

more options

The second blog; mentioned upthread; is now available

more options

Note that if you are connected to Sync that the data to connect to your Firefox Account is stored in the signedInUser.json file in the Firefox profile folder (if you disconnect then this data is removed).

Bug 970167 - disable password sync when master password is enabled Bug 909967 - Firefox Account Signed-in User module