為了改善您的使用體驗,本網站正在進行維護,部分功能暫時無法使用。若本站的文件無法解決您的問題,想要向社群發問的話,請到 Twitter 上的 @FirefoxSupport 或 Reddit 上的 /r/firefox 發問,我們的社群成員將很快會回覆您的疑問。

搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

A small suggestion about the "MASTERE PASSWORD" and how it works.

  • 5 回覆
  • 2 有這個問題
  • 1 次檢視
  • 最近回覆由 cor-el

more options

This is more me "thinking aloud" about the master password and how (I think) it works.

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

So, you set a master password, and all is good. Or is it?

Here's my concern:

You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.

You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.

But say you get some nasty software. It starts looking through your saved logins.

What is stopping it basically getting them all without your knowledge?

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed.

Thanks very much in advance.

This is more me "thinking aloud" about the master password and how (I think) it works. My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc. So, you set a master password, and all is good. Or is it? Here's my concern: You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved. You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario. But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge? My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested". I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed. Thanks very much in advance.

被選擇的解決方法

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

從原來的回覆中察看解決方案 👍 1

所有回覆 (5)

more options

選擇的解決方法

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

more options

Thanks for clearing that confusion up.

Shall search for what you suggested and turn it off.

more options

I don't want to suggest we can get rid of the risk of passwords being scraped from web pages, but at least we can get rid of fake or hidden forms being filled automatically.

more options

Yes. Thanks. I did what you suggested and that shall allay most fears.

more options

On Linux this would normally not much of an issue.

Note that you can logout of the software security device (Password Manager) by canceling a master password prompt that you get when you want to view a password in Lockwise.