Firefox may soon ask for the Windows Password to interact with saved passwords
Mozilla plans to introduce a change to the password management system of the organization's Firefox web browser on Windows that improves the security of the data.
Firefox users may save logins using native password management capabilities. Passwords may also be imported from other web browsers installed on the device Firefox is installed or run on, or by syncing data between Firefox instances.
The Firefox password manager, recently relaunched as Firefox Lockwise, will prompt users for the Windows password of the signed-in user account before certain interactions with passwords, e.g. showing a password, are permitted; this will only happen if the Firefox user has not set a master password in the web browser.
Current versions of Firefox may be protected with a master password. Once set (setup is completely optional), the master password is required to interact with password storage. Starting in Firefox 76, Firefox will protect passwords for accounts without a master password. Since the master password is off by default, many Firefox users will benefit from this security precaution.
Google has been using a similar system in its Chrome web browser. Unlike Firefox, Chrome does not support the setting of a master password.
Firefox will show a password or PIN prompt on Windows devices once the change lands. Firefox 76, Nightly, has it implemented and users who are adventurous may take it for a test drive. Actions such as a request to reveal a password, to copy it, or to edit a password will spawn the prompt.
Note that this happens each time a request is made currently; it is unclear if Mozilla plans to implement a system that would request the password only once per session or once every y minutes to avoid user annoyance. Firefox will request the master password only once during a session and that system might be preferable to users who interact with passwords regularly.
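The prompting policies compared above, as an added example that is not Firefox code: a gate that prompts on every reveal, copy or edit, once per session, or again after a timeout. `verifyOsUser`, the policy names and the ungated `list` action are assumptions made for illustration.

```javascript
// Added example: models the re-authentication policies the article compares.
// verifyOsUser stands in for the OS credential prompt (hypothetical callback);
// no real Firefox or Windows API is called here.
const GATED_ACTIONS = new Set(["reveal", "copy", "edit"]);

class ReauthGate {
  // policy: "every-request" | "once-per-session" | "timeout" (assumed names)
  constructor({ policy, timeoutMs = 0, verifyOsUser, now = Date.now }) {
    this.policy = policy;
    this.timeoutMs = timeoutMs;
    this.verifyOsUser = verifyOsUser;
    this.now = now;
    this.lastAuth = null; // time of the last successful prompt
    this.prompts = 0;     // how often the user was interrupted
  }

  needsPrompt() {
    if (this.lastAuth === null) return true;
    if (this.policy === "once-per-session") return false;
    if (this.policy === "timeout") return this.now() - this.lastAuth >= this.timeoutMs;
    return true; // every-request: the behaviour the article describes today
  }

  // Returns true if the action may proceed.
  authorize(action) {
    if (!GATED_ACTIONS.has(action)) return true; // assumed ungated, e.g. "list"
    if (!this.needsPrompt()) return true;
    this.prompts += 1;
    if (!this.verifyOsUser()) return false; // failed or cancelled: fail closed
    this.lastAuth = this.now();
    return true;
  }
}

// Constructed session: [minutes since start, action]
const SAMPLE_SESSION = [[0, "reveal"], [1, "copy"], [2, "list"], [12, "edit"], [13, "copy"]];

// Replays a session against a policy and returns the number of prompts shown.
function countPrompts(policy, timeoutMinutes = 0, session = SAMPLE_SESSION) {
  let clock = 0;
  const gate = new ReauthGate({
    policy, timeoutMs: timeoutMinutes * 60000,
    verifyOsUser: () => true, now: () => clock,
  });
  for (const [minute, action] of session) {
    clock = minute * 60000;
    gate.authorize(action);
  }
  return gate.prompts;
}
```

A failed or cancelled prompt never records a successful authentication, so the next gated action prompts again under every policy.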
You can follow the bug on Mozilla's bug tracking website. Firefox 76 is scheduled for a May 5, 2020 release.
Now You: do you use the built-in password manager of your browser or an external application/extension? (via Techdows)
I’m a Chromium user and I’ve disabled browser password saving. Afaik each and every Windows version has been cracked with ease.
I’m not that familiar with Firefox, but a compartmentalized version appears to be more secure.
Unless using cloud synchronization, whichever browser. I prefer writing mine on a Post-it.
Time to set a FF master password I think. Not sure I want Firefox or any installed 3rd party app requesting my windows user account password.
I agree with Trey. It makes little sense, even in the name of increased security, to expose another key password [Windows logon] in any other context.
The result would be the same with less work if they just made the Firefox master password mandatory. But they chose instead to involve Windows or MacOS in the way users manage their Firefox passwords. But why ?
“It’s generally agreed among UX/Engineering/Product that we don’t want to further develop the existing master password functionality, as it’s a poor fit for current needs and our current direction in this area.”
No reason given why, but it’s confirmed that they do not like their own master password. Then here:
“The user may not have to type anything if they have biometrics setup or they may be able to just enter their Windows Hello PIN instead so maybe we could make this sound more convenient.”
Passing on the curious wording, it looks like they are following Microsoft and the gang in their push for biometric identification. If they were even half of what they pretend to be, Mozilla would educate on why biometric identification is a bad society choice for privacy, and would fight it, instead of helping this propagate when they have zero pressure to do so.
And more generally they wouldn’t delegate part of their password management to Microsoft or Apple. What’s the next step, letting them store and manage all the Firefox passwords themselves in the name of convenience or security, with the extra privacy disaster that they are known to be ? It’s dumb enough to store them in Firefox, no need to add to that.
I must add that this is worse than Firefox master password for another reason, too:
“In the current bug we don’t change how the password are stored, we just use an api to ask him for his windows password: it’s a bit cheating so the normal users feel more secure, and he is indeed more secure against normal people attacks, however in the background: advanced user can still get the passwords.”
This is less secure than the master password for that reason. I suppose that with a master password it’s not possible even for an advanced user to get the passwords, because I suppose that they are stored encrypted. Here the Windows password will not be used to encrypt the passwords. This choice of not using the master password instead of the Windows one is *bad* for security, for almost no added convenience. Mozilla demonstrates once again a like-mindedness with and sympathy for the tech giants they should be fighting against.
An example of how unencrypted passwords stored in a standard place like in a browser can easily be abused by malware, and with no-one being safe from that, that “legit” flight simulator software company stole the Chrome passwords of their users to punish them when they used a pirated version of their software, and they even got away with it as far as I know:
And in a post-Snowden era, we should understand now that crowd immunity against mass surveillance requires not storing all clear text passwords in a standard place, better, not even storing them all encrypted in a standard place like a trustworthy password manager, even if one personally has “nothing to fear”. Those are convenience at the cost of security, those are *not* security software.
The Silicon Valley companies are also taking more and more liberty with our passwords, now that they have pushed us to trust them with them. They are being synced in their clouds, and even encrypted this is a convenience that comes with a security cost. There was also this story with Microsoft sharing wifi passwords a bit too easily. And now Firefox sends by default truncated hashes of the passwords to some online service, “for your security”. This is not going to end here. We should stop storing our passwords in such software.
This will be great, as I use Firefox and Lockwise at work.
I used to use both the Firefox password manager, and the one built-in to the Mac (called Keychain). However there are so many malicious cracks floating around online that finally I decided to create a simple encrypted method of my own (not a real program) for storing passwords. My theory is that it’s so unique and obscure that nobody is going to attempt a breach.
Also, for convenience, I’ve consciously set about memorizing as many of my main passphrases as possible. (This is possible because they’re composed of word snippets and numbers that are only meaningful to me.) This way I can (1) exercise my memory, and (2) still have my encrypted thingie to fall back on if I forget one of them.
So far it has worked great, less hassle than it sounds like.
In the “vault” optional features such as browsers, mailers, and cloud storage, I never store any kind of “unique important personal information” (for example, login password).
(Although thing of long ago, the online password manager “LastPass” has twice experienced the data breach, and iCloud also experienced the breach.)
From the lessons learned,
I use “KeePass Password Safe” that can be saved in Local.
For less important things, I also take advantage of the handy Bitwarden.
Surveillance Self-Defense | Tips, Tools and How-tos for Safer Online Communications
Best Password Managers & Security Tips | Restore Privacy
Password Managers | PrivacyTools
What? Trust a lowly web browser with **all** your passwords? Trust a lowly web browser with your local windows account password?
NEVER IN A HUNDRED YEARS. Do it the hard way: an application completely independent, enter your passwords by hand. Use a paper list if you have to but never trust your web browser!
You want security or no security?
This is a really bad idea. Really, really bad idea. Somebody, somehow will exploit this, get Windows administrator password then use it for the first official Malware/Ransomware/Younameit Festival on your PC.
AFAIK it’s better than storing totally unencrypted as what we have now, though it’s wise not to trust MS.
Hope someday there will be integration of libsecret in Linux as well, which makes everyone happy without compromise.
Look at my recent comment here, I think that even with the Windows password the Firefox passwords are still stored unencrypted, unlike if they had used their own master password instead. This makes this change an even worse joke.
If a browser asks for my computer/account password, I will immediately uninstall it and never bother with it again. Even if it’s my favorite browser.
That’s just unacceptable. What will the browser want next? A scan of my ID, my autobiography and my blood type?
How do I opt-out of this crap?
Uninstall Mozilla Firesux and install a modern, better browser.
Hypothetically speaking this is a bad move security wise, Does anyone want the browser or ANY app installed on their device(s) to be able to do anything based on their Windows login password?
If the browser security is compromised on some crafted website, now the hackers also know your device login and all your logins to all the saved websites..
The browser does not know your real password and typed password. It just asks the OS to do the auth procedure. The OS requests the password and checks it. You can see a modal Windows auth dialogue in screenshots.
Martin, you should explain such points in the article…
“Please note that Lockwise does not work if a master password is set currently.”
Is this still the case or what? Will passwords sync from PC to android if a master password is set??
What Windows password? I’ve had Windows since 98SE and I have never used a password on my local Admin account. I always set up a second admin account which I do password protect but not the main account I use all the time. I have desktops (no laptops or tablets) in my home and no one else is here so no need for a Windows password. My computers run 24/7/365 with the hard drives always on so Windows is always booted…only the monitor breathes after a few minutes.
I use Basilisk password manager and also Waterfox and Fx 60.8 ESR’s ones with no master password. This inanity in Fx 76 is just another reason to remain at Fx 60.8 ESR and continue with Basilisk as my default browser.
I do the same. I know Basilisk is experimental and thus is a security risk, but I’m not worried. Security is overrated. In fact, I usually don’t even bother locking my apartment door, but when I do, I always leave the key under the doormat.
I have disabled Lockwise because of its extraordinary silly user interface. About the same silliness as the Windows 10 user interface for managing (too nice a word for that) default apps and file endings
Oh, that’s gonna go over well on a domain setup.
I love how they didn’t make some huge notice before implementing this. I got LOCKED OUT of my computer because I tried to look up a password for another app and this “lockwise” wasn’t working properly. If I wanted my passwords to be password protected, I would have opted for the master password… I am about to leave Firefox again and it’s a chore moving to a different browser.
How do I disable this behavior? I want to see the password, not enter another password to get what I need.
Time to switch to Edge?
I don’t want to have to use another password, especially my Windows password which I don’t want either, because I don’t need to use one as my computer is only for me, I don’t move it from my office and I don’t need another level of security while it is only on my desk. How do I disable this? I have a 7 page hand written list of passwords and I guess I’ll just keep using it and delete my firefox list…but I’ll have to learn how to do that!
Papa bless, finally a little safe without a need to use master password that was bothering and demanding to write it on every login.