
Saving passwords for you is a convenient feature of most browsers. It's important to understand that with that convenience comes risk.

If I consider my computer to be physically secure, am I reasonably safe letting Firefox remember my passwords (without using a master password), or am I being incredibly stupid to do that? What if I do use a master password?

I certainly wouldn't say incredibly stupid at all. But it's definitely an additional risk, and one that needs to be understood.

But you're correct in considering physical security first. The problem is that people often assume they have more physical security than they actually do.

And master passwords? Well, they're nice, but they too have their limitations.

If you're at all wondering why this is even an issue, in Firefox do the following:

  • Click on the Tools menu
  • Click on the Options menu item
  • Click on the Security tab
  • Click on the Saved Passwords... button
  • Click on the Show Passwords button

Yes, the Show Passwords button.

Firefox showing me my passwords

A few clicks and all your passwords are visible.

While I've obscured my own information, that dialog shows a list of URLs, usernames and passwords as remembered in my copy of Firefox. All we had to do was walk up to the computer and follow the simple instructions above to make every stored password clearly visible.

That should have you thinking very carefully about your security.

Anyone who can walk up to your computer can do that, and pretty darned quickly.

What can you do? There are several approaches.

  • Do nothing but rely on physical security. Depending on your circumstances, this may be a viable approach. The key is that you must be certain about your physical security. That means you know that your machine cannot be easily stolen, and that no one can simply walk up to it and access Firefox's remembered password list.

  • Clear the list and stop remembering passwords. This is actually what I recommend for laptop or portable computers. As an alternative, I use Roboform which allows me to store my password database where I choose, and I choose to store it on an encrypted TrueCrypt volume.

  • Use a master password. Firefox allows you to select a master password which is used to encrypt the stored passwords. In theory, without knowing the master password, you cannot access the stored passwords. Here's the problem: I was able to find at least one password cracking tool aimed specifically at the Firefox master password. If someone with malicious intent can steal your computer, or Firefox's encrypted files, they still have a reasonable chance of breaking through this security and gaining access to your stored passwords. As with any password, one key is to make it as strong as possible.

That last one concerns me slightly.

My take is simply this: it's like a padlock. It'll keep most people out. However, if someone who knows what they're doing comes along with a large enough crowbar or a bolt cutter, it's possible that they could get through it.

The real question is what should you do? Unfortunately, I can't answer that for you. It's a situation where you need to understand and balance the real risks that you face, the cost of a compromise, and the inconvenience.

I can throw out a few rules of thumb that I would use:

  • Never allow your passwords to be remembered on a portable computer - at least not without some additional level of much stronger security.

  • If you're ever uncertain, at a minimum throw a master password on the list. That's a fast and only moderately inconvenient way to keep out all but the most dedicated or knowledgeable hacker.
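To make "as strong as possible" concrete, here is an added example (my own code, not Firefox's and not its actual key3.db/NSS storage format) that models a master-password check with PBKDF2-HMAC-SHA256 and estimates how long one machine would need to guess the master password by brute force. The iteration count, the character-class model of the search space and the sample passwords are all assumptions; Firefox's own derivation is not reproduced and may well be cheaper per guess than this model, which is exactly why the length of the passphrase matters more than any constant in the scheme.

```python
"""Model of a browser master-password check and of what it costs to guess one.

Added example, not Firefox's own code: Firefox's real scheme (NSS key3.db)
is not reproduced here. This models the same idea with PBKDF2-HMAC-SHA256
so the effect of password length and work factor can be measured.
"""
import hashlib
import hmac
import math
import os
import time
from typing import Optional

ITERATIONS = 200_000  # assumed work factor; each guess costs this many HMAC rounds
SALT_BYTES = 16


def make_verifier(master: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> dict:
    """Derive a salted PBKDF2 key from the master password.

    Only the salt, iteration count and derived key are kept; the master
    password itself is never written out. In a real store the same key
    would wrap the saved site passwords.
    """
    salt = salt if salt is not None else os.urandom(SALT_BYTES)
    key = hashlib.pbkdf2_hmac("sha256", master.encode("utf-8"), salt, iterations)
    return {"salt": salt, "iterations": iterations, "key": key}


def check_master(candidate: str, verifier: dict) -> bool:
    """Re-derive the key from a candidate and compare in constant time."""
    key = hashlib.pbkdf2_hmac("sha256", candidate.encode("utf-8"),
                              verifier["salt"], verifier["iterations"])
    return hmac.compare_digest(key, verifier["key"])


def search_space(password: str) -> int:
    """Number of candidates an attacker must consider, assuming they know
    which character classes the password uses but nothing else about it."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(not c.isalnum() for c in password):
        alphabet += 33  # printable ASCII punctuation plus space
    return alphabet ** len(password)


def expected_crack_seconds(password: str, guesses_per_second: float) -> float:
    """On average a brute-force search succeeds halfway through the space."""
    return search_space(password) / 2 / guesses_per_second


def measure_guess_rate(verifier: dict, samples: int = 20) -> float:
    """Time how many PBKDF2 guesses per second this machine manages
    against the given verifier (a single-core, unoptimised guesser)."""
    start = time.perf_counter()
    for i in range(samples):
        check_master(f"wrong-guess-{i}", verifier)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    SECONDS_PER_YEAR = 365.25 * 24 * 3600
    verifier = make_verifier("correct horse battery staple")
    assert check_master("correct horse battery staple", verifier)
    assert not check_master("correct horse battery stapler", verifier)

    rate = measure_guess_rate(verifier)
    print(f"~{rate:.1f} guesses/s at {verifier['iterations']} iterations")
    # Constructed sample master passwords of increasing strength.
    for pw in ["sunny", "Sunny2009", "Sunny2009!", "correct horse battery staple"]:
        years = expected_crack_seconds(pw, rate) / SECONDS_PER_YEAR
        print(f"{pw!r:34} log2 space={math.log2(search_space(pw)):5.1f} bits "
              f"-> ~{years:.3g} years")
```

Running the script prints the measured guess rate and, for each sample password, the size of its search space in bits and the expected years a single machine would need. The point the numbers make is the one in the article: a five-letter word falls in seconds whatever the work factor, while a long passphrase pushes the expected time past any useful horizon even if the attacker has a much faster cracker than this model.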

I'll also put it another way: even though its theft is unlikely, as a result of writing up this little thought exercise I've just cleared the list of remembered passwords on my home desktop and unchecked the option to remember for me. The cost of failure is simply too high should my machine ever be stolen or otherwise compromised.

I'm much more comfortable relying on Roboform and TrueCrypt.

Article C3961 - December 25, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18 year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


10 Comments
David
December 25, 2009 12:12 PM

I have my computer memorize my passwords for non-sensitive sites (blogs, newspapers). However, for stuff like my bank and Yahoo webmail I don't save those and type them every time.

Cyber_100
December 26, 2009 1:34 AM

Firefox uses the RC4 algorithm to encrypt the password file. A brute-force attack using the known cracker will take years to crack if the master password is a long passphrase. After all, brute force can be used to attempt cracking even Roboform. So, in theory nothing is safe, but practically speaking the FF master password system is adequately secure.

Jason
December 29, 2009 8:28 AM

There is a nice Firefox addon called LastPass that will save your passwords for you. Everything is stored in the "cloud" and not on your machine. You just log into your LastPass account with a password of your choice and they take care of filling in usernames and passwords. As an added feature, LastPass also handles form filling and supports multiple profiles.

That's putting a lot of trust in that service and in "the cloud". Personally, I would not.
Leo
30-Dec-2009

Dan
December 29, 2009 8:36 AM

Don't forget the Quick Dial Syndrome. Not using your passwords all the time means you will forget them when you have to enter them manually again!

mona georgetti
December 29, 2009 11:50 AM

Hello Leo. Thank you for the information. My next question is: how do we burn things on the computer? I wish you a happy new year.

Greg McDonald
December 29, 2009 3:29 PM

Well, I feel motivated to do something more about password security... but I'm not sure what? Maybe get a small flash drive and install Roboform on it?

Ralph Cosh
December 30, 2009 6:31 PM

I keep passwords in an Excel file and password protect that file. They are always with me and I understand that this is very hard to crack and gain entry to the file.

rew
December 31, 2009 2:04 PM

Amherst College says to lock your computer... will that make it safe? XP/Vista... Windows key+L or Options+L... Seems to me if you can lock it, a few folks know how to unlock it and help themselves? Thank you for your hard work...

I ended up writing a new article on this: Does locking my computer keep it safe?
Leo
01-Jan-2010

v w
January 4, 2010 8:57 PM

Having the browser remember one's password does not seem all that secure. I'm OK with typing in the password each and every time. However, when one uses a computer at work or in some public places, there is always the risk of key loggers being installed in the computers. So, which method would be better for privacy and security?

Use good security measures on your own computer, and don't visit sites where you need to enter your password on computers you can't trust.
Leo
05-Jan-2010

Will
March 9, 2010 8:29 PM

Leo,

You could enable FIPS encryption in Firefox. It is little known that FIPS is standard on Firefox and can be enabled under advanced options and under encryption devices. Cracking a master password with FIPS enabled and a salt is virtually impossible.

TrueCrypt can't be recommended as none of its encryption techniques has ever been verified since the creators are anonymous. Lately they have been deleting posts criticizing any faults in the program, which is disturbing.
