Welcome to Eric Cheng's online journal!

Warning: Firefox stores passwords in plain text

:: Tuesday, May 4th, 2010 @ 10:32:24 am


This is a security problem that has been rehashed numerous times, but I’ve found that none of my friends seem to know that it is an issue. Note that if you’re someone who keeps all of your passwords on a sticky attached to your monitor, you probably won’t care about any of this.

I love Firefox and rely on it heavily, but one thing that has always bothered me is that its password manager stores passwords in plain text and by default, allows anyone at your computer to see them. You can see this for yourself, and if you’re like me, it will probably freak you out to actually see your password written out.

In Firefox, go to Preferences->Security:

Click on Saved Passwords, and then Show Passwords. Firefox will ask you if you’re sure. Click Yes, because that’s what someone snooping around on your machine would do.

Surprise! All of your passwords are there, in plain text.

Note that Firefox does offer a “Use a master password” option in its security dialog. This does prevent the casual snooper from seeing your passwords, but it also prompts you for a password every time a webpage wants to auto-fill a password field once per session. In my world, that happens 20-30 times a day (if not more). Unacceptable. [Corrected: John Lilly wrote me to let me know that Firefox only asks once per session. This behavior is totally usable, but there are still some issues. When I launched Firefox with more than one tab open, it prompted me once for each tab.]

Solutions:

  1. Uncheck Remember passwords for sites and use 1Password. I swear by 1Password, and everyone I’ve demoed it for starts to use it.

  2. Switch to Safari, Chrome, or Camino, all of which use Mac OS X’s Keychain to store passwords securely.

I’m going to stick to Firefox — for now — but it is a huge convenience FAIL that I have to turn off the feature to save passwords. As more plugins start to appear in Chrome, I’m more and more tempted to Switch; this security issue is the number 1 reason.

| San Francisco, CA | link | May 4, 2010 10:32:24
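An audit for the first solution above, as an added example that is not part of the original post: it reads a Firefox profile's `prefs.js` and `user.js` for `signon.rememberSignons` (the preference behind the "Remember passwords for sites" checkbox) and lists any saved-login store files still in the profile. The profile directory names and file contents in `demo()` are constructed for illustration.

```python
import re
import tempfile
from pathlib import Path

# Pref behind the "Remember passwords for sites" checkbox; Firefox treats it as true if absent.
PREF = re.compile(r'^\s*user_pref\("signon\.rememberSignons",\s*(true|false)\s*\);', re.M)
# File names Firefox has used for its saved-login store, oldest first.
LOGIN_STORES = ("signons3.txt", "signons.sqlite", "logins.json")


def remember_passwords_enabled(profile: Path) -> bool:
    """Return the effective value of signon.rememberSignons for one profile."""
    value = True  # default when the pref is not set anywhere
    # user.js is applied after prefs.js at startup, so its value wins.
    for name in ("prefs.js", "user.js"):
        path = profile / name
        if path.is_file():
            found = PREF.findall(path.read_text(errors="replace"))
            if found:
                value = found[-1] == "true"
    return value


def audit_profile(profile: Path) -> dict:
    """Report whether saving is enabled and whether a login store is present."""
    enabled = remember_passwords_enabled(profile)
    # Turning the pref off stops new saves; a store file already on disk still needs review.
    stores = [n for n in LOGIN_STORES if (profile / n).is_file()]
    return {"profile": profile.name, "remember_passwords": enabled,
            "login_stores": stores, "review": enabled or bool(stores)}


def demo() -> list:
    """Build two constructed profiles (not real data) and audit both."""
    root = Path(tempfile.mkdtemp())
    default = root / "abcd1234.default"
    default.mkdir()
    (default / "prefs.js").write_text('user_pref("browser.startup.page", 3);\n')
    (default / "signons.sqlite").write_bytes(b"")
    hardened = root / "efgh5678.hardened"
    hardened.mkdir()
    (hardened / "prefs.js").write_text('user_pref("signon.rememberSignons", false);\n')
    return [audit_profile(p) for p in (default, hardened)]


if __name__ == "__main__":
    for row in demo():
        print(row)
```
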
  • http://www.below-surface.com Tobias

    Hi Eric,

    one comment: Firefox only asks one time for the master password when it starts. After that you can surf on various sites with auto-filled-in passwords. Only when you end the complete Firefox task (i.e. with cmd+Q for Macs) it will ask you again when you restart the browser.

    Hope this helps.

    Regards,
    Tobias

  • http://echeng.com/ Eric Cheng

    Yeah — I updated the text to state that. The last time I used master password, it didn't do that, and on my copy here it still asks you once for each tab (if you start Firefox with a bunch of tabs open).

  • anthplummer

    I just checked Chrome (4.1.249.1064) and it appears to do the same thing. Passwords are plain text and accessible. Haven't got Safari here to try it out…

  • http://echeng.com/ Eric Cheng

    On a Mac, Chrome uses the Mac OS X keychain to store passwords.

  • anthplummer

    Thanks Eric. Good to know passwords are slightly safer on my Mac at home then. Just the work PC I have to worry about.

  • Pedro

    This is why I use Sticky Password manager. It saves my passwords into encrypted database.

    http://www.stickypassword.com

  • mbraden

    I've been averse to any saved-passwords function, so have not used these. Reading your note, it reinforces to me that I don't want to use these functions (and it might keep my mind active into old age…).

  • mbraden

    I've been averse to using saved-password functions, your note reinforces my bias. Sometimes I've got to use password-recovery functions for an account, but I guess this habit keeps my mind active, perhaps stave off old age (…snicker…).
    –markb

  • jessitodden

    oh damn!

  • LDA

    Displaying passwords is an orthogonal issue to storing them in plain text. Apple's Keychain tool lets you view saved passwords as well…

  • http://echeng.com/ Eric Cheng

    That is true. I suppose I am just worried that they are stored within Mozilla and are visible by default. A big deal should be made to the user about the potential security issue. Also, storing the passwords within Mozilla means that a security breach at the browser level might result in password theft.


    Sent from mobile device. Apologies for brevity and/or typos.

  • ed

    I actually like it that they are stored in plain text. Has saved my ass many times when I forgot a password and wanted to use it on a different computer

  • not quite so paranoid

    Thanks a lot for this. Probably not for the reason you anticipated.. I’ve now been able to recover several passwords for spur-of-the-moment accounts that I needed to re-use.

    Very handy! :)

    Real accounts, of course, I don’t let Firefox even store the password!
