Carsonified

Creativity with integrity

  1. Your passwords are showing…

    A lot of geeks and developers out there are using Mozilla Firefox. It’s a fantastic browser, and I highly recommend it. Firefox has been a huge factor in the progress of web development. Where would we be without the Web Developer Toolbar and Firebug?

    However, there’s one place you have to be careful using Firefox - password management. You know the little “Remember Password” button you click when you log in? Turns out Firefox doesn’t mind showing you the passwords you’ve saved, in plain text. It’s no secret - others have previously blogged about it - but it does bear repeating. This is the default behaviour, so if you haven’t already spotted this, then chances are it applies to you right now. That means someone unscrupulous can come along and read your passwords. Like this:

    First, go into “Preferences” in Firefox (on a Mac, hit Cmd-,) and head to the Security tab. Then click the Saved Passwords button as shown here:

    Security window in Firefox

    This will bring up a Passwords window. I’m not showing you mine. But look for this button at the bottom right:

    Show Saved Passwords button

    Press this button. Voila! All your passwords are shown, in plain text, on-screen. Please note, my password is not hunter2.


    This means that someone can open up Firefox on your computer, and view all your saved passwords. The way to change this is to set a master password for Firefox. Close that passwords window, and go back to the Security preferences pane. There, you’ll see an option for “Use a master password”.


    This means that Firefox protects all your saved passwords with a master password which is never shown. However, get used to seeing this prompt…

    Master Password prompt

    because it comes up ALL the time when you’re using password-authenticated sites. Personally, I use Webkit nightly builds for everyday browsing: they’re extremely fast and stable.

    Comments are currently closed on this entry.

    1. dinu

      what if I forget the master password ;)

    2. Elliott

      @dinu: If you do, visit chrome://pippki/content/resetpassword.xul and click “OK” in the bottom-right corner. You’ll lose all your saved passwords though :)

    3. Scott Purdie

      Thanks Elliott, I used a master password but I didn’t realise people could have seen all my passwords if I didn’t have that set up! Cheers

    4. ceejayoz

      If only Firefox let me require the master password only for revealing my password list instead of every single time I want to use a saved one…

    5. Joana Franco

      Thanks man… this was a great tip and a major help!

    6. Sam Brown

      I’d be less worried that someone could see my password in plain view within the ‘Saved Passwords’ dialog of the Security tab in the Preferences pane of Firefox than them actually sitting at my computer with direct access to said “secure” website!!

      I’ve never understood the need to save a password in the browser.

    7. jfno

      It doesn’t require the master password each and every time you use one. It asks for it just once per instance run of FF.

      @ceejayoz If it asked for the master password to reveal the list, but not when you use them, then the password would need to be stored in clear on your disk and would be pretty easy to retrieve.
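
The point jfno makes above, as an added example (not part of the original post or comments, and not Firefox's code): a simplified Python model of a login store whose decryption keys are derived from the master password, so autofill and the password list need the same unlock, once per session. The `LoginStore` class, its methods, the HMAC-based cipher stand-in and the sample site and password are assumptions for illustration; an empty master password models the default setup the post describes.

```python
import hashlib, hmac, secrets

class LoginStore:
    """Toy model of a master-password login store; NOT Firefox's real format."""
    def __init__(self, master_password=""):
        self.salt = secrets.token_bytes(16)
        self.records = {}   # site -> (nonce, ciphertext, tag): what sits on disk
        self._keys = self._derive(master_password)   # cached for this session
        self.check = self._tag(self._keys[1], b"check")   # lets unlock() reject a wrong password

    def _derive(self, password):
        raw = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000, 64)
        return raw[:32], raw[32:]   # (encryption key, MAC key)

    @staticmethod
    def _tag(key, data):
        return hmac.new(key, data, hashlib.sha256).digest()

    def _xor(self, key, nonce, data):
        blocks = (len(data) + 31) // 32   # HMAC-SHA256 counter mode: stand-in for a real cipher
        stream = b"".join(self._tag(key, nonce + i.to_bytes(4, "big")) for i in range(blocks))
        return bytes(a ^ b for a, b in zip(data, stream))

    def _require_keys(self):
        if self._keys is None:
            raise PermissionError("store is locked")
        return self._keys

    def lock(self):
        self._keys = None   # browser quit: keys leave memory, only ciphertext remains

    def unlock(self, master_password):
        keys = self._derive(master_password)
        if hmac.compare_digest(self._tag(keys[1], b"check"), self.check):
            self._keys = keys   # one prompt per session, then the keys stay cached
            return True
        return False

    def save(self, site, password):
        enc, mac = self._require_keys()
        nonce = secrets.token_bytes(16)
        ct = self._xor(enc, nonce, password.encode())
        self.records[site] = (nonce, ct, self._tag(mac, nonce + ct))

    def fill(self, site):   # autofill and "show passwords" both need the same keys
        enc, mac = self._require_keys()
        nonce, ct, tag = self.records[site]
        if not hmac.compare_digest(tag, self._tag(mac, nonce + ct)):
            raise ValueError("record was modified")
        return self._xor(enc, nonce, ct).decode()
```

A store created with `LoginStore()` unlocks with the empty string, so anyone holding the stored records can read them; gating only the list view behind a password would leave autofill needing keys that are available without it.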

    8. James Pearson

      Thanks for the tip, just a quick note… to access preferences for Firefox 3 on Mac OSX Leopard it’s CMD, not CMD- (which is zoom out).

    9. Elliott

      @James: That says “CMD-,” which means the CMD key and the comma key :)

      @Sam - good point! I guess saving passwords should be reserved for less-crucial sites.

    10. gio

      First time poster long time follower. Thanks for the great tip and taking the extra effort to put this post together. Keep up the good work!

    11. Mark O'Neill

      I also ran into this when I used “View Page Info” on a site with Firefox, and was surprised to see my passwords for that site shown to me. I’d imagine most users are naive about this. Firefox should really have a “Manage Passwords” button which is shown alongside those “Remember” and “Never for this site” buttons.

    12. Peter Cooper

      “because it comes up ALL the time when you’re using password-authenticated sites.”

      Seconding jfno above, it shouldn’t be coming up all the time. It typically appears once when your browser is freshly loaded. Perhaps you use Cmd+Q a lot instead of keeping your browser in memory all the time?

    13. Luke Anderson

      Elliott, what’s your wallpaper - you know with the sky and tree? Good post btw!

    14. Tyler Hayes

      If you’re in an environment where you’re this concerned about someone sitting down at your computer and stealing your passwords there are a few things to consider:

      1. It’s probably time to have a discussion with this person who you think will be stealing passwords.
      2. If you don’t know the person and are just careless enough to leave your computer open, chances are the person who wants to steal your passwords knows a better way and can get around this system (I can think of plenty of apps and methods to steal passwords that are in fact more efficient and faster than this method).

      What situation would this be useful in? This is like a prescription drug, it just cures the symptom. In reality, we should be trying to get people less reliant on their computer remembering their passwords and not writing them down on little sticky notes that are posted on their monitors.

    15. Elliott

      Hey @Luke, thanks for your comment - there’s actually two backgrounds shown there,

      Elevation by coffeelover,
      http://interfacelift.com/wallpaper_beta/details/1188/elevation.html

      and Lazy Days II by boss019,
      http://interfacelift.com/wallpaper_beta/details/1232/lazy_days_ii.html

      Check out the other wallpapers at InterfaceLIFT - I downloaded a whole bunch of their desktop backgrounds and set them to shuffle.

      @Tyler - you’re absolutely right, password security is very important. However for less-important passwords, like forum log-in details, this method of remembering passwords comes in handy. People will use the feature because it’s readily available, so it’s best that they know what they’re using.

      @Peter Cooper and @jfno, you’re right, thanks :)

    16. Racheblue

      Hi there,

      I stumbled here from there: http://www.smashingmagazine.com/2007/11/22/30-more-excellent-blog-designs/

      If you unclick the Remember Passwords For Site box then no passwords will be saved. Isn’t this the easiest option???

      Rache

    17. Sulcalibur

      Good call, people should know about this as some shifty person could look at someone else’s passwords and notice a pattern for future abuse.

      I’ve started using Lastpass now though.

      Ref: https://addons.mozilla.org/en-US/firefox/addon/8542

      So far it seems pretty damn decent.

© 2005 - 2009 Carsonified