Timeline for Can my open Firefox Sync session be used to circumvent a Master Password?
Current License: CC BY-SA 4.0
8 events
| when | what | action | by | license | comment |
|---|---|---|---|---|---|
| Apr 30, 2019 at 23:48 | comment | added | Andreas | | Do you have a reference for that? Because storing the master password on disk sounds plain idiotic. |
| Apr 30, 2019 at 20:40 | comment | added | Belle 'Sandon' Ling | | The master password is stored within key4.db, once someone gets in, security is super weak. |
| Apr 30, 2019 at 20:34 | comment | added | Andreas | | Consider me confused. I've read from multiple sources that the master password is used to encrypt the password store on disk, e.g. kb.mozillazine.org/Master_password. Not sure what to make of this. |
| Apr 30, 2019 at 19:41 | comment | added | Belle 'Sandon' Ling | | @Andreas Unfortunately, it does not, if someone has access to your filesystem it is compressible. Luckily attackers can only remotely access your hard drive through Firefox sync, which requires a password to login. However, you can evade this by encrypting your hard drive with Windows BitLocker. |
| Apr 30, 2019 at 19:37 | comment | added | Andreas | | It'd be nice if you could clarify "The so-called 'master password' does not protect your passwords, it just blocks someone from grabbing it remotely". I was under the impression that the Master Password encrypts my passwords locally -- how does that not protect them when my hard drive ends up in the wrong hands? And in what way does that encryption block a remote attacker more than a local attacker (e.g. if someone stole my computer)? |
| Apr 30, 2019 at 18:54 | comment | added | Belle 'Sandon' Ling | | Yes sir, you got the correct idea. The "master password" just acts as a software blockade, but after this is past, security within the service is minimalist and legacy at best. |
| Apr 30, 2019 at 18:44 | comment | added | Andreas | | I found it a bit hard to understand "So if sync is active and working with a attacker, you are vulnerable to this" -- is that hypothetical, as in if the session were open (but it can't be unless you've already entered the Master Password)? "luckily the sync service requires a password" -- if I understand you correctly, you refer to a password that only exists within the store that is itself protected by the Master Password. Your link seems to have exactly what I was looking for: "When using Sync, your Firefox Accounts login is stored with your saved passwords in the password manager" |
| Apr 30, 2019 at 18:06 | history | answered | Belle 'Sandon' Ling | CC BY-SA 4.0 | |