Firefox Security Hole With Saved Passwords

[T_Dog]

Just ran into something about FireFox. If you go to "Preferences", "Security", and "Saved Passwords, you can see all the passwords that you may have saved into FireFox. I would have thought you would need to use the computer admin password to get to it but all my passwords can be easily viewed with just a few keystrokes. Not a problem as long as the MacBook is used only by me and doesn't get stolen, but if it does....... Ouch! I don't use a turn-on password but I think that is about to change..... This is a handy feature in case you forget a password, but maybe a little bit too handy.

[beano2274]

The password issue has always been on Mozilla Firefox, it also asks you if you want to save the passwords, so just click no.

[thaimite]

Adding a turn on password only adds a little bit of security.

Once a cracker has access to the hardware it is very easy to access the data. In this case, with a user locked system, all that would have to be done is to boot the system from a CD or USB drive, and then copy your Firefox profile to another computer.

To stop this happening you need to turn off the boot from CD option, on your machine, and then password protect the BIOS, but this again does not stop somebody removing the hard drive, and of course removing the battery from the PC will reset the BIOS password.

At the end of the day, if you have sensitive passwords, such as banking passwords do not store them on your PC unless they are in an encrypted file using a strong encryption, and even then assume they will only stop a cracker long enough for you to change the password.

[Xircal]

Use the option to create a Master Password. This encrypts all the other passwords you have stored on your machine so that they cannot be read by third party tools.

Edited December 18, 2010 by Xircal

[Xircal]

...password protect the BIOS, but this again does not stop somebody removing the hard drive, and of course removing the battery from the PC will reset the BIOS password.

Not always. My GF has a Sony Vaio notebook which includes the option to create a power on password. In the event of her forgetting the password, removing the battery will have no effect and necessitates a visit to an authorized Sony dealer to clear the password.

[thaimite]

...password protect the BIOS, but this again does not stop somebody removing the hard drive, and of course removing the battery from the PC will reset the BIOS password.

Not always. My GF has a Sony Vaio notebook which includes the option to create a power on password. In the event of her forgetting the password, removing the battery will have no effect and necessitates a visit to an authorized Sony dealer to clear the password.

Admittedly laptops are a little harder to disassemble, and it is not removing the main battery that will reset the BIOS, but usually a small watch style batter on the mainboard. The point being it is still easy for somebody who wants to go to the bother even if they just remove the disk and put it in a USB case or another machine if you have physical access to the machine getting data off it is easy unless it is encrypited.

[floridaguy]

Why don't you just add a Master Password for Firefox saved passwords? It can be as strong as you want, and then Firefox will not allow you to see the passwords without entering that in.