From MozillaZine Knowledge Base
The Password Manager can be used to automatically fill in the username/password needed to access web sites and log into mail servers. However, it stores the passwords unencrypted in a database file in the profile. The passwords can be easily viewed using Firefox or Thunderbird menu commands. If you step away from your PC for a moment it only takes about 15 seconds for somebody else to see your passwords. Its recommended that you set a master password if anybody else has physical access to your PC. If you do that the passwords will be stored encrypted, and anyone using your profile will be prompted to enter the master password when access to the stored passwords is needed. Its also a good idea if you installed S/MIME certificates.
However, a master password will not prevent anybody else from reading locally stored e-mails, reading your browsing history, or from accessing sites the browser is already logged in to. Alternatives to the built-in Password Manager such as Keepass or Lastpass provide their own implementation of a master password.
If you decide to set a master password write down a copy of your passwords somewhere safe beforehand. Its usually trouble free, but if you run into a problem with the master password frequently the only workaround is to delete it, which will delete the stored passwords.
Using a master password
Using a master password is not selected by default; you will need to set one in the Password Manager, as explained below under Setting a master password. You can view using a master password as a way to authenticate who you are to the Software Security Device, just as you do with a server on a web site: you log into a web site and enter your credentials and you do the same if supplying the master password.
If you supply the Master Password in the popup window that you see if a master password is needed, then you log in to the Software Security Device (Firefox uses: "Tools -> Options -> Advanced -> Encryption: Certificates: Security Devices: Software Security Device"). If you select the Software Security Device then you notice an enabled "Log Out" button if you are logged on, otherwise the "Log In" button is enabled in that window. Access to the encrypted names and passwords is possible as long as you are logged on to the Software Security Device and you need to log out to prevent others from accessing that data if you leave your computer unattended. "Tools > Clear Private Data : Authenticated sessions" does the same, but also additionally will log you out of secure web sites. You may need to clear the cookies to log out of other sites.
Setting a master password
Make sure that you are able to remember or otherwise retrieve the master password you choose. For security reasons, you will need to supply your current master password before you can change or remove it.
Changing your master password
Removing your master password
Resetting the master password
If you have lost or forgotten your master password or you want to disable the feature, you can reset the master password. Resetting the master password will remove all stored password information. Upon resetting, you will lose all the stored information in the Password Manager, as this is a built-in security feature to prevent people from simply resetting your Master Password to gain access to your passwords.
Asked for a master password despite never setting one
Sometimes when you install Firefox and import passwords from a Mozilla Suite or SeaMonkey profile that causes Firefox to think you set a master password even though you never created one. . If this happens, reset the master password as explained above.
If that doesn't work exit Firefox and delete the encryption keys (key3.db), the saved names and passwords (logins.json and any signons*.* files that might have been created by previous Firefox versions) in your profile. If that doesn't work see Password_Manager#Troubleshooting.
There is a known bug that sometimes occurs when updating from 184.108.40.206 to Thunderbird 3.* that causes Thunderbird to think you set a master password even though you never created one. If this happens, try resetting the master password as explained above. If that doesn't work exit Thunderbird and delete the key3.db file in your profile.