MozillaZine

Master password

From MozillaZine Knowledge Base

It takes only fifteen seconds for a prying user sitting at your computer to see the list of all the passwords you have told Firefox or Thunderbird to save. The list is shown plain as day. It can include webmail and forum passwords or email server passwords. Using a Master Password is highly recommended, to prevent such prying users from seeing the list. By setting a Master Password, anyone using your profile will be prompted to enter the master password when access to your stored passwords is needed.

It's also highly recommended to use a master password if you install S/MIME certificates.

A master password will not prevent others from reading locally stored e-mails, reading your browsing history, or from accessing sites the browser is already logged in to.

Contents

Using a master password

Using a master password is not selected by default; you will need to set one in the Password Manager, as explained below under Setting a master password. You can view using a master password as a way to authenticate who you are to the Software Security Device, just as you do with a server on a web site: you log into a web site and enter your credentials and you do the same if supplying the master password.

If you supply the Master Password in the popup window that you see if a master password is needed, then you log in to the Software Security Device (Firefox uses: "Tools -> Options -> Advanced -> Encryption: Certificates: Security Devices: Software Security Device"). If you select the Software Security Device then you notice an enabled "Log Out" button if you are logged on, otherwise the "Log In" button is enabled in that window. Access to the encrypted names and passwords is possible as long as you are logged on to the Software Security Device and you need to log out to prevent others from accessing that data if you leave your computer unattended. "Tools > Clear Private Data : Authenticated sessions" does the same, but also additionally will log you out of secure web sites. You may need to clear the cookies to log out of other sites.

Setting a master password

  • Firefox: "Tools -> Options -> Security / Passwords -> Use a master password"
  • Thunderbird: "Tools -> Options -> Privacy -> Passwords -> Set Master Password"
  • Mozilla Suite/SeaMonkey: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Change Password"

Make sure that you are able to remember or otherwise retrieve the master password you choose. For security reasons, you will need to supply your current master password before you can change or remove it.

Changing your master password

  • Firefox: "Tools -> Options -> Security / Passwords -> Change Master Password"
  • Thunderbird: "Tools -> Options -> Privacy -> Passwords -> Change Master Password" (not shown unless a master password is set)
  • Mozilla Suite/SeaMonkey: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Change Password"

Removing your master password

  • Firefox: "Tools -> Options -> Security / Passwords -> Uncheck "Use a master password". You will be prompted for your Master Password.
  • Thunderbird: "Tools -> Options -> Security -> Passwords -> Change Master Password"

Resetting the master password

If you have lost or forgotten your master password or you want to disable the feature, you can reset the master password. Resetting the master password will remove all stored password information. Upon resetting, you will lose all the stored information in the Password Manager, as this is a built-in security feature to prevent people from simply resetting your Master Password to gain access to your passwords.

  • Firefox: Enter chrome://pippki/content/resetpassword.xul into the Location Bar (address bar), press the "Enter" key and click "Reset".
  • Thunderbird: Choose Tools -> Error Console, paste the expression: openDialog("chrome://pippki/content/resetpassword.xul") and press the Evaluate button. That will open a dialog asking you if you want to reset your password.
  • Mozilla Suite/SeaMonkey: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password".

Asked for a master password despite never setting one

Firefox

Sometimes when you install Firefox and import passwords from a Mozilla Suite or SeaMonkey profile that causes Firefox to think you set a master password even though you never created one. [1]. If this happens, reset the master password as explained above.

If that doesn't work exit Firefox and delete the encryption keys (key3.db), the saved names and passwords (signons.sqlite and any possible leftover files signons#.txt from previous Firefox versions) in your profile. If that doesn't work see Password_Manager#Troubleshooting.

Thunderbird

There is a known bug that sometimes occurs when updating from 2.0.0.24 to Thunderbird 3.* that causes Thunderbird to think you set a master password even though you never created one. If this happens, try resetting the master password as explained above. If that doesn't work exit Thunderbird and delete the key3.db file in your profile.

External links