From MozillaZine Knowledge Base
It takes only fifteen seconds for a prying user sitting at your computer to see the list of all the passwords you have told Firefox or Thunderbird to save. The list is shown plain as day. It can include webmail and forum passwords or email server passwords. Using a Master Password is highly recommended, to prevent such prying users from seeing the list. Once a Master Password is set, anyone using your profile will be prompted to enter it whenever access to your stored passwords is needed.
It's also highly recommended to use a master password if you install S/MIME certificates.
A master password will not prevent others from reading locally stored e-mails, reading your browsing history, or from accessing sites the browser is already logged in to.
Using a master password
A master password is not set by default; you will need to set one in the Password Manager, as explained below under Setting a master password. You can think of the master password as a way to authenticate yourself to the Software Security Device, just as you authenticate to a server: you log in to a web site by entering your credentials, and you log in to the Software Security Device by supplying the master password.
When you supply the Master Password in the popup window that appears whenever it is needed, you log in to the Software Security Device (in Firefox: "Tools -> Options -> Advanced -> Encryption: Certificates: Security Devices: Software Security Device"). If you select the Software Security Device in that window, the "Log Out" button is enabled if you are logged in; otherwise the "Log In" button is enabled. The encrypted names and passwords are accessible for as long as you are logged in to the Software Security Device, so you need to log out to prevent others from accessing that data if you leave your computer unattended. "Tools > Clear Private Data : Authenticated sessions" does the same, and additionally logs you out of secure web sites. You may need to clear the cookies to log out of other sites.
Setting a master password
Make sure that you are able to remember or otherwise retrieve the master password you choose. For security reasons, you will need to supply your current master password before you can change or remove it.
Changing your master password
Removing your master password
Resetting the master password
If you have lost or forgotten your master password or you want to disable the feature, you can reset the master password. Resetting the master password removes all information stored in the Password Manager. This is a built-in security feature that prevents people from simply resetting your Master Password to gain access to your passwords.
Asked for a master password despite never setting one
Sometimes, installing Firefox and importing passwords from a Mozilla Suite or SeaMonkey profile causes Firefox to think you set a master password even though you never created one. If this happens, reset the master password as explained above.
If that doesn't work, exit Firefox and delete the encryption keys (key3.db) and the saved names and passwords (signons.sqlite and any leftover signons#.txt files from previous Firefox versions) in your profile. If that doesn't work, see Password_Manager#Troubleshooting.
There is a known bug that sometimes occurs when updating from 22.214.171.124 to Thunderbird 3.* that causes Thunderbird to think you set a master password even though you never created one. If this happens, try resetting the master password as explained above. If that doesn't work, exit Thunderbird and delete the key3.db file in your profile.
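The file cleanup described in the two paragraphs above can be scripted so that the files are moved aside rather than deleted outright, which leaves a way back if the wrong profile was chosen. This is an added example, not part of the original article; the function name and the backup folder name are assumptions, and it must be run only after Firefox or Thunderbird has been exited.

```shell
#!/bin/sh
# Added example: move the password-store files named in the article
# (key3.db, signons.sqlite, signons#.txt) out of a profile folder.
# The backup folder name below is an assumption, not a Mozilla convention.

# stash_password_store PROFILE_DIR
# Prints the backup directory on success.
# Returns 1 if the profile folder is missing or a move fails,
# 2 if none of the files were present.
stash_password_store() {
    profile=$1
    [ -d "$profile" ] || { echo "no such profile: $profile" >&2; return 1; }

    backup="$profile/master-password-reset-backup"
    moved=0
    for f in "$profile"/key3.db \
             "$profile"/signons.sqlite \
             "$profile"/signons[0-9].txt; do
        # An unmatched glob stays literal, so check the file really exists.
        [ -f "$f" ] || continue
        # Keep the backup readable by the owner only: it still holds the
        # encrypted logins and the key database.
        mkdir -p "$backup" && chmod 700 "$backup" || return 1
        mv -- "$f" "$backup"/ || return 1
        moved=$((moved + 1))
    done

    [ "$moved" -gt 0 ] || { echo "nothing to move in $profile" >&2; return 2; }
    echo "$backup"
}

# Usage (path is a placeholder): stash_password_store "/path/to/profile"
```

Once the application starts without asking for a master password, delete the backup folder, since it still contains the old saved logins.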