Master password: Difference between revisions

From MozillaZine Knowledge Base
No edit summary
 
(72 intermediate revisions by 23 users not shown)
Line 1: Line 1:
A master password protects access to your stored passwords in your Password Manager. By setting a Master Password, a user will be prompted to enter the Master Password when access into the Password Manager's stored passwords is needed (not everytime, but as needed). For example, your webmail account login information is stored in the Password Manager (if your agree to the prompt that asks you about it). On Thunderbird and Mozilla Mail, it also protects your POP, IMAP, and SMTP server passwords. You will also need to setup a master password if you wish to install S/MIME certificates. A master password is set on a per-profile basis, so it is useful if you have many profiles on your machine or you share a machine with many profiles.
The [[Password_Manager | Password Manager]] can be used to automatically fill in the username/password needed to access web sites and log into mail servers. However, it stores the passwords unencrypted in a database file in the profile. The passwords can be easily viewed using Firefox or Thunderbird menu commands. If you step away from your PC for a moment it only takes about 15 seconds for somebody else to see your passwords. Its recommended that you set a master password if anybody else has physical access to your PC. If you do that the passwords will be stored encrypted, and anyone using your [[profile]] will be prompted to enter the master password when access to the stored passwords is needed. Its also a good idea if you installed [http://en.wikipedia.org/wiki/S/MIME S/MIME] certificates.


Note for Thunderbird and Mozilla Mail users: This will not prevent other users from reading any mail which is already stored in local folders, but it will prevent them from downloading new mail and sending mail from your accounts.
However, a master password will not prevent anybody else from reading locally stored e-mails, reading your browsing history, or from accessing sites the browser is already logged in to. Alternatives to the built-in Password Manager such as [http://keepass.info/ Keepass] or [https://lastpass.com/ Lastpass] provide their own implementation of a master password.  


==Setting a Master Password==
If you decide to set a master password write down a copy of your passwords somewhere safe beforehand. Its usually trouble free, but if you run into a problem with the master password frequently the only workaround is to delete it, which will delete the stored passwords.
* For Firefox: "Tools -> Options (Edit -> Preferences on Linux) -> Privacy -> Saved Passwords -> Set Master Password".
* For Thunderbird: "Tools -> Options (Edit -> Preferences on Linux) -> Advanced -> Saved Passwords -> Master Password -> Change Password".
* For Mozilla Suite: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Change Password".


Note: Enabling the Master Password feature will not protect any passwords that are already stored in the Password Manager. To remedy this, clear your current passwords:
==Using a master password==
* For Firefox: "Tools -> Options (Edit -> Preferences on Linux) -> Privacy -> Saved Passwords -> Clear".
Using a master password is not selected by default;  you will need to set one in the [[Password Manager]], as explained below under [[#Setting a master password|Setting a master password]]. You can view using a master password as a way to authenticate who you are to the ''Software Security Device'', just as you do with a server on a web site: you log into a web site and enter your credentials and you do the same if supplying the master password.
* For Thunderbird: "Tools -> Options (Edit -> Preferences on Linux) -> Advanced -> Saved Passwords -> View Saved Passwords -> Remove All".
* For Mozilla Suite: "Edit -> Preferences -> Privacy & Security -> Passwords -> Manage Stored Passwords -> Remove All".


==Reset a Master Password==
If you supply the ''Master Password'' in the popup window that you see if a master password is needed, then you log in to the ''Software Security Device'' (Firefox uses: "[[Menu differences in Windows, Linux, and Mac|Tools -> Options]] -> Advanced -> Encryption: Certificates: Security Devices: Software Security Device").  If you select the ''Software Security Device'' then you notice an enabled "Log Out" button if you are logged on, otherwise the "Log In" button is enabled in that window.
* For Firefox: go to "chrome://pippki/content/pref-masterpass.xul" (see [[Chrome URLs]]) and click on "Reset Passwords".
Access to the encrypted names and passwords is possible as long as you are logged on to the ''Software Security Device'' and you need to log out to prevent others from accessing that data if you leave your computer unattended. 
* For Thunderbird: "Tools -> Options (Edit -> Preferences on Linux) -> Advanced -> Saved Passwords -> Master Password -> Reset Password".
"Tools > Clear Private Data : Authenticated sessions" does the same, but also additionally will log you out of secure web sites. You may need to clear the [[cookies]] to log out of other sites.
* For Mozilla Suite: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password".
 
==Setting a master password==
* Firefox: "[[Menu differences in Windows, Linux, and Mac|Tools -> Options]] -> Security / Passwords -> Use a master password"
* Thunderbird: "[[Menu differences in Windows, Linux, and Mac|Tools -> Options]] -> Privacy -> Passwords -> Set Master Password"
* Mozilla Suite/SeaMonkey: "[[Menu differences in Windows, Linux, and Mac|Edit -> Preferences]] -> Privacy & Security -> Master Passwords -> Change Password"
 
Make sure that you are able to remember or otherwise retrieve the master password you choose.  For security reasons, you will need to supply your current master password before you can change or remove it. 
 
===Changing your master password===
*Firefox:  "Tools -> Options -> Security / Passwords -> Change Master Password"
*Thunderbird: "Tools -> Options -> Privacy ->  Passwords -> Change Master Password"  (not shown unless a master password is set)
*Mozilla Suite/SeaMonkey: "[[Menu differences in Windows, Linux, and Mac|Edit -> Preferences]] -> Privacy & Security -> Master Passwords -> Change Password"
 
===Removing your master password===
* Firefox: "[[Menu differences in Windows, Linux, and Mac|Tools -> Options]] -> Security / Passwords -> Uncheck "Use a master password". You will be prompted for your Master Password.
* Thunderbird: "Tools -> Options -> Security -> Passwords -> Change Master Password"
 
==Resetting the master password==
 
If you have lost or forgotten your master password or you want to disable the feature, you can reset the master password.  '''Resetting the master password will remove all stored password information.'''  Upon resetting, you will lose all the stored information in the Password Manager, as this is a built-in security feature to prevent people from simply resetting your Master Password to gain access to your passwords. 
 
* Firefox:  Enter <code>chrome://pippki/content/resetpassword.xul</code> into the Location Bar (address bar), press the "Enter" key and click "Reset".
* Thunderbird:  Choose Tools ->Developer Tools-> Error Console, paste the expression: <code>openDialog("chrome://pippki/content/resetpassword.xul")</code> and press the Evaluate button. That will open a dialog asking you if you want to reset your password.
* Mozilla Suite/SeaMonkey: "[[Menu differences in Windows, Linux, and Mac|Edit -> Preferences]] -> Privacy & Security -> Master Passwords -> Reset Password".
 
==Asked for a master password despite never setting one==
===Firefox===
Sometimes when you install Firefox and import passwords from a Mozilla Suite or SeaMonkey profile that causes Firefox to think you set a master password even though you never created one. [http://forums.mozillazine.org/viewtopic.php?t=110487]. If this happens, [[#Resetting the master password|reset the master password]] as explained above.
 
If that doesn't work exit Firefox and delete the encryption keys ([[key3.db]]), the saved names and passwords (logins.json and any signons*.* files that might have been created by previous Firefox versions) in your [[Profile_folder_-_Firefox | profile]]. If that doesn't work see [[Password_Manager#Troubleshooting]].
 
===Thunderbird===
There is a [https://bugzilla.mozilla.org/show_bug.cgi?id=506638#c57 known bug] that sometimes occurs when updating from 2.0.0.24 to Thunderbird 3.* that causes Thunderbird to think you set a master password even though you never created one. If this happens,  try [[#Resetting the master password|resetting the master password]] as explained above. If that doesn't work exit Thunderbird and delete the key3.db file in your [[Profile_folder_-_Thunderbird | profile]].
 
==External links==
 
*The StartupMaster add-on for [https://addons.mozilla.org/en-us/thunderbird/addon/startupmaster/ Thunderbird]  and [https://addons.mozilla.org/en-us/firefox/addon/startupmaster/ Firefox] supposedly works around a bug where you are prompted for the master password multiple times.
* [https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/ Firefox Master Password System Has Been Poorly Secured for the Past 9 Years] - [https://bugzilla.mozilla.org/show_bug.cgi?id=524403 bug report]
*[http://support.mozilla.com/kb/Protecting+stored+passwords+using+a+master+password Protecting stored passwords using a master password (Firefox Support)]
*[http://support.mozilla.com/kb/Forgot+my+master+password Forgot my master password (Firefox Support)] - [https://bugzilla.mozilla.org/show_bug.cgi?id=524403 bug report]
*[https://bugzilla.mozilla.org/show_bug.cgi?id=995268 Firefox Sync and Master Passwords are now mutually exclusive] bug report
*[https://bugzilla.mozilla.org/show_bug.cgi?id=1176399 Multiple requests for master password when GMail OAuth2 is enabled] bug report (Thunderbird)
[[Category:Issues (Firefox)]]
[[Category:Privacy and security]]
[[Category:Privacy and security (Thunderbird)]]
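Review bot: the Thunderbird entry under "Removing your master password" gives the path "Tools -> Options -> Security -> Passwords -> Change Master Password", while the Thunderbird entries for setting and changing the password use "Privacy -> Passwords", and it names the Change Master Password button without saying which step actually removes the password. Suggest aligning the menu path with the other two Thunderbird entries and stating the removal step, as the Firefox entry does with "Uncheck "Use a master password"". Separately, the new introduction says a master password means "the passwords will be stored encrypted" with no qualification, while the External links added in this revision include "Firefox Master Password System Has Been Poorly Secured for the Past 9 Years" and its bug report; a sentence in the body pointing readers to that link would keep the two consistent.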

Latest revision as of 23:28, 18 March 2018

The Password Manager can be used to automatically fill in the username/password needed to access web sites and log into mail servers. However, it stores the passwords unencrypted in a database file in the profile. The passwords can be easily viewed using Firefox or Thunderbird menu commands. If you step away from your PC for a moment, it only takes about 15 seconds for somebody else to see your passwords. It's recommended that you set a master password if anybody else has physical access to your PC. If you do that, the passwords will be stored encrypted, and anyone using your profile will be prompted to enter the master password when access to the stored passwords is needed. It's also a good idea if you have installed S/MIME certificates.

However, a master password will not prevent anybody else from reading locally stored e-mails, reading your browsing history, or accessing sites the browser is already logged in to. Alternatives to the built-in Password Manager, such as KeePass or LastPass, provide their own implementation of a master password.

If you decide to set a master password, write down a copy of your passwords somewhere safe beforehand. It's usually trouble free, but if you run into a problem with the master password, frequently the only workaround is to delete it, which will delete the stored passwords.

Using a master password

Using a master password is not selected by default; you will need to set one in the Password Manager, as explained below under Setting a master password. You can think of the master password as a way to authenticate yourself to the Software Security Device: just as you log into a web site by entering your credentials, you log in to the device by supplying the master password.

When you supply the Master Password in the popup window that appears whenever it is needed, you log in to the Software Security Device (Firefox uses: "Tools -> Options -> Advanced -> Encryption: Certificates: Security Devices: Software Security Device"). If you select the Software Security Device in that window, the "Log Out" button is enabled if you are logged on; otherwise the "Log In" button is enabled. The encrypted names and passwords are accessible for as long as you are logged on to the Software Security Device, so you need to log out to prevent others from accessing that data if you leave your computer unattended. "Tools > Clear Private Data : Authenticated sessions" does the same, but will also log you out of secure web sites. You may need to clear the cookies to log out of other sites.

Setting a master password

  • Firefox: "Tools -> Options -> Security / Passwords -> Use a master password"
  • Thunderbird: "Tools -> Options -> Privacy -> Passwords -> Set Master Password"
  • Mozilla Suite/SeaMonkey: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Change Password"

Make sure that you are able to remember or otherwise retrieve the master password you choose. For security reasons, you will need to supply your current master password before you can change or remove it.

Changing your master password

  • Firefox: "Tools -> Options -> Security / Passwords -> Change Master Password"
  • Thunderbird: "Tools -> Options -> Privacy -> Passwords -> Change Master Password" (not shown unless a master password is set)
  • Mozilla Suite/SeaMonkey: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Change Password"

Removing your master password

  • Firefox: "Tools -> Options -> Security / Passwords" -> uncheck "Use a master password". You will be prompted for your Master Password.
  • Thunderbird: "Tools -> Options -> Security -> Passwords -> Change Master Password"

Resetting the master password

If you have lost or forgotten your master password or you want to disable the feature, you can reset the master password. Resetting the master password will remove all stored password information. Upon resetting, you will lose all the stored information in the Password Manager, as this is a built-in security feature to prevent people from simply resetting your Master Password to gain access to your passwords.

  • Firefox: Enter chrome://pippki/content/resetpassword.xul into the Location Bar (address bar), press the "Enter" key and click "Reset".
  • Thunderbird: Choose Tools -> Developer Tools -> Error Console, paste the expression openDialog("chrome://pippki/content/resetpassword.xul") and press the Evaluate button. That will open a dialog asking you if you want to reset your password.
  • Mozilla Suite/SeaMonkey: "Edit -> Preferences -> Privacy & Security -> Master Passwords -> Reset Password".

Asked for a master password despite never setting one

Firefox

Sometimes, when you install Firefox and import passwords from a Mozilla Suite or SeaMonkey profile, Firefox thinks you set a master password even though you never created one [1]. If this happens, reset the master password as explained above.

If that doesn't work, exit Firefox and delete the encryption keys (key3.db) and the saved names and passwords (logins.json and any signons*.* files that might have been created by previous Firefox versions) in your profile. If that doesn't work, see the Troubleshooting section of the Password Manager article.

Thunderbird

There is a known bug that sometimes occurs when updating from 2.0.0.24 to Thunderbird 3.* that causes Thunderbird to think you set a master password even though you never created one. If this happens, try resetting the master password as explained above. If that doesn't work, exit Thunderbird and delete the key3.db file in your profile.
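
The file cleanup described in the Firefox and Thunderbird paragraphs above, as an added example that is not part of the original article: a POSIX shell function that moves key3.db, logins.json and any signons*.* files into a backup directory instead of deleting them, so the step can be undone. The function name and its two arguments (profile directory, backup root) are assumptions of this example; exit Firefox or Thunderbird before running it.

```shell
#!/bin/sh
# Added example (not from the article): quarantine the password-store files
# named in the troubleshooting steps rather than deleting them outright.
# Usage: quarantine_password_store PROFILE_DIR BACKUP_ROOT
# Prints the backup directory on success.

quarantine_password_store() {
    profile=$1
    backup_root=$2

    if [ ! -d "$profile" ]; then
        echo "not a profile directory: $profile" >&2
        return 1
    fi

    # Timestamped destination, owner-only because it will hold credentials.
    dest="$backup_root/password-store-$(date +%Y%m%d-%H%M%S)"
    old_umask=$(umask)
    umask 077
    mkdir -p "$dest" || { umask "$old_umask"; return 1; }
    umask "$old_umask"

    moved=0
    # key3.db: encryption keys; logins.json and signons*.*: saved names and passwords.
    for f in "$profile"/key3.db "$profile"/logins.json "$profile"/signons*.*; do
        [ -f "$f" ] || continue        # absent file or unmatched glob
        mv -- "$f" "$dest"/ || return 1
        moved=$((moved + 1))
    done

    if [ "$moved" -eq 0 ]; then
        # Nothing to quarantine: drop the empty directory and report it.
        rmdir "$dest" 2>/dev/null || :
        echo "no password-store files found in $profile" >&2
        return 2
    fi
    echo "$dest"
}
```

To undo the step, exit the application again and move the files from the printed directory back into the profile.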

External links