A friend of mine who was visiting saw me using Firefox as my web browser and said that I was putting myself at risk because anyone could easily snag all my site passwords due to the way that Firefox saves account passwords. Is it true? If so, how do I avoid this danger?
Well, it’s true and not true. Random people on the Internet or tricky site programmers can’t get to your password archive — which only exists if you’ve told Firefox to remember your passwords in the first place — but anyone who can spend two minutes on your computer (or laptop!) can indeed view and even print your entire set of saved account and password pairs. Scary!
Let me show you how it’s done, then I’ll let my friend Patrick Crispen of Internet Tourbus fame talk about the different possible solutions to this problem.
Start up Firefox and go into the Options or Preferences area. It turns out that both the Mac and Windows versions of the program have the same problem too. Once in the Options area, click on the Privacy icon along the top, then the Passwords tab and you’ll see this:
Notice that I have “Remember Passwords” checked: if yours is unchecked, then you should be in the clear with nothing to worry about.
Next, click on the View Saved Passwords button and you’ll see:
So far it’s a bit invasive in that you can now see the sites I visit and have accounts at, including my username. But notice the button at the bottom: Show Passwords. Click on that and a new column shows up in the window, with the password for each and every site shown in “cleartext”, easily copied, memorized or printed for anyone who can get to it.
Let me hand the virtual “talking stick” over to Patrick Crispen now for his commentary and suggested solutions:
Should you panic? Nah. Unless you share your computer with others, the only way someone is going to be able to view your saved web passwords is if that person has access to your computer. If you have a firewall on your computer and lock your home’s front door when you leave, your saved web passwords are pretty safe.
Of course, that’s just my opinion. Let me add that if you share your computer with others, or if you just want to make absolutely sure your saved web passwords are significantly safer, you have three options:
- “Throw the baby out with the bathwater”: Disable the “Remember Passwords” feature in Firefox so that the program never remembers any of your web passwords.
- “Lock down Firefox”: Create a new, master password that automatically locks all of your passwords from snoops.
- “Lock down your computer”: Use your computer’s user accounts feature along with a screensaver password to require everyone who uses your computer to log in.
In my humble [controversial] opinion, the last option is the best. It solves not only the Firefox saved password security problem but also a host of other security issues, but hopefully you’re already doing that, so let’s focus on the first two instead:
Disable Remember Passwords
If you want to permanently disable Firefox’s “Remember Passwords” feature [which I don’t recommend, but that’s just me],
- Go to Tools > Options > Privacy
- Click on the + sign next to the words “Saved Passwords” or, in newer versions of Firefox, click on the “Passwords” tab.
- Click on the “View Saved Passwords” button.
- Click on the “Remove All” button. [To the Firefox gurus out there: Yes, you can do the same thing in “Clear Private Data.” But you still have to go to the Passwords tab to disable “Remember Passwords.” I just figured we’d take the direct route.]
- Click on the “Close” button.
- Uncheck “Remember Passwords.”
- Click on the “OK” button.
Doing this clears all of your old web passwords and prevents Firefox from remembering any new web passwords in the future.
Set a Master Password
Another way to lock down Firefox is to set a “Master” password. This is a special password Firefox asks you to key in once per session. Key in the correct master password and Firefox works just like it used to work by auto-filling your saved usernames and passwords on your favorite sign-in pages. Key in an incorrect master password, however, and Firefox automatically blocks your saved usernames and passwords from displaying. Sign in pages will still load, but the username and password boxes will be blank.
To set a master password,
- Go to Tools > Options > Privacy
- Click on the + sign next to the words “Saved Passwords” or, in newer versions of Firefox, click on the “Passwords” tab.
- Click on the “Set Master Password” button.
- Key in a new “master” password.
- Click on OK.
Thanks, Patrick, for your clear commentary on these options. This material was also originally published in the Internet Tourbus and please note that no squirrels were harmed in the writing of this blog entry.
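To check a profile for the exposure described above without clicking through the dialogs, here is an added example (not part of the original post or of Firefox itself) that reads the "Remember Passwords" preference and counts saved entries without decrypting anything. It assumes the current Firefox profile layout, `prefs.js` with the `signon.rememberSignons` preference and a `logins.json` store, neither of which this page mentions; `audit_profile` and `make_sample_profile` are hypothetical names, the sample profile is constructed, and master password status is not checked.

```python
import json
import re
import tempfile
from pathlib import Path

# Matches prefs.js lines such as: user_pref("signon.rememberSignons", false);
PREF_RE = re.compile(r'user_pref\("signon\.rememberSignons",\s*(true|false)\s*\);')


def audit_profile(profile_dir):
    """Report password-saving state of one profile without decrypting anything."""
    profile = Path(profile_dir)
    remember = True  # Firefox default when the pref is absent from prefs.js
    prefs = profile / "prefs.js"
    if prefs.is_file():
        match = PREF_RE.search(prefs.read_text(encoding="utf-8", errors="replace"))
        if match:
            remember = match.group(1) == "true"

    sites = []
    store = profile / "logins.json"
    if store.is_file():
        try:
            entries = json.loads(store.read_text(encoding="utf-8")).get("logins", [])
            sites = sorted({e.get("hostname", "<unknown>") for e in entries})
        except (ValueError, AttributeError, TypeError):
            sites = ["<unreadable logins.json>"]

    # Unchecking "Remember Passwords" does not delete entries already stored.
    if sites and not remember:
        finding = "saving is off but old entries remain: use Remove All"
    elif sites:
        finding = "saved passwords present: set a master password or lock the account"
    elif remember:
        finding = "nothing saved yet, but Firefox will offer to save passwords"
    else:
        finding = "no saved passwords and saving is disabled"
    return {"remember": remember, "sites": sites, "finding": finding}


def make_sample_profile(remember, hostnames):
    """Build a constructed profile directory (sample data, not a real profile)."""
    root = Path(tempfile.mkdtemp(prefix="ffprofile-"))
    flag = "true" if remember else "false"
    (root / "prefs.js").write_text(f'user_pref("signon.rememberSignons", {flag});\n')
    logins = [{"hostname": h, "encryptedUsername": "x", "encryptedPassword": "x"} for h in hostnames]
    (root / "logins.json").write_text(json.dumps({"logins": logins}))
    return root


if __name__ == "__main__":
    print(audit_profile(make_sample_profile(False, ["https://example.com"])))
```

The first finding is the case the "Disable Remember Passwords" steps guard against: unchecking the box alone leaves earlier entries in the store until "Remove All" is used.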
How do I print my own saved passwords? I forget the login name and even the sites I’ve joined and there are A LOT. How do I print them when the screen closes every time I try?
Can this be done with Internet Explorer also, the viewing of passwords thing?
Never knew how to use master password before. Thanks a lot for sharing.
I have always been surprised by the fact that Firefox chose to be “Insecure by Default”; asking for a password when Firefox first launches would have been so easy.
Even after enabling the password, I still don’t feel totally safe because backups are a critical aspect of security, and backing up the Firefox password database is not intuitive.
I much prefer using a Password Manager like RoboForm for Windows or 1Passwd for Mac OS X. Both of these products are “Secure by Default”, and backups are clearly documented & straightforward. In the case of 1Passwd, it integrates directly with the OS X Keychain so your passwords can be backed up when syncing to dotmac.
This is some scary stuff! I have switched to Firefox for some time now and use it particularly for important site access – financial accounts, bank records, affiliate programs, and other sites with my personal records. I didn’t even know about the “Show Passwords” function on Firefox. Thanks for pointing that out. I’ll be more cautious now!
Yikes, I didn’t know about that. Good work Dave & Patrick!