Random stuff from Patrick Crispen

How to Fix Firefox's Saved Passwords Security Problem

If you use Mozilla Firefox--and you should--I have something interesting to show you:

  1. Launch Firefox.
  2. Go to Tools > Options
  3. Click on the "Privacy" padlock icon
  4. In older versions of Firefox, click on the + sign next to the words "Saved Passwords." In newer versions of Firefox, just click on the "Passwords" tab.
  5. Click on the "View Saved Passwords" button.
  6. Click on the "Show Passwords" button.
  7. When Firefox asks you if you'd really like to show your passwords, click on the "Yes" button.
  8. Wail and gnash your teeth.

While it is common knowledge that Firefox can "remember login information for web pages so that you do not need to re-enter your login details every time you visit," most people don't know that Firefox stores your web passwords in PLAIN TEXT. [Well, Firefox does encrypt the passwords you ask it to remember, but anyone who has access to your computer can easily unencrypt these passwords by following those eight steps above.]

Should you panic? Nah. Unless you share your computer with others, the only way someone is going to be able to view your saved web passwords is if that person has access to your computer. If you have a firewall on your computer and lock your home's front door when you leave, your saved web passwords are pretty safe.

Of course, that's just my opinion. Let me add that if you share your computer with others, or if you just want to make absolutely sure your saved web passwords are significantly safer, you have three options:

  1. "Throw the baby out with the bathwater": Disable the "Remember Passwords" feature in Firefox so that the program never remembers any of your web passwords.
  2. "Lock down Firefox": Create a new, master password that automatically locks all of your passwords from snoops.
  3. "Lock down your computer": Use your computer's user accounts feature along with a screensaver password to require everyone whose uses your computer to login.

In my humble [controversial] opinion, the last option is the best. It solves not only the Firefox saved password security problem but also a host of other security issues we don't need to go into today. How do you use the accounts feature to lock down your computer? Well, we'll get to that later.

Disable Remember Passwords

If you want to permanently disable Firefox's "Remember Passwords" Feature [which I don't recommend, but that's just me],

  1. Go to Tools > Options > Privacy
  2. Click on the + sign next to the words "Saved Passwords" or, in newer versions of Firefox, click on the "Passwords" tab.
  3. Click on the "View Saved Passwords" button.
  4. Click on the "Remove All" button. [To the Firefox gurus out there: Yes, you can do the same thing in "Clear Private Data." But you still have to go to the Passwords tab to disable "Remember Passwords." I just figured we'd take the direct route.]
  5. Click on the "Close" button.
  6. Uncheck "Remember Passwords."
  7. Click on the "OK" button.

Doing this clears all of your old web passwords and prevents Firefox from remembering any new web passwords in the future.

Set a Master Password

Another way to lock down Firefox is to set a "Master" password. This is a special password Firefox asks you to key in once per session. Key in the correct master password and Firefox works just like it used to work by auto-filling your saved usernames and passwords on your favorite sign-in pages. Key in an incorrect master password, however, and Firefox automatically blocks your saved usernames and passwords from displaying. Sign in pages will still load, but the username and password boxes will be blank.

To set a master password,

  1. Go to Tools > Options > Privacy
  2. Click on the + sign next to the words "Saved Passwords" or, in newer versions of Firefox, click on the "Passwords" tab.
  3. Click on the "Set Master Password" button.
  4. Key in a new "master" password.
  5. Click on OK.

Set Up User Accounts

I recognize that what I am about to say next is extraordinarily controversial and MANY really smart people disagree with this, but I prefer option three: user accounts. When you set up a user account in Windows XP or Mac OS-X, your operating system creates a special folder into which it stores all of your personal files and settings, including the encrypted passwords you have asked Firefox to remember. This means that other users of your computer won't be able to access your saved passwords in Firefox unless they first login to your user account on your computer. Additionally, setting up and using limited user accounts in Windows XP is a wonderful way to keep some spyware at bay because XP's limited user accounts do not have permission to install new software.

Again, this is controversial. Feel free to skip this if you want. For information on how to set up user accounts in Windows XP, check out either http://www.dummies.com/WileyCDA/DummiesArticle/id-350.html or http://www.microsoft.com/windowsxp/using/setup/getstarted/configaccount.mspx. The former is an excerpt from Wiley's "Windows XP for Dummies" book and the latter is page from Microsoft.

Windows ME users can learn about ME's built-in User Profiles tool [which isn't as neat or secure as XP's but beats a sharp stick in the eye] at http://tinyurl.com/rgzpw and Windows 98 users should read http://tinyurl.com/ltuzk.

To set up user accounts in Mac OS-X, just go to System Preferences > Accounts and follow the on-screen prompts. That's it.

Update Firefox

Finally, no matter what method you choose to secure Firefox, you should also take a moment to make sure you are running the latest version. Open Firefox and go to Tools > Options. If you see a bunch of icons down the *left* side of the screen -- General, Privacy, Content, etc. -- YOU HAVE THE OLD VERSION OF FIREFOX which, unfortunately, is vulnerable to all sorts of nasty stuff! You really need to download the latest version.

Copyright © 2014 Patrick Crispen. Contents licensed to the public under the Creative Commons Attribution-NonCommercial-ShareAlike 3.0 license. All other rights reserved.