Secure Email, Web and Form Solutions         +1 (800) 441-6612

Master Password Encryption in FireFox and Thunderbird

If you let Mozilla FireFox or Thunderbird remember passwords to web sites and/or email accounts in their Password Manager tool, you should know that, without a master password, those saved passwords are effectively stored in the clear.  The entries in your profile directory are merely base64 encoded and wrapped with a key that sits, unprotected by any password, in the same profile directory, so anyone who can read your profile (another user with administrative access to your computer, or anyone who obtains a copy of the disk) can recover every one of them.  If you have any concerns about other people accessing your computer and thus gaining easy access to the passwords you are using, you really need to employ the “Master Password” feature of these programs.

What is the Master Password feature?

When you enable the Master Password feature in FireFox and Thunderbird, you are prompted to enter a special “master” password.  From that point forward, the key that encrypts your saved passwords is itself protected by this master password, so the password database cannot be opened without it.  This protects the password database from other users of your computer; it also means you must enter the master password once per program session before FireFox or Thunderbird can read saved passwords for you.

We recommend that you delete all saved passwords before enabling the Master Password feature.  Some references suggest that some versions of these programs only encrypt NEW passwords once the Master Password is enabled.  Just to be safe, clear all saved passwords just before or after you enable it, and let the programs save them again afterwards.

How Secure are the Encrypted Passwords?

When a Master Password is in use, the stored passwords are encrypted using 3DES in CBC mode by default.  The cipher itself is not the weak point: if you choose a good, strong master password, this level of encryption is fine.  (At the time of writing 3DES was rated acceptable for general use through 2020; NIST has since deprecated it and disallows it for encryption after 2023, but an attacker will always find guessing the master password far cheaper than attacking the cipher.)  What matters is how fast a guessing program can try master passwords: the encryption key is derived from the master password with a fast hash (older versions used as little as a single SHA-1 iteration), so each guess costs almost nothing and the only real barrier is the strength of the master password itself.

You should be aware that there are programs out there designed to crack open the saved passwords.  One such program is FireMaster.  If you do not choose a strong Master Password, then your encrypted database may be susceptible to being broken into.  For help on choosing a strong password, see: Security Simplified: The Base+Suffix Method for Memorable Strong Passwords.

Can the Security be Improved?

You can switch the stored password encryption to FIPS 140 mode by enabling the alternate FIPS security module.  See (in FireFox for Windows) “Tools > Options > Advanced > Encryption > Security Devices > Enable FIPS”.  Be clear about what this buys you: FIPS mode restricts the program to approved algorithms and, more usefully, requires that a Master Password be set and rejects weak ones (it enforces minimum length and character-class rules on the master password).  It does not, by itself, make the encrypted database any harder for a guessing program to open than a strong master password already would.

However, if your Master Password is not well chosen, then a simple dictionary or variation attack may be able to discover it.
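The dictionary-and-variation attack mentioned here and in the “How Secure” section, as an added example that is not part of the original post and is neither FireMaster's nor Mozilla's code.  It stands in for the real key database format with a toy verifier (PBKDF2-HMAC-SHA1 from Python's hashlib, one iteration by default, over a constructed salt), uses a constructed eight-word dictionary, and tries the common variations (capitalization, leet substitutions, numeric or punctuation suffixes) that cracking tools try first.  The iteration count, salt, wordlist and both candidate master passwords are assumptions made for the demonstration.

```python
"""Toy dictionary/variation attack on a master-password verifier.

NOT the real FireFox/Thunderbird key database scheme: the verifier below is a
stand-in (PBKDF2-HMAC-SHA1 via hashlib) and the salt, wordlist and candidate
master passwords are constructed for this demonstration.
"""
import hashlib
import time

# Assumed iteration count for the toy verifier.  A tiny count models the fast
# derivation that makes guessing cheap; demo() compares it with 10,000.
ITERATIONS = 1
SALT = b"constructed-salt"   # constructed; a real store uses a random per-profile salt


def derive_check(master_password: str, salt: bytes = SALT,
                 iterations: int = ITERATIONS) -> bytes:
    """Derive the 24-byte value a store would keep to verify a master password."""
    return hashlib.pbkdf2_hmac("sha1", master_password.encode("utf-8"),
                               salt, iterations, dklen=24)


LEET = str.maketrans({"a": "@", "e": "3", "i": "1", "o": "0", "s": "$"})
SUFFIXES = [""] + [str(n) for n in range(100)] + ["!", "1!", "123", "!!"]


def variations(word: str):
    """Yield the simple variations of a dictionary word that guessers try first."""
    bases = [word, word.lower(), word.capitalize(), word.upper(),
             word.translate(LEET), word.capitalize().translate(LEET)]
    for base in dict.fromkeys(bases):          # de-duplicate, keep order
        for suffix in SUFFIXES:
            yield base + suffix


def crack(check: bytes, wordlist, salt: bytes = SALT,
          iterations: int = ITERATIONS, limit: int = 1_000_000):
    """Try every variation of every word; return (password, guesses) or (None, guesses)."""
    guesses = 0
    for word in wordlist:
        for candidate in variations(word):
            guesses += 1
            if derive_check(candidate, salt, iterations) == check:
                return candidate, guesses
            if guesses >= limit:
                return None, guesses
    return None, guesses


def guesses_per_second(iterations: int, samples: int = 100) -> float:
    """Measure how fast derive_check runs at a given iteration count (machine dependent)."""
    start = time.perf_counter()
    for n in range(samples):
        derive_check("timing-%d" % n, SALT, iterations)
    return samples / (time.perf_counter() - start)


# Constructed mini dictionary standing in for a real wordlist.
WORDLIST = ["password", "letmein", "firefox", "thunderbird",
            "mozilla", "secret", "welcome", "monkey"]


def demo():
    weak = "Thunderbird1!"                       # dictionary word + common suffix
    strong = "corridor-Thawed-9-Lantern!Quilt"   # not derivable from any wordlist entry
    results = {}
    for label, pw in (("weak", weak), ("strong", strong)):
        found, n = crack(derive_check(pw), WORDLIST)
        results[label] = (found, n)
        print(f"{label:6s}: {'recovered ' + found if found else 'not found'} after {n} guesses")
    for its in (1, 10_000):
        print(f"{its:>6d} iteration(s): ~{guesses_per_second(its):,.0f} guesses/s")
    return results


if __name__ == "__main__":
    demo()
```

Run it and the weak master password falls out after well under two thousand guesses, while the strong one survives the whole wordlist; the timing lines show why the iteration count of the key derivation, not the cipher, decides how many guesses per second an attacker gets.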

How do you enable a Master Password?

In FireFox (v3 in Windows … it is likely similar in other versions and OSes), under “Options”, find the “Security” tab and check the “Use a Master Password” checkbox.  You will then be prompted to choose a Master Password.

In Thunderbird (v2 in Windows … it is likely similar in other versions and OSes), under “Tools > Options > Privacy > Passwords”, choose “Use a master password to encrypt stored passwords”. You will then be prompted to choose a Master Password.

Don’t Rely on the Password Manager Alone to Remember Your Passwords!

If your computer should be lost, compromised, destroyed, or otherwise beyond usage, your passwords will all be lost unless you have a record of them elsewhere.  If you can keep them all in your head, that would be best.  However, for us mere mortals, we need some kind of separate secure password storage system. There are many software solutions out there.  However, we recommend use of our own web-based, secure Password Management WebAide.

4 Responses to “Master Password Encryption in FireFox and Thunderbird”

  1. Optimizing Mozilla Thunderbird | LuxSci FYI Says:

    [...] Master Passwords: We highly recommend enabling the “Use a master password to encrypt stored passwords” option in Thunderbird under the “Privacy / Passwords” tab.  If you have Thunderbird save the passwords to your IMAP and SMTP account(s) so that you can login quickly, then anyone sitting down at your computer can open Thunderbird and read your email and send email as you.  With this option enabled, anyone opening Thunderbird will need a special password to cause email to be downloaded or sent.  Additionally, the passwords themselves will be encrypted on disk so that someone else using the same computer cannot “discover” them (even if they have administrative access to your machine).  On a related note, the Mozilla FireFox web browser also has the same feature for securely saving the passwords that you use on web sites.  For more information, see: Master Password Encryption in FireFox and Thunderbird. [...]

  2. Smörgåsbord » Weave: Browser bookmark & password syncing The Right Way Says:

    [...] and have it become available on your desktop, or in your profile on a friend’s machine (don’t forget to set a master password!) . Same with bookmarks. There are some issues that need to be resolved if you want to be able to do [...]

  3. Stanislav Says:

    Good post! FIPS enabled and now I feel just a tad bit more secure. :)

  4. Roger Wernersson Says:

    Why on earth isn’t FIPS enabled by default then?
