Master Password Encryption in FireFox and Thunderbird

February 27th, 2009

If you are allowing Mozilla FireFox or Thunderbird to remember passwords to web sites and/or email accounts in their Password Manager tool, you should know that these passwords are all stored in a plain text file (base64 encoded) on your computer’s disk drive.  This file is accessible to anyone with administrative access to your computer.  If you have any concerns about the possibility of other people accessing your computer and thus gaining easy access to copies of the passwords that you are using, you really need to employ the “Master Password” feature of these programs.

What is the Master Password feature?

When you enable use of Master Passwords in FireFox and Thunderbird, you are prompted to enter a special “master” password.  From that point forward, all of the passwords that you save are encrypted using this “master” password as the key.  This protects the password database from other users of your computer; it also then requires you to enter the master password once per program session so that FireFox and Thunderbird can open the password file for you.

We recommend that you delete all saved passwords before enabling the Master Passwords feature.  Some reports suggest that some versions of these programs may only encrypt NEW passwords once the Master Password is enabled.  Just to be safe, clear all saved passwords just before or after you enable this.

How Secure are the Encrypted Passwords?

When Master Passwords are in use, the data is encrypted using 3DES in CBC mode by default.  If you choose a good, strong master password, then this level of encryption should be fine.  3DES is rated to be good for general use through 2020.
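As an added illustration of the mechanism described above, the following Go program (written for this post; it is not Mozilla's code, and its key derivation is not the one NSS actually performs) shows the shape of what a Master Password buys you: a key is derived from the master password, each saved site password is encrypted with 3DES in CBC mode, and without the right master password the stored blob does not decrypt. The salt, IV and iteration count are constructed assumptions for the example.

```go
package main

import (
	"bytes"
	"crypto/cipher"
	"crypto/des"
	"crypto/sha256"
	"errors"
)

// Constructed sample salt and IV so the example is deterministic; a real store
// draws both from a CSPRNG at creation time and saves them beside the ciphertext.
var sampleSalt = []byte("constructed-salt")
var sampleIV = []byte("8-byteIV") // exactly one DES block

// deriveKey stretches the master password into a 24-byte 3DES key using a salted,
// iterated SHA-256. Illustrative only, NOT NSS's derivation; the iteration count
// is what makes every guess by a password-guessing program cost something.
func deriveKey(master []byte) []byte {
	h := sha256.Sum256(append(append([]byte{}, sampleSalt...), master...))
	for i := 1; i < 10000; i++ {
		h = sha256.Sum256(append(h[:], sampleSalt...))
	}
	return h[:24]
}

// Encrypt protects one saved site password: PKCS#7 pad, then 3DES in CBC mode.
func Encrypt(master, plaintext []byte) ([]byte, error) {
	block, err := des.NewTripleDESCipher(deriveKey(master))
	if err != nil { return nil, err }
	n := des.BlockSize - len(plaintext)%des.BlockSize
	out := append(append([]byte{}, plaintext...), bytes.Repeat([]byte{byte(n)}, n)...)
	cipher.NewCBCEncrypter(block, sampleIV).CryptBlocks(out, out)
	return out, nil
}

// Decrypt reverses Encrypt. With a wrong master password the padding check fails
// (or, rarely, unrelated garbage comes back); the real site password never appears.
func Decrypt(master, ciphertext []byte) ([]byte, error) {
	if len(ciphertext) == 0 || len(ciphertext)%des.BlockSize != 0 {
		return nil, errors.New("ciphertext is not a whole number of blocks")
	}
	block, err := des.NewTripleDESCipher(deriveKey(master))
	if err != nil { return nil, err }
	out := make([]byte, len(ciphertext))
	cipher.NewCBCDecrypter(block, sampleIV).CryptBlocks(out, ciphertext)
	n := int(out[len(out)-1])
	if n == 0 || n > des.BlockSize || !bytes.Equal(out[len(out)-n:], bytes.Repeat([]byte{byte(n)}, n)) {
		return nil, errors.New("bad padding: wrong master password or corrupted store")
	}
	return out[:len(out)-n], nil
}
```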

You should be aware that there are programs out there designed to crack open the saved passwords.  One such program is FireMaster.  If you do not choose a strong Master Password, then your encrypted database may be susceptible to being broken into.  For help on choosing a strong password, see: Security Simplified: The Base+Suffix Method for Memorable Strong Passwords.

Can the Security be Improved?

You can make the stored password encryption FIPS 140-1 compliant by using an alternate security module.  See (in FireFox for Windows) “Tools > Options > Advanced > Encryption > Security Devices > Enable FIPS”.  This improves the encryption strength and makes it more difficult for guessing programs to open the encrypted passwords database.

However, if your Master Password is not well chosen, then a simple dictionary or variation attack may be able to discover it.

How do you enable a Master Password?

In FireFox (v3 in Windows … it is likely similar in other versions and OSes), under “Options”, find the “Security” tab and check the “Use a Master Password” checkbox.  You will then be prompted to choose a Master Password.

In Thunderbird (v2 in Windows … it is likely similar in other versions and OSes), under “Tools > Options > Privacy > Passwords”, choose “Use a master password to encrypt stored passwords”. You will then be prompted to choose a Master Password.

Don’t Rely on the Password Manager Alone to Remember Your Passwords!

If your computer should be lost, compromised, destroyed, or otherwise unusable, your passwords will all be lost unless you have a record of them elsewhere.  If you can keep them all in your head, that would be best.  However, for us mere mortals, we need some kind of separate secure password storage system. There are many software solutions out there.  However, we recommend use of our own web-based, secure Password Management WebAide.