Master Password Encryption in FireFox and Thunderbird

If you are allowing Mozilla FireFox or Thunderbird to remember passwords to web sites and/or email accounts in their Password Manager tool, you should know that these passwords are all stored in a plain text file (base64 encoded) on your computer’s disk drive.  This file is accessible to anyone with administrative access to your computer.  If you have any concerns about the possibility of other people accessing your computer and thus gaining easy access to copies of the passwords that you are using, you really need to employ the “Master Password” feature of these programs.

What is the Master Password feature?

When you enable use of Master Passwords in FireFox and Thunderbird, you are prompted to enter a special “master” password.  From that point forward, all of the passwords that you save are encrypted using this “master” password as the key.  This protects the password database from other users of your computer; it also then requires you to enter the master password once per program session so that FireFox and Thunderbird can open the password file for you.

We recommend that you delete all saved passwords before enabling the Master Passwords feature.  Some reports suggest that certain versions of these programs only encrypt NEW passwords saved after the Master Password is enabled, leaving previously saved passwords unprotected.  Just to be safe, clear all saved passwords just before or after you enable this.

How Secure are the Encrypted Passwords?

When Master Passwords are in use, the data is encrypted using 3DES in CBC mode by default.  If you choose a good, strong master password, then this level of encryption should be fine.  3DES is rated to be good for general use through 2020.

You should be aware that there are programs out there designed to crack open the saved passwords.  One such program is FireMaster.  If you do not choose a strong Master Password, then your encrypted database may be susceptible to being broken into.  For help on choosing a strong password, see: Security Simplified: The Base+Suffix Method for Memorable Strong Passwords.

Can the Security be Improved?

You can make the stored password encryption FIPS 140-1 compliant by using an alternate security module.  See (in FireFox for Windows) “Tools > Options > Advanced > Encryption > Security Devices > Enable FIPS”.  This improves the encryption strength and makes it more difficult for guessing programs to open the encrypted passwords database.

However, if your Master Password is not well chosen, then a simple dictionary or variation attack may be able to discover it.

How do you enable a Master Password?

In FireFox (v3 in Windows … it is likely similar in other versions and OSes), under “Options”, find the “Security” tab and check the “Use a Master Password” checkbox.  You will then be prompted to choose a Master Password.

In Thunderbird (v2 in Windows … it is likely similar in other versions and OSes), under “Tools > Options > Privacy > Passwords”, choose “Use a master password to encrypt stored passwords”. You will then be prompted to choose a Master Password.

Don’t Rely on the Password Manager Alone to Remember Your Passwords!

If your computer should be lost, compromised, destroyed, or otherwise unusable, your passwords will all be lost unless you have a record of them elsewhere.  If you can keep them all in your head, that would be best.  However, for us mere mortals, we need some kind of separate secure password storage system. There are many software solutions out there.  However, we recommend use of our own web-based, secure Password Management WebAide.

4 Responses to “Master Password Encryption in FireFox and Thunderbird”

  1. Optimizing Mozilla Thunderbird | LuxSci FYI Says:

    […] Master Passwords: We highly recommend enabling the “Use a master password to encrypt stored passwords” option in Thunderbird under the “Privacy / Passwords” tab.  If you have Thunderbird save the passwords to your IMAP and SMTP account(s) so that you can login quickly, then anyone sitting down at your computer can open Thunderbird and read your email and send email as you.  With this option enabled, anyone opening Thunderbird will need a special password to cause email to be downloaded or sent.  Additionally, the passwords themselves will be encrypted on disk so that someone else using the same computer cannot “discover” them (even if they have administrative access to your machine).  On a related note, the Mozilla FireFox web browser also has the same feature for securely saving the passwords that you use on web sites.  For more information, see: Master Password Encryption in FireFox and Thunderbird. […]

  2. Smörgåsbord » Weave: Browser bookmark & password syncing The Right Way Says:

    […] and have it become available on your desktop, or in your profile on a friend’s machine (don’t forget to set a master password!) . Same with bookmarks. There are some issues that need to be resolved if you want to be able to do […]

  3. Stanislav Says:

    Good post! FIPS enabled and now I feel just a tad bit more secure. :)

  4. Roger Wernersson Says:

    Why on earth isn’t FIPS enabled by default then?
