Firefox - Never let it save passwords

So I was messing around Firefox and found that under Options - Security and the Saved Logins button you can view all the saved passwords from all web pages that some one has. By default it does not show the password just the website name and the username for the account. But their is a show passwords button that shows the full password.

I never looked into Firefox before so to me this is rather shocking. If I were to be on a shared family computer and accidentally let Firefox save my login anyone on the computer can see my login information if their was only one user account that others shared with me. But I believe the same can be said that if their were multiple accounts on the system as their is an import button where one can import the data from another user on the machine and see what their passwords are and the websites that they have accounts for.

Just imagine if your parents bank account was saved by Firefox and the computer is shared with you. Man the implications of just thinking about this is mind boggling. Also this could be how hackers take information. They just have to get access to the computer copy Firefox and take the info easily.

I do not know if this feature is evident in other web browsers I would have to go see. I can't believe Firefox made it this easy to view password information in a day and age like this.

I do not know if anyone else knew about this. Most likely you knew, but just in case you didn't hopefully you know now.

You can - if you need - use firefox as password manager but than you should set a master password to protect the saved passwords;

I have all my browser set to never save form data; so also no user names and passwords.

Not only that it saves the passwords, it also allows you to set a Master Password so this is needed to be entered (idk when starting / instead of any webpage pw / first fill form thing).
To separate users, you can use different profiles. That combined with the Master Password would allow privacy for everyone.
Yes it is bad, even when the password is automatically entered, you can always edit the html to make the ***** visible.

Thanks for pointing that out. I found the button and will create a password.

It would make more sense tho to tell people to set a master password when the installer finishes.

It's not convenient and not how IE did/does it ... imagine old pop that just was forced to switch an than that... convenience is the killer of security.

Chrome does that as well. I'm not sure about other browsers because I don't use them but it wouldn't surprise me if they had a similar thing.

I'm surprised you didn't know this. This isn't exactly a hidden feature. Linux Chromium (I don't know for sure with the others) saves passwords on a keyring and you can easily access them. I use it all the time for those sites that you use once in a decade and you don't remember the password. But NEVER for important sites.

This is why you NEVER save any of those kinds of passwords. There is a reason why you are told to NOT save your bank account passwords.

The master password is prompted when you launch Firefox and if it isn't entered the passwords will not autofill.

The same thing goes for chromium. Setting a master key will cause it to prompt when launched. If you don't enter a password it doesn't fill.

Google also saves passwords on the cloud if you do the autofill thing. If you go to
My Account > Sign-in & Security > Manage Passwords
you get all of the passwords you have entered for saving.

I never really knew what happened when you let Firefox or a browser save a password I just thought that they kept it encrypted somewhere until I ask for it. I never looked under settings to see that its available to you. Sometimes I can be a bit thick.

I am not old enough to do banking yet so luckily I am safe.... for now ;)

How exactly would it encrypt the password without you entering a password? :P Any way it encrypts it Firefox can just decrypt it without issue.

Don't your bank have two-factor authentication on their website?

its not that shocking its been there for ages... there are special 'viruses' simply exporting your profile to their remote server location to collect passwords etc... then someone just launches chrome/firefox with your profile files and has it all... since firefox 2.1 or even earlier?

1 Like

Chrome has a similar feature - you have to re-enter your OS logon password before it will show them though. Not super secure, but the first step to being secure IMO is not sharing a PC with anyone.