|
|
This concerns non-techies like myself and was sparked by this thread on hackers http://forums.thinkbroadband.com/gaming/f/4062651-st...
I have an Amazon account on which Amazon retains my credit card details -- I don't like it but that's the way it's done. So visit Amazon, choose your goods, go to checkout and Firefox applies password, and Amazon the credit card details.
When I went into Firefox the other day I was appalled to find my Amazon password visible to anyone who switched on my computer, an open door to Amazon's warehouse ...
I deleted this password from Firefox but I wonder how many other security breaches are available via this otherwise handy feature?
|
|
|
On every version of Firefox I have used, my password, provided the field is correctly defined, is not visible and is just a series of dots or asterisks.
FF always asks if you want to save a password, or a change to an existing.
IE works in exactly the same way.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
M H C
taurus excreta cerebrum vincit
|
|
|
Sorry I didn't make this clear. Passwords are indeed normally starred out.
But go to Options and click Saved Passwords button. They're all there
|
|
|
|
Do you leave yourself logged in? Other users shouldn't be able to access your passwords.
|
|
|
Do you have a "Master Password" set?
|
|
|
I don't use FF as my main browser - but thought I would have a check.
I upgraded to v8 yesterday.
Preferences > Security Tab > Saved Passwords... > Show Passwords
Dialogue box asking if you are sure - then boom ALL saved userids/passwords in readable format!
Not good - off to do some reading...
Thanks for the heads up
|
|
|
|
I'm a little confused. You ask to view your passwords and you complain when they are shown? Can you see anyone else's passwords?
|
|
|
|
Yes I suppose I am logged in permanently, it's my own computer in my own home and only I use it. No problem unless someone broke in and knew about this Firefox open door, but I think people should know that if someone can open your Firefox, then they can open your saved passwords too.
@ MHC -- I don't have a master password.
|
|
|
|
Create a user account and a master password for FireFox. At least then you won't have to worry too much about credit card details after the thieves have sold your computer.
|
|
|
Yes - I was surprised there is an option called 'Show Passwords' - especially as it's available (not locked) by default!
I was shocked that anyone passing my PC (it's in a home office so I haven't got a personal issue with this!) can display in clear text all my saved userids and passwords just with a couple of clicks.
I've just been doing some reading and it looks like this has always been this way!
As I mentioned I'm not a FF user day-to-day.
I appreciate in IE you can read the encrypted passwords easily with some freely available s/w - but my 10 year old would find that harder to use but wouldn't have any problem with FF's implementation!
I've just played with 'Master Password' and it rather defeats the object for me as you still have to enter 'a' password. I don't think FF have thought this through very well - and it looks like plenty of others (when they realise how things work) think the same.
|
|
|
|
Well, if you are saving passwords and not using a master password then it doesn't really matter that they are visible, does it. Anyone with access to your computer could use your Amazon account and change the password on it if they wanted to, whether they could see it or not.
If you are going to use any form of password saving then at least make sure that you need to enter a password to access the computer; that's basic security.
|
|
|
|
We all need to decide the level of security we want. My computer is set to lock my screen after 5 minutes of inactivity. By the way you only have to enter the FireFox master password once per session.
|
|
|
I agree - but I think FF should by default force you to use a Master Password if you are saving passwords. Then it's the user's decision if they want to change this to lessen security...
It makes me smile thinking how so many people said "move to FF" when it came out as it's so secure etc. etc.
EDIT: The hidden 'Show Master Password' hack is great!
Edited by b4dger (Fri 11-Nov-11 12:46:41)
|
|
|
|
That is an aspect of security. Mind you I maintain that anyone who is interested in security would not be using a Windows developed browser or e-mail client.
|
|
|
"Anyone with access to your computer could use your Amazon account and change the password on it if they wanted to, whether they could see it or not."
No, you need to know & supply current pwd in order to change it.
1999: Freeserve 48K Dial-Up => 2005: Wanadoo 1 Meg BB => 2007: Orange 2 Meg BB => 2008: Orange 8 Meg LLU => 2010: Orange 16 Meg LLU => 2011: Orange 17 Meg Untweaked 19 Meg Tweaked WBC
|
|
|
Going to Amazon thro' IE requires the pwd every time you buy anything; it only remembers your user ID.
|
|
|
|
No you don't. If you have access to the computer you just use the "forgot password" link. An unsecured PC is a very bad idea.
|
|
|
Not for me (IE8/XP) - initially the password field is blank - use the TAB key to go back/forward and the password is completed...
|
|
|
|
Don't tell Firefox to save sensitive passwords. Use a master password to encrypt saved data.
|
|
|
EDIT: You're right! I had once told it not to remember this pwd, so TAB didn't work. If I now change it, it now prompts to remember pwd and TAB does work next time.
Edited by XRaySpeX (Fri 11-Nov-11 14:42:54)
|
|
|
For that you need to supply email addy registered with a/c, which you can't change without knowing current pwd.
|
|
|
"For that you need to supply email addy registered with a/c, which you can't change without knowing current pwd."
ok, here's a scenario, you have access to someone's pc, and you want to do what you said you can't,
1, amazon lost password send to registered e-mail addy,
lots of people use outlook or some other e-mail client do they not, so the chances are that one of those e-mail addies is the registered e-mail addy, so once the reset pw e-mail is received the hacker or whatever can change whatever they want to
basically amazon should not keep cc debit card details
|
|
|
For goodness sake, man! You're on the guy's computer. His email is yours.
[Edit]: And, besides, the account name, which is filled in automatically is the email address.
Edited by deleted (Fri 11-Nov-11 15:33:49)
|
|
|
What did you expect the "show passwords" button to do exactly?
|
|
|
|
an option is to not let it store any..
and use an independent password storage program.
Like Lastpass
which has one master password, and keeps the passwords (encrypted) in the cloud, and if you have more than one PC, syncs to all of those also.. 'when you login to lastpass'
You can also have separate sections for work/home etc keeping them separate.
You can now afford to have unique and obscure/difficult passwords and know that lastpass will provide and keep them safe.
|
|
|
Firefox encrypts them if you use a "Master Password"
|