LearnYour passwords are showing…

Treehouse
writes on August 6, 2008

Share with your friends










Submit

A lot of geeks and developers out there are using Mozilla Firefox. It’s a fantastic browser, and I highly recommend it. Firefox has been a huge factor in the progress of web development. Where would we be without the Web Developer Toolbar and Firebug?

However, there’s one place you have to be careful using Firefox – password management. You know the little “Remember Password” button you click when you log in? Turns out Firefox doesn’t mind showing you the passwords you’ve saved, in plain text. It’s no secret – others have previously blogged about it – but it does bear repeating. This is the default behaviour, so if you haven’t already spotted this, then chances are it applies to you right now. That means someone unscrupulous can come along and read your passwords. Like this:

First, go into “Preferences” in Firefox (on a mac, hit Cmd-,) and head to the Security tab. Then click the Saved Passwords button as shown here:

Security window in Firefox

This will bring up a Passwords window. I’m not showing you mine. But look for this button at the bottom right:

Show Saved Passwords button

Press this button. Voila! All your passwords are shown, in plain text, on-screen. Please note, my password is not hunter2.


This means that someone can open up Firefox on your computer, and view all your saved passwords. The way to change this is to set a master password for Firefox. Close that passwords window, and go back to the Security preferences pane. There, you’ll see an option for “Use a master password”.


This means that Firefox protects all your saved passwords with a master password which is never shown. However, get used to seeing this prompt…

Master Password prompt

because it comes up ALL the time when you’re using password-authenticated sites. Personally, I use Webkit nightly builds for everyday browsing: they’re extremely fast and stable.

0 Responses to “Your passwords are showing…”

  1. what if I forget the master password 😉

  2. @dinu: If you do, visit chrome://pippki/content/resetpassword.xul and click “OK” in the bottom-right corner. You’ll lose all your saved passwords though :)

  3. @dinu: If you do, visit chrome://pippki/content/resetpassword.xul and click “OK” in the bottom-right corner. You’ll lose all your saved passwords though :)

  4. Thanks Elliott, I used a master password but I didnt realise people could have seen all my passwords if I didnt have that set up! Cheers

  5. If only Firefox let me require the master password only for revealing my password list instead of every single time I want to use a saved one…

  6. Thanks man… this was a great tip and a major help!

  7. I’d be less worried that someone could see my password in plain view within the ‘Saved Passwords’ dialog of the Security tab in the Preferences pane of Firefox than them actually sitting at my computer with direct access to said “secure” website!!

    I’ve never understood the need to save a password in the browser.

  8. It doesn’t require the master password each and everytime you use one. It asks for it just once per instance run of FF.

    @ceejayoz If it asked the master password to reveal the list, but not when you use them. Then the password would need to be stored in clear on your disk and would be pretty easy to retrieve.

  9. Thanks for the top, just a quick note… to access preferences for Firefox 3 on Mac OSX Leopard its CMD, not CMD- (which is zoom out).

  10. @James: That says “CMD-,” which means the CMD key and the comma key :)

    @Sam – good point! I guess saving passwords should be reserved for less-crucial sites.

  11. First time poster long time follower. Thanks for the great tip and taking the extra effort to put this post together. Keep up the good work!

  12. I also ran into this when I used “View Page Info” on a site with Firefox, and was surprised to see my passwords for that site shown to me. I’d imagine most users are naive about this. Firefox should really have a “Manage Passwords” button which is shown alongside those “Remember” and “Never for this site” buttons.

  13. because it comes up ALL the time when you’re using password-authenticated sites.

    Seconding jfno above, it shouldn’t be coming up all the time. It typically appears once when your browser is freshly loaded. Perhaps you use Cmd+Q a lot instead of keeping your browser in memory all the time?

  14. Elliot, whats your wallpaper – you know with the sky and tree? Good post btw!

  15. If you’re in an environment where you’re this concerned about someone sitting down at your computer and stealing your passwords there are a few things to consider:

    1. It’s probably time to have a discussion with this person who you think will be stealing passwords.
    2. If you don’t know the person and are just careless enough to leave your computer open, chances are the person who wants to steal your passwords knows a better way and can get around this system (I can think of plenty of apps and methods to steal passwords that are in fact more efficient and faster than this method).

    What situation would this be useful in? This is like a prescription drug, it just cures the symptom. In reality, we should be trying to get people less reliant on their computer remembering their passwords and not writing them down on little sticky notes that are posted on their monitors.

  16. Hey @Luke, thanks for your comment – there’s actually two backgrounds shown there,

    Elevation by coffeelover,
    http://interfacelift.com/wallpaper_beta/details/1188/elevation.html

    and Lazy Days li by boss019,
    http://interfacelift.com/wallpaper_beta/details/1232/lazy_days_ii.html

    Check out the other wallpapers InterfaceLIFT – I downloaded a whole bunch of their desktop backgrounds and set them to shuffle.

    @Tyler – you’re absolutely right, password security is very important. However for less-important passwords, like forum log-in details, this method of remembering passwords comes in handy. People will use the feature because it’s readily available, so it’s best that they know what they’re using.

    @Peter Cooper and @jfno, you’re right, thanks :)

  17. Hi there,

    I stumbled here from there: http://www.smashingmagazine.com/2007/11/22/30-more-excellent-blog-designs/

    If you unclick the Remember Passwords For Site box then no passwords will be saved. Isn’t this the easiest option???

    Rache

  18. Good call, people should know about this as some shifty person could look at someone elses passwords and notice a pattern for future abuse.

    I’ve started using Lastpass now though.

    Ref: https://addons.mozilla.org/en-US/firefox/addon/8542

    So far it seems pretty damn decent.

  19. chris is a good person he has never been in trouble before leave him alone.

Leave a Reply

Learn to code with Treehouse

Start your 14 day free trial today and get access to hundreds of video courses in web development, design and business!

Learn more