搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

How secure is the Firefox master password feature? How long would it take someone to discover your password using a "password recovery" tool? What is being done to improve the security of the master password feature to make it truly secure?

  • 1 个回答
  • 1 人有此问题
  • 2 次查看
  • 最后回复者为 cor-el

more options

If you do a search for "firefox master password recovery", you'll find a large number of links to software that will "recover" the master password, effectively defeating this security. I know that in the past, these have been pretty quick to use, but a recent search resulted in one that uses a brute force method, so it appears that you have improved on the security. If a brute force method is required, is it possible to use some method of encryption that would be so slow as to make this technique infeasible?

If you do a search for "firefox master password recovery", you'll find a large number of links to software that will "recover" the master password, effectively defeating this security. I know that in the past, these have been pretty quick to use, but a recent search resulted in one that uses a brute force method, so it appears that you have improved on the security. If a brute force method is required, is it possible to use some method of encryption that would be so slow as to make this technique infeasible?

所有回复 (1)

more options

If you use a weak master password that can easily be constructed via a dictionary look up then it doesn't matter how long that password is.

If you want to make it difficult then use a MP that contains uppercase and lowercase characters (e.g. a-z, A-Z) and have digits (0-9) and punctuation characters and symbols (`~!@#$%&*()-_=+[]{}\;:'",.<>/?) and the length should at least be 8, but better use at least 12.

Never use words that can be found or constructed via a dictionary look up, even if there are numbers added or some characters have a different case.

See also http://en.wikipedia.org/wiki/Password_strength


The names and passwords are encrypted with a Triple-DES key that is stored in key3.db and a master password adds an additional level to that encryption.
If you do not use a master password then having access to key3.db and signons.sqlite is sufficient to have access to the encrypted names and passwords.
Make sure that you remember that master password or else all your passwords are lost.

See http://en.wikipedia.org/wiki/Triple_DES - TripleDES (CBC mode)

由cor-el于修改