搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

Usability issues and security concerns regarding password sync with a master password

  • 5 个回答
  • 10 人有此问题
  • 18 次查看
  • 最后回复者为 tz1

more options

I setup up password sync with my desktop installations and observe the following behaviours which raise major questions for me:

  1. Desktop passwords do not appear at all
  2. Deleting the private data via Android does not clear the sync, but drops master password
  3. Retrieving saved passwords for mobile login sites

Desktop passwords do not appear at all

I'm not sure if this is due to different page URLs for the mobile login pages. But even when I go to the desktop pages I only see the usernames but the passwords stay blank. Even worse: I did not find any means to check if and which passwords at all are available on the device

Deleting the private data via Android does not clear the sync, but drops master password

After clearing/removing the stored data via Android, Firefox appears clean & vanilla but the Sync links seems still in operation but now without any master password!

I'm not sure if the Firefox UI is fooling me here, because it reports successful password synchronization after that. For me it appears, that this way a adversary would have easy way to circumvent any master password as soon as he has has physical access to my device.

Retrieving saved passwords for mobile login sites

On the desktop version on a regular basis I need to copy existing passwords into modified website forms. Therefore I use the saved password dialog to reveal and paste existing passwords. How would I do that when I'm on the road?


So - how do people use this feature successfully and safely at all?

I setup up password sync with my desktop installations and observe the following behaviours which raise major questions for me: # Desktop passwords do not appear at all # Deleting the private data via Android does not clear the sync, but drops master password # Retrieving saved passwords for mobile login sites '''Desktop passwords do not appear at all''' I'm not sure if this is due to different page URLs for the mobile login pages. But even when I go to the desktop pages I only see the usernames but the passwords stay blank. Even worse: I did not find any means to check if and which passwords at all are available on the device '''Deleting the private data via Android does not clear the sync, but drops master password''' After clearing/removing the stored data via Android, Firefox appears clean & vanilla but the Sync links seems still in operation but now without any master password! I'm not sure if the Firefox UI is fooling me here, because it reports successful password synchronization after that. For me it appears, that this way a adversary would have easy way to circumvent any master password as soon as he has has physical access to my device. '''Retrieving saved passwords for mobile login sites''' On the desktop version on a regular basis I need to copy existing passwords into modified website forms. Therefore I use the saved password dialog to reveal and paste existing passwords. How would I do that when I'm on the road? So - how do people use this feature successfully and safely at all?

由frucade于修改

被采纳的解决方案

hello, it's a known issue that syncing of passwords won't work on android # when a master password is used (see bug 711636 & bug 780463). there's currently work going on for a successor of sync, so i'm fairly certain that this isn't something that will be fixed in the current system.

you're right that clearing all firefox data via android will also get rid of the master password - this is also the officially recommended way to reset the mastwer pw when you forget it: Using Master Password on Firefox for Android - so together with your first observation i'd recommend the following: disable master password, set up the sync account between desktop & android and let all contents sync, enable the master password on android afterwards, in the desktop sync options disable the syncing of passwords afterwards, so you'd have at least a snapshot of your passwords on your phone. you'd have to repeat these steps whenever you have a new patch of passwords you want to bring on the same level between the two devices...

i'm not aware of a way to access all stored usernames & passwords on firefox on android. the only thing that's possible with this extension is to expose single passwords on pages where it is autofilled by long pressing on the ●●●s.

定位到答案原位置 👍 5

所有回复 (5)

more options

选择的解决方案

hello, it's a known issue that syncing of passwords won't work on android # when a master password is used (see bug 711636 & bug 780463). there's currently work going on for a successor of sync, so i'm fairly certain that this isn't something that will be fixed in the current system.

you're right that clearing all firefox data via android will also get rid of the master password - this is also the officially recommended way to reset the mastwer pw when you forget it: Using Master Password on Firefox for Android - so together with your first observation i'd recommend the following: disable master password, set up the sync account between desktop & android and let all contents sync, enable the master password on android afterwards, in the desktop sync options disable the syncing of passwords afterwards, so you'd have at least a snapshot of your passwords on your phone. you'd have to repeat these steps whenever you have a new patch of passwords you want to bring on the same level between the two devices...

i'm not aware of a way to access all stored usernames & passwords on firefox on android. the only thing that's possible with this extension is to expose single passwords on pages where it is autofilled by long pressing on the ●●●s.

more options

Thank you philipp for you extensive and very helpful answer!

clearing all firefox data via android will also get rid of the master password - this is also the officially recommended way to reset the master pw when you forget it

I'm really hope I do misunderstand something here.

Otherwise the whole master password seems somewhat very clueless to me: If a thief or an adversary gets physical access to my phone, all he needs to to is clear data to get access to all my passwords without the need to know my master password?

more options

ok, just to make it clear: clearing the firefox data through the android settings will get rid of the master password AND all stored passwords. but as you've discovered the sync account apparently remains and stays active, so through this channel the passwords might get onto the device again. that's why i've suggested the "workaround" to disable synchronizing of passwords in the firefox options after the initial pairing in order to avoid that flaw.

if you want you could also file a bug for the issue at bugzilla.mozilla.org, though i'm not sure if something can be done about the situation or if the persistence of the sync account is something that is dictated by the android framework.

more options

Thank you for your clarifications, philipp!

In the first run I misunderstood your workaround as the general workaround to get the passwords into the secured store on the device at all.

If disabling the sync process also purges the decryption credentials it's indeed a viable workaround.

more options

It would be nice if you put up a more prominent notice, both on the "how to setup mobile sync" and in the Android apps that said something about this bug. I managed to find one sentence under "master password".

Even if you don't or can't fix it, at least you can put better warnings out about it.