Use the Firefox password manager

It isn't perfect, but using the password manager built into Firefox is better than using duplicate passwords or storing them in a plain text file.

Last week, you might have read how ZF05 gives us one more reason to use unique passwords. From the article:

The key take-away from this, of course, is that you should never reuse a password between sites. Get yourself a good password manager application; you should only really have to memorize a handful of strong passwords, and store the rest in your password manager.

Keeping track of all those passwords can be quite difficult, however. I would know -- there are something like 150 different Websites for which I need to keep track of login information. It takes more than just a good memory to keep track of them all, and still maintain good password management practice.

The easy way to do it in Firefox is to use the browser's built-in password manager. Luckily, it is pretty simple to use.

Using the Firefox Password Manager

1. Tools > Options (or Preferences)

First, open the Options or Preferences menu. The image below shows the MS Windows version, through the Options selection located in the Tools menu. The Linux and BSD Unix versions of Firefox, on the other hand, keep basic configuration settings in a different location, through the Preferences selection located in the Edit menu. This article will refer to Options, because the screenshots were taken on the MS Windows version of Firefox.

2. Use a master password

Second, select the Security heading in the Options dialog. You should see a checkbox labeled "Use a master password". Make sure that checkbox is checked.

The "Remember passwords for sites" checkbox needs to be checked too, of course.

3. Change Master Password

Third, when the Change Master Password dialog comes up, you will have an opportunity to enter a password you can use to protect the rest of your passwords.

4. Password quality meter

Fourth, a "Password quality meter" will show Firefox's estimation of how strong your password is. Make sure it is a good, strong password, because you are going to use this to ensure that the rest of your passwords are safe. Passwords with a mix of both capital and lowercase letters, numbers, special characters, and even spaces, tend to be best, particularly when they are more than eight characters long.

A password you forget or have to store insecurely (in a text file or on a sticky note next to the computer) is not a good password, though, so make sure you choose something you will remember. The upside of having to remember a strong password for a password manager is that it allows you to have a lot more strong passwords without having to memorize them all.

5. Do you want Firefox to remember this password?

Fifth, when you enter login information at a particular Website for the first time, a band appears across the top of the page with a question on the left and some buttons on the right. The question it asks is "Do you want Firefox to remember this password?"

The buttons on the right are labeled "Remember", "Never for This Site", and "Not Now". If you select "Remember", it will save the login information in the Firefox password manager for you. As long as you authenticate yourself with the password manager while using the browser in the future, it will fill in the login information for you on each Website for which you selected "Remember".

If you select "Never for This Site", it will not save the login information and will never ask you again (unless you do something to clear exceptions or settings for the password manager). If you select "Not Now", it will not save the login information, but will ask again next time.

6. Password Required

When starting Firefox 3.0, after setting up the password manager, a Password Required dialog appears, bearing the words "Please enter the master password for the Software Security Device." Firefox 3.5 doesn't bring up this dialog unless and until you open the login page for a site whose password you've saved.

7. Saved Passwords

If you want to see your login information, you can do so by opening the Saved Passwords dialog from the Security page of the Options dialog. When you open it, you will be presented with a list of sites and user names for those sites. In the screenshot here, nothing is displayed because I had not yet saved any passwords in the Firefox password manager.

If you wish to see the saved passwords themselves, you can click the Show Passwords button, and a Password column will appear beside the Site and Username columns.

8. Exceptions

Also in the Security page of the Options dialog is an Exceptions button. You can use this to manage exceptions -- to see what sites are barred from saving passwords when you click the "Never for This Site" button, and to remove exceptions from the list if needed.

Not Perfect

Because the Firefox password manager is part of Firefox, it could be regarded as one-stop shopping for security crackers and their malware. You would be better protected if you used a password manager external to the browser to save passwords: look up the appropriate password in the password manager, then type or copy it into the site's login form yourself. Still, in the absence of a separate password manager, this is better than using the same password across multiple sites.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

19 comments
girlgeek

Chrome can import passwords from Firefox without being asked for the master password.

gitme12

Maybe it's fine; I use Firefox all the time, but I'm a Roboform user and their frequent updates give me a greater peace of mind.

lastchip

I have been reluctant to use this option, because as far as I'm aware, all saved passwords are kept in plain text. (I'm happy to be corrected if I'm wrong). Surely we really need encrypted password "safes", if you're going to put all your "eggs in one basket". But I concede, it's better than nothing.

michaelfairburn

Use LastPass (www.lastpass.com), a fantastic Firefox add-in. I wouldn't use anything else now and I've tried all the others.

mtarekm

I'm using LastPass password manager. It's just perfect and you can access your passwords and credentials online.

boxfiddler

If not for that last paragraph, I'd think you a pod person. etu rephrase

apotheon

Expect more about passwords in the near future.

Neon Samurai

Anyone able to confirm one way or the other? I haven't any saved in FF but I'll see if I get a chance to check it out later unless someone knows already.

JJFitz

Using RoboForm2Go on a U3 or IronKey USB works for me.

martian

I basically thought the same thing. Your articles are usually the ones I beeline for on TR and they rarely disappoint. That last bit definitely saved this one! ;) Personally, I use a password manager that I run from a USB stick and the db of which I back up in several locations, this way they're almost always safe. (can't totally discount every possibility of disaster) The one I prefer is called Password Corral and it hashes its database using "Blowfish" or "Diamond 2" encryption. Another nice "feature" of using this method is I also record important personal data in it in case of loss/theft etc. My CC numbers with phone numbers to call for reporting this for example. Keep up the good work Chad. Ttyl, Gary

apotheon

If they were hashed, you wouldn't be able to retrieve them. They are, however, encrypted -- in a decryptable form. Decrypting them within Firefox requires entering your master password for the password manager (unless you don't set a master password, in which case you can display them just by telling it to, without having to enter a master password).
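The distinction drawn in the comment above, shown as an added example that is not part of the original thread and is not Firefox's storage format: a hash can only check a guess, while a record encrypted under a key derived from the master password can be recovered, but only with that password. The function names, the iteration count and the HMAC-SHA256 keystream (a stand-in for a real cipher such as AES, which Python's standard library lacks) are assumptions of this sketch.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # assumed work factor for this sketch

def derive_keys(master_password, salt):
    """Stretch the master password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                             ITERATIONS, dklen=64)
    return km[:32], km[32:]

def keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode; stand-in for a real cipher."""
    out, counter = b"", 0
    while len(out) < length:
        block = nonce + counter.to_bytes(8, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]

def encrypt_login(master_password, site_password):
    """Encrypt one saved password, then MAC the result (encrypt-then-MAC)."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = site_password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"salt": salt, "nonce": nonce, "ct": ct, "tag": tag}

def decrypt_login(master_password, record):
    """Recover the saved password; refuse if the master password is wrong."""
    enc_key, mac_key = derive_keys(master_password, record["salt"])
    expected = hmac.new(mac_key, record["nonce"] + record["ct"],
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, record["tag"]):
        raise ValueError("wrong master password or tampered record")
    ks = keystream(enc_key, record["nonce"], len(record["ct"]))
    return bytes(a ^ b for a, b in zip(record["ct"], ks)).decode()

def hash_login(site_password, salt):
    """One-way: can confirm a guess, cannot return the password to fill a form."""
    return hashlib.pbkdf2_hmac("sha256", site_password.encode(), salt, ITERATIONS)

if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    rec = encrypt_login("constructed master passphrase", "s3cret-for-site")
    print(decrypt_login("constructed master passphrase", rec))
    try:
        decrypt_login("wrong guess", rec)
    except ValueError as exc:
        print("refused:", exc)
```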

Neon Samurai

On Windows: Keepass Portable on USB or Keepass system install
On Linux based platforms: KeepassX
On osX: KeepassX
On Maemo, WinCE, Blackberry or other PDA: Keepass

Cross Platform with the same database file trumps single platform for my needs. With 20 char random passwords and 8 char random user names, the auto-type button is a must.

apotheon

I appreciate the compliments from both of you, and sticking with the article to the end. This article is kind of a "baby steps" approach to getting people to adopt better password management behavior in their online lives. A lot of people aren't going to use a separate password manager, but I hope I can at least get them to use the password manager in Firefox properly.

lastchip

Clearly I misunderstood somewhere along the line. I must reconsider its use.

Neon Samurai

Passwords are encrypted based on master password. My terminology fell victim to a brain-fart but my understanding was correct.

martian

Hi Chad, You're quite welcome. Possibly of interest, and definitely better than the one provided on the Microsoft site: passwordmeter.com. Since you only need to remember the ONE password for the password manager, whichever ends up being the user's preference, it behooves us to not create insecure passwords. Anything less would be pure laziness, eh? Ttyl, Gary