Questions to Master Password options via GPO
Osdoba, Sascha
Edge and IE asks for windows user password if you want to know a certain password from a saved website login.
Firefox is doing this only if you use a master password.
3 questions:
1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.
2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?
3. is enabling master password the only option to enhance security to the password database of firefox?
last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.
Regards,
Sascha
Wes Kocher
1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.
2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?
3. is enabling master password the only option to enhance security to the password database of firefox?
last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.
Osdoba, Sascha
Hi,
thanks for your answer.
1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.
>I believe loading the full password manager can be made to prompt for the Windows authentication before it lets you see/edit any saved passwords, but not for individual passwords being filled in directly on the websites themselves. I think the Windows authentication >feature might be mutually exclusive to having a primary password established.
and how can I get the Windows password manager to be used instead of the master password?
2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?
>That would be my understanding of how it works.
Ok but if no passwords are saved then its not necessary to have a master password set. So setting it would be annoying to users who are not saving passwords in browser.
3. is enabling master password the only option to enhance security to the password database of firefox?
last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.
>Without a primary password set, Firefox's password storage is only lightly encrypted via keys stored in the key4.db file, which is right next to the logins.json file in the Firefox profile folder. If an attacker can get those two files, reading the saved login info is trivial. The >primary password adds an off-disk layer of encryption.
Thank you for the clarification
Regards,
Sascha
Osdoba, Sascha
could I possibly get an “official” answer from Mozilla?
Thanks,
Sascha
--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
enterprise+...@mozilla.org.
To view this discussion on the web visit
https://groups.google.com/a/mozilla.org/d/msgid/enterprise/0e42b3ba57a94dc5b0248f6d6027fa67%40gsi.de.
Mike Kaply
> 3. is enabling master password the only option to enhance security to the password database of firefox?
have no master password set your logins could be easily revealed after copying.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/33c50a6941aa4324b65dc3beb501ad1f%40gsi.de.
F L
> 1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.and yes this is only secure if your user was not a victim of phishing attack.We created this feature but haven't turned it on by default. If you go to about:config and flip the pref signon.management.page.os-auth.enabled, you can get this behavior.
Mike Kaply
Le lundi 29 août 2022 à 17:26:57 UTC+2, mka...@mozilla.com a écrit :> 1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.and yes this is only secure if your user was not a victim of phishing attack.We created this feature but haven't turned it on by default. If you go to about:config and flip the pref signon.management.page.os-auth.enabled, you can get this behavior.Hi,I try but don't understand how it works. Ask Windows password but ask too to create a master password.I believe when activate this, it just ask Windows password when register or need to fill forms.
Osdoba, Sascha
Hi Mike,
F.L. is not the origin sender with this questions, it was me 😊
So my first tests seems to be good:
if a master password is set this option has no effect. If no master password but this option is set then its works as it does in Edge.
How safe is the password database with this option? sorry but not safe at all.
My test scenario:
On device A with user A I saved a login with this option. Closed firefox and copied the whole profile folder from A to device B with user B
and started firefox with this copied profile, gone to passwords menu and copying password and it asks for windows password from user B
but didn’t got it that it was user A who saved it.
My result:
this option will only prohibit an access to not locked device to have a quick look onto the password. It will not protect the access to
the password database if someone will copy the whole profile (or may password database only – I did not test it).
>I'm interested in knowing more about this to pass information on to our security team. Is there anyone we can communicate about to get more information about what happened?
what do you want to know? Our ITSEC team has some more information about it but I have some files and scripts from this malicious try. I could send you or I can connect you to
our ITSEC team.
Regards,
Sascha
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/CAHueOzD%2BLqRzoDkfmSxbXSB51sDOTduE%2BhFnn2%3Dogd2wmX4kyA%40mail.gmail.com.
Hunziker, Jonas M (Henderson)
>>My result:
>>this option will only prohibit an access to not locked device to have a quick look onto the password. It will not protect the access to
>>the password database if someone will copy the whole profile (or may password database only – I did not test it).
That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.
Setting a Master password within Firefox is probably the only way to slightly increase security of the stored passwords because that Master password should be used to encrypt them, but I would recommend moving away from browser-stored passwords towards an open-source solution such as KeePass. Leaving stored passwords in a standard location (Firefox profile) is too easy of a target for malware to find and export. We also know nothing of the encryption scheme used by Firefox to protect these passwords, do we?
Jonas
Mike Kaply
Hi Mike,
F.L. is not the origin sender with this questions, it was me 😊
So my first tests seems to be good:
if a master password is set this option has no effect. If no master password but this option is set then its works as it does in Edge.
How safe is the password database with this option? sorry but not safe at all.
My test scenario:
On device A with user A I saved a login with this option. Closed firefox and copied the whole profile folder from A to device B with user B
and started firefox with this copied profile, gone to passwords menu and copying password and it asks for windows password from user B
but didn’t got it that it was user A who saved it.
My result:
this option will only prohibit an access to not locked device to have a quick look onto the password. It will not protect the access to
the password database if someone will copy the whole profile (or may password database only – I did not test it).
>I'm interested in knowing more about this to pass information on to our security team. Is there anyone we can communicate about to get more information about what happened?
what do you want to know? Our ITSEC team has some more information about it but I have some files and scripts from this malicious try. I could send you or I can connect you to
our ITSEC team.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/69292e7a64504368a9fa9b2a23c799da%40gsi.de.
Osdoba, Sascha
>That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.
but this doesn’t seems to be true if you can copy the whole profile from user A to user B. And user B has then access to the password database from user A.
>Setting a Master password within Firefox is probably the only way to slightly increase security of the stored passwords because that Master password should be used to encrypt them,
>but I would recommend moving away from browser-stored passwords towards an open-source solution such as KeePass. Leaving stored passwords in a standard location (Firefox profile)
>is too easy of a target for malware to find and export. We also know nothing of the encryption scheme used by Firefox to protect these passwords, do we?
in a perfect world maybe, but we have users 😊 and users are users. You can tell them do not use this function but they will do what they want to do. OK you could restrict access to password
manager in firefox (or other browsers too). Myself is saving some passwords in firefox (with a very long master password) and I like it. And yes we also use keepass and offer it also to our users
but its somewhat uncomfortable (but a lot of our users use it and in our group we use it as shared password database as well). At least I want to achieve that users who are saving passwords in browser
are using some kind of extra password/master password.
We tried KeepassXC some time ago its nice with the in firefox use function (via addon) but it was hard to deploy because you had to update firefox and keepassxc addon so they always match. We canceled it.
Sascha
Osdoba, Sascha
two more findings regarding master password:
- if one or more passwords are already saved before setting “master password to enabled” you can still use and update these without adding a master password.
So you can workaround the master password until you create a new saved login or use the update function from the website where you login
(editing on logins & password site is still possible without being forced to set master password)
- I found no options to force some strong master password, even “12” as master password works
Sascha
Von: enter...@mozilla.org <enter...@mozilla.org>
Im Auftrag von Osdoba, Sascha
--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to
enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/4d3eb7ad13b5491290714cded4ec57ac%40gsi.de.
Hunziker, Jonas M (Henderson)
>>That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.
>but this doesn’t seems to be true if you can copy the whole profile from user A to user B. And user B has then access to the password database from user A.
I’m not sure I follow?! I have a profile with stored logins and a Master password set. If I copy the whole Firefox profile to a different Windows user, it asks for the Master password before unlocking the logins. If I just copy the logins.json file to a different user’s Firefox profile, I have no logins displayed within Firefox. If I also copy the matching key4.db, I am again asked for the Master password before the logins are shown. Thus, it would at least appear that the Master password is used to lock the logins, unless it is just a flag within Firefox that prompts for the Master password, then uses some hardcoded key to unlock them?! Or perhaps I’m completely misunderstanding what you mean.
But asking for the OS password when no Master password is set does not appear to offer any added protection of the login store, as you noticed as well. It just makes it harder for the maid to look at passwords on a computer left unlocked.
>in a perfect world maybe, but we have users 😊 and users are users. You can tell them do not use this function but they will do what they want to do. OK you could restrict access to password
Agreed. The way we went here, we don’t force anything as far as securing of passwords goes (no Master passwords or anything of that sort). Users are using MFA for domain stuff and are never admins on their devices, so if they store personal passwords in their browser and those logins “walk off”, they are responsible, not the IT department (and it becomes a potential HR issue). Akin to leaving all their keys in the unlocked car and not being able to blame the manufacturer when the car is stolen.
Jonas
Osdoba, Sascha
>but this doesn’t seems to be true if you can copy the whole profile from user A to user B. And user B has then access to the password database from user A.
my statement referred to the the option “signon.management.page.os-auth.enabled” not to the master password
>Agreed. The way we went here, we don’t force anything as far as securing of passwords goes (no Master passwords or anything of that sort). Users are using MFA for domain stuff and are never admins on their devices, so if they store personal passwords in their browser and those logins “walk off”, they are responsible, not the IT department (and it
>becomes a potential HR issue). Akin to leaving all their keys in the unlocked car and not being able to blame the manufacturer when the car is stolen.
we did this also for years but I am trying to enforce some things. I am not sure how the users will react, the test persons said ah ok good to know then we will set a master password and its fine. Lets see how the other 1500 persons will react.
Sascha
Von: Hunziker, Jonas M (Henderson) <jonas.h...@kctcs.edu>
Gesendet: Dienstag, 30. August 2022 20:13
An: Osdoba, Sascha <S.Os...@gsi.de>; enter...@mozilla.org
Betreff: RE: [Mozilla Enterprise] Questions to Master Password options via GPO
>>That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.