Questions to Master Password options via GPO

4 views
Skip to first unread message

Osdoba, Sascha

unread,
Aug 24, 2022, 6:11:33 AMAug 24
to enter...@mozilla.org
Hi,

Edge and IE asks for windows user password if you want to know a certain password from a saved website login.
Firefox is doing this only if you use a master password.

3 questions:

1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.

2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?

3. is enabling master password the only option to enhance security to the password database of firefox?


last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.


Regards,

Sascha

Wes Kocher

unread,
Aug 24, 2022, 7:36:22 AMAug 24
to enterprise

1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.

I believe loading the full password manager can be made to prompt for the Windows authentication before it lets you see/edit any saved passwords, but not for individual passwords being filled in directly on the websites themselves. I think the Windows authentication feature might be mutually exclusive to having a primary password established. 


2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?

That would be my understanding of how it works. 


3. is enabling master password the only option to enhance security to the password database of firefox?

last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.

Without a primary password set, Firefox's password storage is only lightly encrypted via keys stored in the key4.db file, which is right next to the logins.json file in the Firefox profile folder. If an attacker can get those two files, reading the saved login info is trivial. The primary password adds an off-disk layer of encryption. 

Osdoba, Sascha

unread,
Aug 24, 2022, 10:28:04 AMAug 24
to enterprise

Hi,

 

thanks for your answer.

 

1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.

 

>I believe loading the full password manager can be made to prompt for the Windows authentication before it lets you see/edit any saved passwords, but not for individual passwords being filled in directly on the websites themselves. I think the Windows authentication >feature might be mutually exclusive to having a primary password established. 

 

and how can I get the Windows password manager to be used instead of the master password?

 

 

2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?

 

>That would be my understanding of how it works. 

 

Ok but if no passwords are saved then its not necessary to have a master password set. So setting it would be annoying to users who are not saving passwords in browser.

 


3. is enabling master password the only option to enhance security to the password database of firefox?


last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.

 

>Without a primary password set, Firefox's password storage is only lightly encrypted via keys stored in the key4.db file, which is right next to the logins.json file in the Firefox profile folder. If an attacker can get those two files, reading the saved login info is trivial. The >primary password adds an off-disk layer of encryption. 

 

Thank you for the clarification

 

 

Regards,

 

Sascha

Osdoba, Sascha

unread,
Aug 25, 2022, 4:58:45 PMAug 25
to enterprise

could I possibly get an “official” answer from Mozilla?

 

Thanks,

 

Sascha

--
You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.
To view this discussion on the web visit https://groups.google.com/a/mozilla.org/d/msgid/enterprise/0e42b3ba57a94dc5b0248f6d6027fa67%40gsi.de.

Mike Kaply

unread,
Aug 29, 2022, 11:26:57 AMAug 29
to Osdoba, Sascha, enterprise
 > 1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.

We created this feature but haven't turned it on by default. If you go to about:config and flip the pref signon.management.page.os-auth.enabled, you can get this behavior.

> 2. if I enable the GPO setting "primary (master ) password" will users have to set a master password in firefox even if they don't have saved logins?

Only if they try to save a password or do something that needs to access the password database.

> 3. is enabling master password the only option to enhance security to the password database of firefox?

Yes, or enabling the preference above.

> last month we have a seen a malicious script that tried to copy the password database from firefox and thunderbird as well. So I guess if you
have no master password set your logins could be easily revealed after copying.

I'm interested in knowing more about this to pass information on to our security team. Is there anyone we can communicate about to get more information about what happened?

Mike


F L

unread,
Aug 30, 2022, 7:42:33 AMAug 30
to enter...@mozilla.org, mka...@mozilla.com, enterprise
Le lundi 29 août 2022 à 17:26:57 UTC+2, mka...@mozilla.com a écrit :
 > 1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.

We created this feature but haven't turned it on by default. If you go to about:config and flip the pref signon.management.page.os-auth.enabled, you can get this behavior.
Hi,
I try but don't understand how it works. Ask Windows password but ask too to create a master password.
I believe when activate this, it just ask Windows password when register or need to fill forms.

Mike Kaply

unread,
Aug 30, 2022, 9:43:07 AMAug 30
to F L, enter...@mozilla.org
On Tue, Aug 30, 2022 at 7:42 AM F L <florent...@gmail.com> wrote:


Le lundi 29 août 2022 à 17:26:57 UTC+2, mka...@mozilla.com a écrit :
 > 1. can I use the same behavior in Firefox as in Edge/IE so it will ask for windows user password? I guess not but wanted to ask.
and yes this is only secure if your user was not a victim of phishing attack.

We created this feature but haven't turned it on by default. If you go to about:config and flip the pref signon.management.page.os-auth.enabled, you can get this behavior.
Hi,
I try but don't understand how it works. Ask Windows password but ask too to create a master password.
I believe when activate this, it just ask Windows password when register or need to fill forms.

That's correct. IT uses the Windows password instead of master password which is what I thought you were asking for.

Mike

Osdoba, Sascha

unread,
Aug 30, 2022, 10:35:10 AMAug 30
to enter...@mozilla.org

Hi Mike,

 

F.L. is not the origin sender with this questions, it was me 😊

 

So my first tests seems to be good:

 

if a master password is set this option has no effect. If no master password but this option is set then its works as it does in Edge.

 

How safe is the password database with this option? sorry but not safe at all.

 

My test scenario:

On device A with user A I saved a login with this option. Closed firefox and copied the whole profile folder from A to device B with user B

and started firefox with this copied profile, gone to passwords menu and copying password and it asks for windows password from user B

but didn’t got it that it was user A who saved it.

 

My result:

this option will only prohibit an access to not locked device to have a quick look onto the password. It will not protect the access to

the password database if someone will copy the whole profile (or may password database only – I did not test it).

 

 

>I'm interested in knowing more about this to pass information on to our security team. Is there anyone we can communicate about to get more information about what happened?

what do you want to know? Our ITSEC team has some more information about it but I have some files and scripts from this malicious try. I could send you or I can connect you to

our ITSEC team.

 

 

 

 

Regards,

 

Sascha

Hunziker, Jonas M (Henderson)

unread,
Aug 30, 2022, 10:47:26 AMAug 30
to Osdoba, Sascha, enter...@mozilla.org

>>My result:

>>this option will only prohibit an access to not locked device to have a quick look onto the password. It will not protect the access to

>>the password database if someone will copy the whole profile (or may password database only – I did not test it).

 

That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.

 

Setting a Master password within Firefox is probably the only way to slightly increase security of the stored passwords because that Master password should be used to encrypt them, but I would recommend moving away from browser-stored passwords towards an open-source solution such as KeePass. Leaving stored passwords in a standard location (Firefox profile) is too easy of a target for malware to find and export. We also know nothing of the encryption scheme used by Firefox to protect these passwords, do we?

 

Jonas

Mike Kaply

unread,
Aug 30, 2022, 10:47:41 AMAug 30
to Osdoba, Sascha, enter...@mozilla.org
On Tue, Aug 30, 2022 at 10:35 AM Osdoba, Sascha <S.Os...@gsi.de> wrote:

Hi Mike,

 

F.L. is not the origin sender with this questions, it was me 😊

 

So my first tests seems to be good:

 

if a master password is set this option has no effect. If no master password but this option is set then its works as it does in Edge.

 

How safe is the password database with this option? sorry but not safe at all.


Yes, we have a bug open for encrypting the database separately from the master password.


It's still being worked on.
 

 

My test scenario:

On device A with user A I saved a login with this option. Closed firefox and copied the whole profile folder from A to device B with user B

and started firefox with this copied profile, gone to passwords menu and copying password and it asks for windows password from user B

but didn’t got it that it was user A who saved it.

 

My result:

this option will only prohibit an access to not locked device to have a quick look onto the password. It will not protect the access to

the password database if someone will copy the whole profile (or may password database only – I did not test it).

 

 

>I'm interested in knowing more about this to pass information on to our security team. Is there anyone we can communicate about to get more information about what happened?

what do you want to know? Our ITSEC team has some more information about it but I have some files and scripts from this malicious try. I could send you or I can connect you to

our ITSEC team.


Yes, I would appreciate that. I at least want to make sure our team is aware if it's something new in the wild.

Mike
 

Osdoba, Sascha

unread,
Aug 30, 2022, 11:53:22 AMAug 30
to Hunziker, Jonas M (Henderson), enter...@mozilla.org

>That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.

 

but this doesn’t seems to be true if you can copy the whole profile from user A to user B. And user B has then access to the password database from user A.

 

 

>Setting a Master password within Firefox is probably the only way to slightly increase security of the stored passwords because that Master password should be used to encrypt them,

>but I would recommend moving away from browser-stored passwords towards an open-source solution such as KeePass. Leaving stored passwords in a standard location (Firefox profile)

>is too easy of a target for malware to find and export. We also know nothing of the encryption scheme used by Firefox to protect these passwords, do we?

 

in a perfect world maybe, but we have users 😊 and users are users. You can tell them do not use this function but they will do what they want to do. OK you could restrict access to password

manager in firefox (or other browsers too). Myself is saving some passwords in firefox (with a very long master password) and I like it. And yes we also use keepass and offer it also to our users

but its somewhat uncomfortable (but a lot of our users use it and in our group we use it as shared password database as well). At least I want to achieve that users who are saving passwords in browser

are using some kind of extra password/master password.

 

We tried KeepassXC some time ago its nice with the in firefox use function (via addon) but it was hard to deploy because you had to update firefox and keepassxc addon so they always match. We canceled it.

 

Sascha

Osdoba, Sascha

unread,
Aug 30, 2022, 1:23:29 PMAug 30
to enter...@mozilla.org

two more findings regarding master password:

 

  1. if one or more passwords are already saved before setting “master password to enabled” you can still use and update these without adding a master password.

So you can workaround the master password until you create a new saved login or use the update function from the website where you login

(editing on logins & password site is still possible without being forced to set master password)

  1. I found no options to force some strong master password, even “12” as master password works

 

Sascha

 

Von: enter...@mozilla.org <enter...@mozilla.org> Im Auftrag von Osdoba, Sascha

--

You received this message because you are subscribed to the Google Groups "enter...@mozilla.org" group.
To unsubscribe from this group and stop receiving emails from it, send an email to enterprise+...@mozilla.org.

Hunziker, Jonas M (Henderson)

unread,
Aug 30, 2022, 2:13:24 PMAug 30
to Osdoba, Sascha, enter...@mozilla.org

>>That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.

 

>but this doesn’t seems to be true if you can copy the whole profile from user A to user B. And user B has then access to the password database from user A.

 

I’m not sure I follow?! I have a profile with stored logins and a Master password set. If I copy the whole Firefox profile to a different Windows user, it asks for the Master password before unlocking the logins. If I just copy the logins.json file to a different user’s Firefox profile, I have no logins displayed within Firefox. If I also copy the matching key4.db, I am again asked for the Master password before the logins are shown. Thus, it would at least appear that the Master password is used to lock the logins, unless it is just a flag within Firefox that prompts for the Master password, then uses some hardcoded key to unlock them?! Or perhaps I’m completely misunderstanding what you mean.

 

But asking for the OS password when no Master password is set does not appear to offer any added protection of the login store, as you noticed as well. It just makes it harder for the maid to look at passwords on a computer left unlocked.

 

>in a perfect world maybe, but we have users 😊 and users are users. You can tell them do not use this function but they will do what they want to do. OK you could restrict access to password

 

Agreed. The way we went here, we don’t force anything as far as securing of passwords goes (no Master passwords or anything of that sort). Users are using MFA for domain stuff and are never admins on their devices, so if they store personal passwords in their browser and those logins “walk off”, they are responsible, not the IT department (and it becomes a potential HR issue). Akin to leaving all their keys in the unlocked car and not being able to blame the manufacturer when the car is stolen.

 

Jonas

Osdoba, Sascha

unread,
Sep 1, 2022, 2:58:31 AMSep 1
to Hunziker, Jonas M (Henderson), enter...@mozilla.org

>but this doesn’t seems to be true if you can copy the whole profile from user A to user B. And user B has then access to the password database from user A.

 

my statement referred to the the option “signon.management.page.os-auth.enabled” not to the master password

 

>Agreed. The way we went here, we don’t force anything as far as securing of passwords goes (no Master passwords or anything of that sort). Users are using MFA for domain stuff and are never admins on their devices, so if they store personal passwords in their browser and those logins “walk off”, they are responsible, not the IT department (and it

>becomes a potential HR issue). Akin to leaving all their keys in the unlocked car and not being able to blame the manufacturer when the car is stolen.

 

we did this also for years but I am trying to enforce some things. I am not sure how the users will react, the test persons said ah ok good to know then we will set a master password and its fine. Lets see how the other 1500 persons will react.

 

 

Sascha

 

Von: Hunziker, Jonas M (Henderson) <jonas.h...@kctcs.edu>
Gesendet: Dienstag, 30. August 2022 20:13
An: Osdoba, Sascha <S.Os...@gsi.de>; enter...@mozilla.org
Betreff: RE: [Mozilla Enterprise] Questions to Master Password options via GPO

 

>>That’s really all it can do. Otherwise, the minute you change your Windows/Domain password, you are no longer able to decrypt the passwords within Firefox.

Reply all
Reply to author
Forward
0 new messages