Rolling your own password management solution

@ David C. Shamino:

Excellent, detailed reply with lots of useful information. Thanks, David.

Now if only I could remember why I stopped using the FF password manager, years ago… something must have made me nervous…

One thing I recall is that, since Thunderbird (email program) back then was also from Mozilla, I had the same master password for both. Now that Tbird is basically independent of Mozilla (I think), I suppose it ought to have its own separate password.

1PW8 currently (well, since August) suffers from annoying issues with FaceID not working — waiting for the fix, I went back to 1PW7 for the time being.

I don’t have that problem. I hope it gets worked out for you. I was having an issue early on with the extension for iPad OS, but that’s been better for months now.

1 Like

This, again, would be an issue if Firefox/Mozilla had their data store stolen as Lastpass did. With 1P and iCloud Keychain, there is another key that tangles with your password. The 2FA on Firefox sync wouldn’t help you in that case - they already have the data.

Chrome has a similar system but IIRC it defaults to using just your account credentials to encrypt. But you can optionally add a sync password that does make it stronger. But, again, the same issue if the data is lost.

(I’m hoping that Google and Mozilla have better security over their backup data than Lastpass did.)

2 Likes

I don’t think so.

As I understand the Firefox documents, your password is used to generate two different cryptographic tokens. One is the encryption key for the data, and the other is an access token for logging in to the web site. And you can’t derive one from the other.

According to their documents, your plaintext password is never sent to their server. It is only used locally to generate the key and access token, only one of which (the token) is shared with the Firefox server.

If someone gets your plaintext password, then yes, you’re SOL, because that generates both.

But if someone hacks their server, they will get the encrypted data and the access token. But they shouldn’t be able to generate the decryption key from that access token. They would need to run through the usual password-cracking mechanism (dictionaries, brute-force, etc.) to try and access the data. Either to determine the key for decrypting the data or to determine the plaintext password for generating the access token (which can then generate the decryption key).

In other words, as far as I can tell, the security of your data will almost entirely depend on the security of your chosen password. So pick something with sufficiently high length and complexity (based on whatever you personally consider sufficient) and I think it will be fine.

2 Likes

I heartily endorse Joe Kissell’s Take Control of Your Passwords.

After a bit more web searching, I found that yes, the password database is encrypted using a locally-stored key stored in a file named key4.db. Your master password encrypts this file.

If you don’t have a master password, then this file is left as plaintext, and anyone copying it along with logins.json can then copy it to a newly-created Firefox profile and read/export the contents. If there is a master password, then someone could still copy it to a new system, but they’d need the master password to decrypt everything.

Which means that if this is a concern for you, a master password with a strong password will be important.

1 Like

I can’t believe anyone here is actually talking about remembering more than two or three important passwords (i.e. Apple ID/iCloud, 1PW master password, Firefox master password, etc.) It’s just not possible. And I say that as someone who has found myself to be something of a ‘password savant’ (:rofl:). I work as a one-man “Mac Doctor”, helping clients with all manner of issues on their Apple devices. I’ve found that I often sit down in front of a regular client’s Mac, even if I haven’t seen them in months, and their login password will just come to me. Of course, these passwords are all simple, old-school ones such as Maggie1, mydoghasblackstripeS4$, Mom’s4*kids, etc. Strange, nonetheless, eh? I also have probably close to a dozen of my own regularly-used passwords memorized, though they’re mostly in the 12-16 character range. My primary wifi password is 20 characters; it’s essentially a long made up word with a number and a symbol.

Bottom line though, is that everyone needs some sort of ‘password manager’, even if it’s just a piece of paper. We simply can’t be expected to remember the kinds of passwords we’ve been discussing here. (Even weirdos like me. :nerd_face:) I’m currently a very unhappy user of 1PW; the mess they’ve made of it in version 8.x? Don’t even get me started on that…

2 Likes

Bottom line though, is that everyone needs some sort of ‘password manager’, even if it’s just a piece of paper. We simply can’t be expected to remember the kinds of passwords we’ve been discussing here. (Even weirdos like me. :nerd_face:) I’m currently a very unhappy user of 1PW; the mess they’ve made of it in version 8.x? Don’t even get me started on that…

Yep…I remember the 5 login passwords for my Macs, 1PW master, and AppleID…but beyond that they’re all in 1PW v7 and will never be in v8 unless they fix the many issues and lost capabilities over v7…but their VC part owners are driving the train now and they’ve refocused on enterprise customers and subscriptions to the detriment of regular users.

Apparently 600,000 is now recommended.

https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers
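As an added illustration (not code from anyone in this thread, nor Mozilla's or LastPass's own implementation) of two points raised above: the earlier description of one password yielding an access token and a separate encryption key that cannot be derived from each other, and the 600,000-iteration figure in the bulletin just linked. It stretches the password once with PBKDF2-HMAC-SHA256 and then splits the result with HKDF (RFC 5869) into two independent tokens. The function names, the HKDF `info` labels, and the choice to store only a hash of the auth token server-side are my assumptions; Firefox's actual parameters are not claimed here.

```python
import hashlib
import hmac
import time

# Work factor: the PBKDF2 iteration count the linked LastPass bulletin now recommends.
PBKDF2_ITERATIONS = 600_000


def hkdf_extract(salt: bytes, ikm: bytes) -> bytes:
    """RFC 5869 HKDF-Extract with HMAC-SHA256 (empty salt means HashLen zero bytes)."""
    return hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()


def hkdf_expand(prk: bytes, info: bytes, length: int) -> bytes:
    """RFC 5869 HKDF-Expand with HMAC-SHA256: T(i) = HMAC(prk, T(i-1) | info | i)."""
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_tokens(password: str, account: str, iterations: int = PBKDF2_ITERATIONS):
    """Stretch the password once, then split it into two independent 32-byte tokens.

    The auth token is what the client presents to the server to log in; the wrap
    key never leaves the client and is what actually protects the vault.  HKDF
    outputs under different `info` labels are independent pseudo-random values,
    so holding one token gives no shortcut to the other: an attacker with the
    auth token still has to guess the password and redo the whole derivation.
    """
    stretched = hashlib.pbkdf2_hmac(
        "sha256",
        password.encode("utf-8"),
        account.lower().encode("utf-8"),  # account name as salt: same user, same salt
        iterations,
    )
    prk = hkdf_extract(b"", stretched)
    auth_token = hkdf_expand(prk, b"example-sync/authToken", 32)  # hypothetical label
    wrap_key = hkdf_expand(prk, b"example-sync/wrapKey", 32)      # hypothetical label
    return auth_token, wrap_key


def server_record(auth_token: bytes) -> bytes:
    """What the server should keep: a hash of the auth token rather than the token.

    A dump of these records plus the encrypted vaults yields neither the auth
    token nor the wrap key; every guess still costs the full PBKDF2 stretch.
    """
    return hashlib.sha256(auth_token).digest()


def login_ok(record: bytes, presented_token: bytes) -> bool:
    """Constant-time comparison of a presented auth token against the stored record."""
    return hmac.compare_digest(record, hashlib.sha256(presented_token).digest())


if __name__ == "__main__":
    # Constructed sample credentials; the account is lower-cased, so the
    # capitalised form derives the same tokens.
    t0 = time.perf_counter()
    auth, wrap = derive_tokens("correct horse battery staple", "User@Example.com")
    elapsed = time.perf_counter() - t0
    record = server_record(auth)
    print(f"one derivation at {PBKDF2_ITERATIONS:,} iterations took {elapsed:.2f}s")
    print("auth token :", auth.hex())
    print("wrap key   :", wrap.hex())
    print("login ok   :", login_ok(record, auth))
```

Running the script prints how long a single derivation takes at 600,000 iterations; that number is the per-guess cost an attacker pays against a stolen record, which is why raising the iteration count matters even though the server never sees the plaintext password.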

At a former workplace, we used an electric typewriter to do this. It was capable of re-printing pages, and was not internet connected. That way, nothing internet connected had a glimpse of the passwords.

Well, maybe some of these people! World Memory Championships - Wikipedia

3 Likes