搜索 | 用户支持

防范以用户支持为名的诈骗。我们绝对不会要求您拨打电话或发送短信,及提供任何个人信息。请使用“举报滥用”选项报告涉及违规的行为。

详细了解

A small suggestion about the "MASTERE PASSWORD" and how it works.

  • 5 个回答
  • 2 人有此问题
  • 1 次查看
  • 最后回复者为 cor-el

more options

This is more me "thinking aloud" about the master password and how (I think) it works.

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

So, you set a master password, and all is good. Or is it?

Here's my concern:

You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.

You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.

But say you get some nasty software. It starts looking through your saved logins.

What is stopping it basically getting them all without your knowledge?

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed.

Thanks very much in advance.

This is more me "thinking aloud" about the master password and how (I think) it works. My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc. So, you set a master password, and all is good. Or is it? Here's my concern: You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved. You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario. But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge? My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested". I may be wrong in my concerns but I feel it is worth asking/mentioning so the problem can be addressed or my fears allayed. Thanks very much in advance.

被采纳的解决方案

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

定位到答案原位置 👍 1

所有回复 (5)

more options

选择的解决方案

teeny_weeny said

My take is that: Without it being set, all you saved logins can be seen and any saved passwords are accessible to anyone. Including remote programs, etc.

Without a Master Password, the local files can be scooped up and read by anyone with physical access to the disk. Ordinary websites and add-ons can't do that, but if remote access were granted to malware were installed, then there's a big problem.

So, you set a master password, and all is good. Or is it?
Here's my concern:
You go to a site and it asks you for your login/password. They are either saved or you save them. You are prompted for the master password and they are either saved or retrieved.
You go to another site and the saved log in is auto-completed with no input from you. That's good in that scenario.
But say you get some nasty software. It starts looking through your saved logins. What is stopping it basically getting them all without your knowledge?

I think the malware would need to capture your Master Password as you type it (keylogger) or would need to watch web pages as you browse. It wouldn't be able to just read the files on disk as in the scenario with no Master Password.

My suggestion is - though some may complain - that even if you have entered your master password, when a site requests access to your saved logins (or how ever it works) you are told with a simple "Site log in requested".

So not as painful as having to re-type your Master Password, but taking some affirmative act to fill the form? I have a suggestion.

One way to prevent websites from grabbing your login information from your password manager is to turn off autofill. Firefox will show your username(s) for the site in a drop-down from the username and password fields instead of filling anything automatically. I recommend this change if you are not in too much of a hurry and don't mind selecting it yourself. There's a checkbox for that on the Options page, Privacy & Security panel, Logins and Passwords section:

What do you think?

more options

Thanks for clearing that confusion up.

Shall search for what you suggested and turn it off.

more options

I don't want to suggest we can get rid of the risk of passwords being scraped from web pages, but at least we can get rid of fake or hidden forms being filled automatically.

more options

Yes. Thanks. I did what you suggested and that shall allay most fears.

more options

On Linux this would normally not much of an issue.

Note that you can logout of the software security device (Password Manager) by canceling a master password prompt that you get when you want to view a password in Lockwise.