Understanding Password Storage - Master Password + Topic is solved

fatboy
Astronaut
Posts: 556
Joined: 2017-12-19, 08:03
Location: Canada

Understanding Password Storage - Master Password +

Unread post by fatboy » 2023-05-12, 14:39

Good Day Folks,

I am posting this because I want to banish my ignorance. My question is about how passwords are stored by Basilisk (B) and Pale Moon (PM).

Question 1) When PM or B saves a password, is it encrypted by the browser and stored in its Profile Directory?
Question 2) When one uses Master Password +, does it protect the stored encrypted password with a password?

I have two concerns:
A) Can one's browser be compromised in such a way that passwords get extracted, and does it help to use Master Password + in such a case?
B) My hard drive is currently encrypted, but I am also wondering if a malicious entity gained access to my computer remotely, can they scrape the passwords saved by B or PM from my hard drive?

I am not insinuating anything, I am really just curious as to how things work.

Thank You
Systemd Free - MX Linux, Antix Linux & Artix Linux

Michaell
Lunatic
Posts: 282
Joined: 2018-05-26, 18:13

Re: Understanding Password Storage - Master Password +

Unread post by Michaell » 2023-05-12, 16:32

Yes to question 1, using the built-in master password. It's in the logins.json file. Some things in that file are readable, like the URLs. Both user name and password are encrypted (I don't know the algorithm or level used).

I assume Master Password + is an extension; I don't use that.
Win10home(1709), PM33.0.0-portable as of Feb 1, '24
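
The split between readable and encrypted fields described in the post above can be checked on a profile copy. This is an added example, not code from the thread or from the Pale Moon project: the field names assume the Firefox-derived logins.json layout, and the sample file with its placeholder blobs is constructed.

```python
import base64, json, os, stat, tempfile

# Field names assume the Firefox-derived logins.json layout (an assumption).
ENCRYPTED = ("encryptedUsername", "encryptedPassword")
READABLE = ("hostname", "formSubmitURL", "usernameField", "passwordField",
            "timeCreated", "timeLastUsed", "timesUsed")

def audit_logins(path):
    """List what each entry reveals to anyone who can read the file."""
    with open(path, encoding="utf-8") as fh:
        store = json.load(fh)
    report = []
    for entry in store.get("logins", []):
        readable = {k: entry[k] for k in READABLE if entry.get(k)}
        sizes = {}
        for k in ENCRYPTED:
            try:  # report blob size only; the blob is not interpreted
                sizes[k] = len(base64.b64decode(entry.get(k) or "", validate=True))
            except ValueError:
                sizes[k] = None  # not base64: worth a manual look
        report.append({"readable": readable, "blob_sizes": sizes})
    return report

def loose_permissions(path):
    """True if group/other can read the file (POSIX mode bits; not FAT)."""
    return bool(os.stat(path).st_mode & (stat.S_IRGRP | stat.S_IROTH))

def make_sample(directory):
    """Write a constructed logins.json; the blobs are placeholder bytes."""
    blob = base64.b64encode(b"\x00" * 32).decode()
    entry = {"id": 1, "hostname": "https://example.test",
             "formSubmitURL": "https://example.test", "usernameField": "user",
             "passwordField": "pass", "encryptedUsername": blob,
             "encryptedPassword": blob, "timeCreated": 1683900000000,
             "timeLastUsed": 1683900000000, "timesUsed": 3}
    path = os.path.join(directory, "logins.json")
    with open(path, "w", encoding="utf-8") as fh:
        json.dump({"nextId": 2, "logins": [entry]}, fh)
    return path

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = make_sample(d)
        for row in audit_logins(sample):
            print(row)
        print("group/other readable:", loose_permissions(sample))
```

The report shows that site URLs, form field names and usage timestamps are visible to any process that can read the file, whatever the state of the encrypted fields.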

Moonchild
Pale Moon guru
Posts: 35402
Joined: 2011-08-28, 17:27
Location: Motala, SE

Re: Understanding Password Storage - Master Password +

Unread post by Moonchild » 2023-05-12, 16:57

1) Yes. It is however not secure if not locking the store with a master password. If not using a master password, site passwords can be recovered, which is why I always strongly suggest everyone using a master password if one allows the browser to save them.
2) I can't say anything about Master Password +

A) Not when using the master password feature of the browser, unless you have installed a malicious extension that can access the password store through the browser's APIs after you've unlocked it in a browsing session. So, know what extensions you install ;)
B) On a running system, drive encryption will not protect against live access to data, period.
Malware can scrape passwords from the hard drive if you do not use a master password in the browser. If you do, then it's not possible to recover the passwords from what's stored on disk.
"Sometimes, the best way to get what you want is to be a good person." -- Louis Rossmann
"Seek wisdom, not knowledge. Knowledge is of the past; wisdom is of the future." -- Native American proverb
"Linux makes everything difficult." -- Lyceus Anubite

moonbat
Knows the dark side
Posts: 4942
Joined: 2015-12-09, 15:45

Re: Understanding Password Storage - Master Password +

Unread post by moonbat » 2023-05-13, 01:05

I use Master Password+; it makes the password protection at startup actually work as a login (you can make the browser exit if the incorrect password is entered) and fixes a long-standing Firefox bug where the master password dialog would pop up multiple times. Other security features include configuring the timeout for password prompts and locking the browser on minimize or using a shortcut key.

These are just extra security features, it doesn't affect the actual encryption mechanism or the password store. For physical security, best to lock your screen when moving away from your computer.
"One hosts to look them up, one DNS to find them and in the darkness BIND them."

Linux Mint 21 Xfce x64 on HP i5-5200 laptop, 12 GB RAM.
AutoPageColor|PermissionsPlus|PMPlayer|Pure URL|RecordRewind|TextFX

fatboy

Re: Understanding Password Storage - Master Password +

Unread post by fatboy » 2023-05-15, 15:43

Thank You Moonchild and Moonbat for the insights, I now understand the whole password storage thing a bit better.

Just a few notes: I only install extensions from the Pale Moon and Basilisk Page.
Also, Moonchild, do I need to create a master password for the browser before I save passwords, or is it OK if I create a Master Password for the browser after website login passwords are already saved? It sounds like the Master Password feature "locks" the browser's json files (or something) with a master password?

I will mark this as solved and definitely use a master password for Basilisk and Pale Moon.

Moonchild

Re: Understanding Password Storage - Master Password +

Unread post by Moonchild » 2023-05-15, 16:10

It's fine to create and enable a master password at any point in time. When you do, the entire password store will be re-keyed (this can take a few seconds if you have a larger number of stored passwords).

dapgo
Fanatic
Posts: 204
Joined: 2016-10-11, 11:36

Re: Understanding Password Storage - Master Password +

Unread post by dapgo » 2023-05-24, 08:34

Moonchild wrote (2023-05-12, 16:57):
1) Yes. It is however not secure if not locking the store with a master password. If not using a master password, site passwords can be recovered, which is why I always strongly suggest everyone using a master password if one allows the browser to save them.
2) I can't say anything about Master Password +

A) Not when using the master password feature of the browser, unless you have installed a malicious extension that can access the password store through the browser's APIs after you've unlocked it in a browsing session. So, know what extensions you install ;)
B) On a running system, drive encryption will not protect against live access to data, period.
Malware can scrape passwords from the hard drive if you do not use a master password in the browser. If you do, then it's not possible to recover the passwords from what's stored on disk.

I thought that master password was working on the browser level but not at file system level.
Because in the past sometimes I moved files to other browser and profile, and I got no prompt asking for the master password and stored passwords were working.

Then I got the idea that saving passwords on Firefox is only safe as far as the profile is stored on a protected filesystem and there are permissions by account; so dangerous on FAT filesystem (i.e. portable on USB stick).
Am I missing something?

Moonchild

Re: Understanding Password Storage - Master Password +

Unread post by Moonchild » 2023-05-24, 08:46

dapgo wrote (2023-05-24, 08:34):
Because in the past sometimes I moved files to other browser and profile, and I got no prompt asking for the master password and stored passwords were working.

That's not possible because you need the master password to unlock the password store. Master passwords are session-bound and must be entered each browsing session.

However, if you used Sync, then be aware you have to set a master password on each browser yourself because master passwords are not synced (it's the only potential weakness if you are not diligent with your sync key).