10-17-2023 12:50 PM
Hi,
The primary password approach that Firefox has is good but it can be better. The start-up prompt has a cancel button. This primary password only protects passwords, therefore it lets a wrongdoer access my browser history and even open websites where autologin was enabled. This can be a serious threat as it's customary for people to save their documents in a "trusted" cloud drive.
To have stronger protection, all the information associated with a user should be encrypted with the primary password. Unless the password is provided by the user NO Information should be accessible, This includes web history and auto logins too. By default, Firefox should open in a "Guest" mode.
If this kind of behavior is not intended to be implemented, I recommend informing users when they're setting a primary password that their history and auto logins will still be accessible.
Thanks
11-02-2023 10:46 AM
This is a great idea and way past due from Mozilla. If you are interested in protecting user privacy, it has to start at the point of origin. A password enabled option to open a browser to normal operation is critical in this day and time. If you enable primary password in Firefox - then the browser should not open to normal operations until the correct password is entered.
And as stated above, all contents should be encrypted: bookmarks, history, and site logins and passwords saves. If bookmarks are exported for backup purposes, then the exported file is in the clear, and becomes the responsibility of the user to protect it.
Another option would be to apply password/encryption protection for containers. An option to password protect a container and all the bookmarks within should be implemented. All history should be secure deleted when the browser is closed. Secure delete - history file overwritten with with random characters.
Thanks
02-15-2024 06:56 PM - edited 02-15-2024 06:57 PM
Also need more advanced KDF protecting the primary password from attacks. Last I heard it was only 10,000 iterations of PBKDF2. Mozilla has plenty of resources and should make security as such a higher priority.