Mozilla Connect

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

TL:DR although this would be really nice in theory the laws of mathematics mean that this probably cant be implemented in a way that provides meaningful security

Firstly, I would like to say that if this was actually feasible, it would be really nice.  It would be great to be able to have a short, memorable password to enter to decrypt the password store but this being insufficient to easily dump all the passwords, however unfortunately the laws of mathematics prevent us from having nice things.

Overall, this would weaken security, since both passwords would by necessity have the capability to decrypt the password store (a brute force attack now has double the chance of succeeding on each guess).  Even if Firefox enforced this, there would be nothing to stop an external program from loading the password store and decrypting it using either password.  Since Firefox is open-source, there is no "security" from obscurity here either - someone else could trivially patch Firefox to allow either password to have full privileges, or rip out the password store code and embed it in their own application. 

The only feasible way to implement this in a secure manner would involve relying on a TPM to seal the encryption key, however not every device will have a TPM and using one increases the risk that the key will be lost (e.g. hardware failure of the TPM, some system configuration changing and invalidating the seal etc).

When you came up with this feature request you may have been thinking of how PDFs can be encrypted with two passwords, with one giving the rights to view the document and one giving the rights to edit (with one or both of these passwords being able to be blank), however this relied on PDF readers and editors to respect the difference between the reader and editor password.  In practice, software that ignores this difference exists (allowing you to fully remove protection from a PDF with just the viewer password).

The other thing you mentioned was using a shorter easier password to access the browser (not just use the saved passwords).  I take this to mean that you want the browser to be inoperable if the password is not provided.  If you are trying to prevent access to all browser data, wouldn't having separate user accounts on your computer be sufficient to accomplish this?  If you are trying to prevent the usage of a web browser in its entirety, are you aware that Firefox allows you to create multiple profiles with independent browser data (you can enable this feature by running `firefox -ProfileManager` and deselecting "Use the selected profile without asking at startup" to make the profile manager always appear when starting Firefox without a profile open)?