password "protection"

User Help for Seamonkey and Mozilla Suite
lvm
Posts: 131
Joined: June 27th, 2005, 6:17 am

password "protection"

Post by lvm »

I was using 2.49.4 configured to store site passwords and with the master password set, so that SeaMonkey prompted for the master password once on startup and each time I tried to view passwords. I was assuming that my passwords are encrypted and cannot be accessed without the master password. I have now migrated to 2.53 (wg9s build) and SeaMonkey stopped asking for the master password. When I go to the corresponding preferences tab I can see that the master password is not set, but all my passwords are still accessible - I can use them and I can view them. So it means that 2.49 master password protection was a complete fraud?
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: password "protection"

Post by frg »

I updated 2.53 to the latest NSS some time ago. It now uses cert9 and key4 db. Not sure if the migration routines remove the master password. This would be an issue for the 2.57 release notes then. Please try setting a new master password and see if you are prompted during startup or first use. If not, let me know. Back up your profile just in case something goes wrong. I didn't test this much.

The code to prompt for the password each time it is needed or after a certain time has been removed for ESR60. I aligned 2.53 with it and backported the relevant patches.

In any case I store passwords only for sites I don't much care about. The encryption is weak.
lvm
Posts: 131
Joined: June 27th, 2005, 6:17 am

Re: password "protection"

Post by lvm »

It is not the question of password migration, I am unhappy because 2.53 effectively cracked open password protection of 2.49 without requesting the password. Which means that master password protection of earlier versions was phony.

As for setting master password in 2.53, it works - that is it starts prompting for master password again, cannot tell how secure it actually becomes, and after it is enabled 2.49 does indeed lose access to site passwords.
frg
Posts: 1361
Joined: December 15th, 2015, 1:20 pm

Re: password "protection"

Post by frg »

> It is not the question of password migration, I am unhappy because 2.53 effectively cracked open password protection of 2.49 without requesting the password.

That I much doubt. It can not decrypt without the password. It might be a migration issue. If you have some time please build a 2.49.4 test profile with a master password and then upgrade to the current 2.53.

> As for setting master password in 2.53, it works - that is it starts prompting for master password again, cannot tell how secure it actually becomes, and after it is enabled 2.49 does indeed lose access to site passwords.

Going back from any higher version to a lower one was never supported. It might work, it might not, but in the case of 2.53 to 2.49 it will fail for various reasons (not only the new bookmarks db and NSS schemes). Usually only indexed db storage becomes inaccessible, which you might not even notice unless you look in the error console.
LordOfTheBored
Posts: 307
Joined: December 7th, 2005, 8:36 pm

Re: password "protection"

Post by LordOfTheBored »

lvm wrote:
> It is not the question of password migration, I am unhappy because 2.53 effectively cracked open password protection of 2.49 without requesting the password. Which means that master password protection of earlier versions was phony.

I wouldn't call it phony. It would just be protecting against a different threat than you thought it was ("preventing someone from using your browser to screw with things" as opposed to "preventing someone from copying the password file to screw with things later"). Historically, the former would've been the bigger concern, but in the modern era the latter is.
Though both approaches in the modern era require the miscreant to attain access to the OS account. That hasn't always been true.


I can't say if the passwords are encrypted because I have actively disabled password memorization for as long as it's been around. It always sounded like a bad idea to me.
lvm
Posts: 131
Joined: June 27th, 2005, 6:17 am

Re: password "protection"

Post by lvm »

frg wrote:
> > It is not the question of password migration, I am unhappy because 2.53 effectively cracked open password protection of 2.49 without requesting the password.
>
> That I much doubt. It can not decrypt without the password. It might be a migration issue. If you have some time please build a 2.49.4 test profile with a master password and then upgrade to the current 2.53.

I backed up password-protected 2.49 profile before the first use of 2.53, when I start 2.53 with this profile it does not prompt for master password and yet has access to site passwords. How does it do it? Will testing with a clean profile add any value?

Also I don't upgrade in a sense that I never run installers but unpack from zips, and have 2.49 and 2.53 (and a couple of other versions) installed side by side in separate folders, but I know that seamonkey does run some version upgrade jobs when it detects that an older version was used.