This repository has been archived by the owner on Feb 20, 2023. It is now read-only.

Feature Request: Bring Back Master/Primary Password For Firefox Android #14501

Closed
buzeak opened this issue Aug 30, 2020 · 23 comments

Comments


buzeak commented Aug 30, 2020

Hello there,

I have always been a big fan of Mozilla, Firefox for Windows is my primary web browser, I love keeping my passwords in my Firefox Account, where they are kept safe, synced, and always accessible to me in an emergency.

And I love the new Firefox for Android (79.0.5), but I am very concerned about the security of my passwords on my Android mobile phone.

Currently, in the event of phone theft, both Firefox and Lockwise for Android rely completely on the Android authentication system to keep my passwords safe.

This would be OK, but the Android authentication system is surprisingly weak, it can easily be disabled and reset, even on the latest Android device, here are two of the many online tutorials that outline some of the most common methods of how to do this:

https://hackonology.com/blogs/top-8-method-to-hack-bypass-android-screen-lock-2020/

https://joyofandroid.com/how-to-unlock-android-phone/

You can read about and download iMyFone LockWiper for Android here: https://android.imyfone.com/remove-phone-lock/

And you can read about and download Dr.Fone Screen Unlock for Android here: https://drfone.wondershare.com/android-lock-screen-removal.html

The previous Firefox for Android had a master password option, which did what is currently necessary, it asked me to enter my password each and every time I wanted to fill a password input, and it was also required to view/edit/add/delete accounts.

It was the only password I needed to remember, and it kept all my passwords safely encrypted on my phone, just the weak encryption needed upgrading, please see: https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/

Firefox and Lockwise for Android are currently not safe to store your passwords in, this needs fixing, users are currently being given a false sense of security, they need to be warned and deserve better.

I was not expecting a security downgrade, but I can't complain, I do not contribute much towards Mozilla projects, I love what you guys do!

Please feel free to send me a message if you have any questions or problems.

Many thanks, Charles


github-actions bot added the "needs:triage" label Aug 30, 2020

zpcol commented Aug 30, 2020

Don't save any passwords in the cloud :)
You can try KeePassDX with OTP, a fully offline process :)

ekager changed the title from "My Passwords Are No Longer Safe! Please Bring Back Master/Primary Password For Firefox Android" to "Feature Request: Bring Back Master/Primary Password For Firefox Android" Aug 30, 2020
ekager added the "feature request 🌟" and "Feature:Privacy&Security" labels and removed the "needs:triage" label Aug 30, 2020
Author

buzeak commented Aug 30, 2020

Thank you for suggesting KeePassDX, I have now installed it on my phone :)

I'm very happy with the security of my passwords stored in my Firefox account, I have looked closely into this, and I can't find any way that they could be accessed without my Firefox account password.

Being a web developer who has researched many aspects of online security, I know that cloud storage can be extremely safe, and can be a lifesaver if your device is lost, stolen, forgotten or dead.

The technology just needs a little more development and trust, which is what Mozilla does best.

Contributor

s-ankur commented Aug 31, 2020

See also #14428

Author

buzeak commented Aug 31, 2020

Thank you for the link, and yes the problem outlined in that issue is also true.

I agree that authentication should be required on each saved login access, or at least the first access after each device unlock, it would be nice to have the option for both of these, and maybe also a timer option ranging from 1 minute to 24 hours.

But a master/primary password is also required to keep my passwords safe on my device, it is the job of the master/primary password to encrypt and decrypt saved logins, keeping them safe not only from device theft, but also from the hundreds of apps on my phone that have Android device storage access permission granted (most apps).

Contributor

liuche commented Aug 31, 2020

Your FxA information is already encrypted on-disk via sync - they are not stored in plaintext anyway.

The files that are storing your Fenix logins are also scoped only to Fenix by the Android OS, so unless you have a rooted phone and give other apps extra permissions, they can't access those files normally.

If someone gets physical access to your phone, yes, they could pull the password files from your physical phone but master password won't protect that.

We've decided that on Fenix, master password does not provide any additional meaningful security, and won't be adding support for it.

liuche closed this as completed Aug 31, 2020
Contributor

yoasif commented Aug 31, 2020

@liuche didn't master password encrypt passwords on disk? Why would that not protect if someone gains physical access to your device? I think your comment is retroactively scary if that were not the case.

Contributor

liuche commented Aug 31, 2020

It did, but it is like double-encrypting something that is already encrypted by the sync key which is generally longer, more random, and therefore more secure.

Author

buzeak commented Aug 31, 2020

@liuche
It is good to know that Fenix logins are scoped only to Fenix by the Android OS, I am relatively new to Android, so did not know this.

But a master password is necessary to keep your logins safe from other users and device theft, this is exactly what it was designed to do, and currently does on desktop Firefox.

Please see how it currently works on desktop Firefox here: https://support.mozilla.org/en-US/kb/using-primary-password-sync

And what it was designed to do on Android here: http://mzl.la/1xKsQrV

Author

buzeak commented Aug 31, 2020

@liuche Please consider reopening this feature request.

Contributor

yoasif commented Aug 31, 2020

> It did, but it is like double-encrypting something that is already encrypted by the sync key which is generally longer, more random, and therefore more secure.

@liuche understood, but does this only apply to sync users? If a user is not using sync, are the passwords stored in plaintext on disk? I am a sync user, but others may not be.

Author

buzeak commented Aug 31, 2020

@yoasif although you make a good point, unless you are worried about software with root permission, I do not think it makes any difference if it is stored encrypted or in plaintext on the device, because of what @liuche said:

> The files that are storing your Fenix logins are also scoped only to Fenix by the Android OS, so unless you have a rooted phone and give other apps extra permissions, they can't access those files normally.

But the fact remains that a master/primary password is needed to keep your passwords safe from device theft and other users.

Until an equivalent to desktop Firefox's primary password is introduced, Firefox for Android can not be considered a safe place to store your logins.

Author

buzeak commented Aug 31, 2020

> It did, but it is like double-encrypting something that is already encrypted by the sync key which is generally longer, more random, and therefore more secure.

@liuche my logins can be accessed through Fenix without entering a password, even after disconnecting sync and restarting my device.

So even if my saved passwords are strongly encrypted as you suggest, the decryption key must be stored on my phone, hanging in front of the safe, as it were.

This does not replace what the master password of the previous Fenix did, it was required to decrypt saved passwords, and was kept in my head, not in my device.

> We've decided that on Fenix, master password does not provide any additional meaningful security, and won't be adding support for it.

Please reconsider, as a master password does provide a lot of additional meaningful security, especially if implemented like Firefox for PC.

If you do not agree, please tell me why.


zpcol commented Sep 1, 2020

hack your password :)

https://github.com/lclevy/firepwd

Contributor

liuche commented Sep 1, 2020

So is the use case here that you use a master password for your passwords, but you do not have a lock on your phone?

See #5938 for more details on how we store the sync key. We use the AndroidKeyStore (Android docs) for storage, which has OS-level protections. You can also read the additional Mozilla docs here about key storage on Android.

Author

buzeak commented Sep 1, 2020

@liuche Thank you very much for the links full of very useful information, it confirms what I already thought.

I have a 2014 Samsung Galaxy S5 phone with a pin lock set up.

If my phone gets lost or stolen, someone could easily disable my phone lock using iMyFone LockWiper for Android, see the "Unlock Samsung Screen Lock without Data Loss" section, which claims "most Samsung devices WITHOUT losing data".

Or Dr.Fone - Screen Unlock (Android), see the "Unlock Samsung/LG" section, then click on "all devices that can be unlocked without data loss", then see my very common SM-G900F.

Although I have not tried this myself, I have read about this from several sources, I believe that they can simply disable my phone lock, the same as disabling my lock in my settings myself, which I have tried, and Fenix opened straight up, revealing all my logins.

There are also many other ways to disable phone locks on many Android devices, please see the initial post.

And because lock screens slow you down a huge number of times per day, and do not encrypt your general phone data (unless you have phone encryption enabled, use internal storage, and power off your phone completely every time you use it), about half of people choose not to lock their Android phones at all, and the people who do, generally use the quickest, weakest possible pattern or pin, which can easily be viewed or videoed in a public place, the thief does not even need to see your screen, they just need to watch or video you for a bit, see what your finger does, from a distance, in a crowded place, before taking your phone.

I use my phone mainly as a notepad, unlocking it about 60 times per day, I do not want to enter my super strong, 10 character long, 16 tap or more, high security password, 60 times every day, often in a public place, usually just to open my notepad, calculator, or to check the forecast.

All this unlocking can leave a grease pattern and scratches on your screen or protector, revealing your pattern, or sometimes pin, especially if you work with sand, dirt, or concrete dust.

A master password could be more convenient, and protect from OS exploits, physical memory attacks, ADB attacks, and all lock screen vulnerabilities, including all device admin apps with permission to change the lock screen, such as Samsung's Find My Mobile, and Google's Find My Device.

Are you sure no one else can, or ever will be able to access these accounts? Are these accounts linked to a secure email address and phone number? Did you leave a linked/auto login device on or without an invulnerable lock? Should I turn them off? Why does find my device keep turning on automatically? Will other device admin apps ever be installed? Will I even know when they are?

The typical account has account recovery options, this is why they can afford to have less security, but a password vault needs more than this, once your passwords are accessed, there is nothing you can do, except resetting them, one by one, you may already be too late, someone has transferred your domain, accessed the back end of your website, transferred your bitcoin out!

Account security is fast moving towards auto login/linked accounts, so passwords will need entering less and less often, and when passwords become safely locked behind primary passwords, and phones become cheaper, and phones have pocket proof on switches, lock screens will be used far less often, this is when the lock screen should be moved to where it is necessary—just the apps requiring security.

Mozilla needs to introduce an independent authentication system, free from lock screen attacks and backdoor resets, one strong password to remember, to be entered only when necessary, able to keep all your passwords safely encrypted on your device at all times, primary passwords are the future!

Author

buzeak commented Sep 3, 2020

> hack your password :)
>
> https://github.com/lclevy/firepwd

@zpcol I think this only works if the attacker knows your master password, because it says: "If a master password has been set, provide it using the -p option."


PeterMacej commented Nov 16, 2020

With all respect to developers, I think they keep failing to explain why the master/primary password is no longer needed. I think they explained that the passwords are stored safely in an encrypted format. That's OK but that's probably not the main concern of most people.

There are several other discussions on this issue:
https://support.mozilla.org/en-US/questions/1298736
#15147

If the master password is really no longer needed (I would be glad if it was true), could the developers explain in simple words, how to solve a basic common situation. This situation was described also in this topic but I didn't see any answer:

  1. I have a very simple device unlocking mechanism. Many of my friends have none. We can argue why (people unlock their device many times a day, they're lazy, cannot use biometrics, they don't care, etc.), but it's a fact. So anyone can easily open my phone with little or no effort. I'm OK with this as the only really sensitive info are the logins stored in Firefox.

  2. Now, without a primary password they can start my FF and immediately use my credentials as they are automatically filled when a site is visited. For example, when they visit github.com, they can write this comment in my name.

My question is simple, how can I prevent this from happening?

The master password solved it elegantly. I had to enter it before the first saved login info was filled in a FF session. When I close FF, no one can use my passwords even when my phone is stolen and unlocked.

A primary password would solve it easily. It can be done as optional and used only as a UI protection in FF. It doesn't have to be used for encrypting the stored credentials if they are already encrypted by other means.

Author

buzeak commented Nov 16, 2020

@PeterMacej this is exactly the same situation that me, my mother, father, sister, and brother are in. The only really sensitive info on our phones are the logins stored in Firefox.

I know that a new phone with a fingerprint unlock would be reasonably safe and quick, but like most people, I like to be able to share my phone without fail, so having no phone lock is very important to me, to my family and friends.

One of my brothers borrowed my phone the other day, but he couldn't unlock it, and almost missed the delivery.

My sister wanted to quickly take a photo, but couldn't.

My dad wanted to use the calculator.

My mother wanted to check the spelling of something online.

Smartphones are becoming very cheap, and everything is becoming backed up or stored online, so phone security is becoming less and less important, so sharing with no phone lock is becoming more and more common.

A Firefox primary password with fingerprint option would be the ultimate set-up for speed and sharability.

It makes me excited just thinking about it (✷‿✷)


PranavBhattarai commented Dec 18, 2020

"Ignorance is bliss" tactic of some FF devs is absolutely amazing but bad for the end-user.

Edit: add "some" for clarity.


pbatard commented Jun 24, 2021

I think it really needs to be reiterated to the Firefox developers that the people who request the master password features are not concerned about whether the password database is kept encrypted even if master password is not in use.

As numerous people have voiced above, the concern is that the phone security itself (over which, it needs to be reminded, Firefox has no control and therefore, can not dismiss with a "it should be good enough") may be either lax, breakable or disabled for varied reasons, and that, whereas most of a phone's content will be for non-sensitive information, the passwords stored and synchronised with a Firefox are exceptionally sensitive information, that people are entitled to want to see protected with an extra layer (or, more exactly, a similar layer as the one they have with master password on Desktop).

Also, with the distinction between a mobile environment and a desktop environment getting blurred every day, one thing I'd really like an answer for, if Firefox developers are considering that an encrypted OS environment protected with a password is good enough, is why they aren't also removing the master password feature for Windows or Apple users that are using disk encryption (such as bitlocker for Windows).

Or, if you consider that desktop is not secure enough to warrant the removal of the master password feature, then you're going to have to explain why, if there exists any situation where a mobile environment may also not be secured enough (and, without going into exploits, you can again look at some of the examples provided above), you would still want to remove the master password feature altogether.

As I would expect Firefox developers to be acutely aware of, security should not be the realm of the "good enough". If there exist situations where the underlying security framework, that Firefox mobile is relying on, may not actually provide the kind of security that is expected (i.e. making it incredibly hard for an unauthorized user to defeat the password/PIN protection that grants access to the encrypted device and in doing so, finding themselves entitled to peruse all the now completely unprotected phone user's web credentials), then I believe it becomes Firefox's job to make sure users can have an extra security layer.

Otherwise, I'm afraid that you are simply doing a major disservice to Firefox mobile users...

@PranavBhattarai

@pbatard well said. 🧡

Firefox devs should reconsider this.
I hope they don't realize when it's too late.
The lockwise service can be compromised if someone doesn't do anything.

#20096 is another real life example of this. It can be only stopped by Master Password. Undermining the Master Password value is very depressing.

@devmet34

Primary/master password feature is a good one. It definitely gives extra security to users, actually it should be default on every mobile browser considering there is only 1 step protection on mobile devices which is a pin/password or even a simple pattern or even just swiping. Therefore, a second step security like primary password is a must. 2/3 step security are everywhere nowadays.

In addition to functionality, Chrome doesn't have this one yet so would be wise to have this feature.

@cyberbeat

Nowhere is it explained why physical access to the phone would be unsafe anyway? I would say, it depends how master password is implemented. For example, if there existed a setting, which would require the master password every time you require auto-fill (and the password database closed/unloaded from RAM after that), it should be much more secure than anything else - and you still need only to remember one single password, although it should be a secure one, see here:
https://irontechsecurity.com/how-long-does-it-take-a-hacker-to-brute-force-a-password/
