
Surprise! Firefox and Chrome display passwords in plain text


Did you know that Mozilla Firefox and Google Chrome like to display your passwords in plain text? No? Well, they sure do.

If you want to see what I’m talking about, follow the steps below.

Open Firefox.

Click on the Firefox Menu at the top left corner.

[Screenshot: Firefox menu]

Select Options, then click on Options.

[Screenshot: Firefox Options]

Click on the Security tab at the top.

[Screenshot: Firefox Security tab]

Click the Saved Passwords… button. This opens the Saved Passwords box. Now click the Show Passwords button.

Example below:

[Screenshot: Firefox Show Passwords]

Surprise!

Did your jaw just hit the floor? I know mine did the first time I saw what Firefox was hiding from me all this time.

Is Google any better?

Now let’s open up Google Chrome and click Settings.

[Screenshot: Chrome Settings]

Once you get into your settings, scroll all the way to the bottom and click on Show advanced settings…

[Screenshot: Chrome Show advanced settings]

Look for the section Passwords and forms and click the Manage saved passwords link.

Select the site where you saved your password and click the Show button.

[Screenshot: Chrome Show password]

Okay, I’m done with the surprises.

So how did Firefox and Google Chrome get my passwords in the first place?

To get the answer you must also answer this question: Have you ever seen the following notification in your web browser?

Mozilla Firefox:

[Screenshot: Firefox password notification]

Google Chrome:

[Screenshot: Chrome password notification]

Whenever you click the shiny “Remember Password” button in Firefox or “Save Password” in Chrome, the site's username and password are saved within the web browser and, as you just saw, can be displayed in plain text.

So what’s the big deal?

Anyone can walk up to your computer and take a quick look at your web browser’s history/settings. Just imagine you’re at the office, you step away from your computer, and a nosy/curious coworker gets the chance to take a look. That is why it’s important to always lock down your computer before you step away from your desk.

Additionally, say you’re unlucky enough to have some malicious software installed on your computer that allows a hacker to gain remote control of your desktop. The hacker only has to wait until you are away from your computer to check your saved passwords.

What if you sent your computer out to a repair shop and they “just happened to” take a look at your saved passwords? It only takes a few seconds for them to snoop around on your computer and do who-knows-what with your credentials. There are a lot of different ways these passwords can be intercepted. This just happens to be one method of interception that can be avoided.

So what’s the work-around and how do I keep my passwords safe? Fortunately there are plenty of third party plug-ins people use with their web browsers. Perhaps you can recommend what plug-in works best for you in the comment section below.

I found a plugin called LastPass. With 254,540 users and 827 reviews for the Firefox plugin alone, it seems to be a great alternative. The best thing about this plugin is that it also works with the Google Chrome web browser.
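To see how much is at stake before moving to a master password or a password manager, the script below (an added example, not part of the original post) lists which sites have logins saved in a Firefox profile and how old each saved password is, without decrypting anything. It assumes a current Firefox profile, where saved logins are kept in a logins.json file; the function names, the 365-day threshold and the sample data are made up for illustration.

```python
import json
import tempfile
from datetime import datetime, timezone
from pathlib import Path

# Constructed sample shaped like Firefox's logins.json (all values made up).
# Times are milliseconds since the Unix epoch.
SAMPLE = {"nextId": 4, "logins": [
    {"hostname": "https://mail.example.com", "encryptedUsername": "<opaque>",
     "encryptedPassword": "<opaque>", "timePasswordChanged": 1356998400000},
    {"hostname": "https://mail.example.com", "encryptedUsername": "<opaque>",
     "encryptedPassword": "<opaque>", "timePasswordChanged": 1388534400000},
    {"hostname": "https://shop.example.org", "encryptedUsername": "<opaque>",
     "encryptedPassword": "<opaque>", "timePasswordChanged": 1417392000000},
]}


def audit_saved_logins(logins_path, now, max_age_days=365):
    """Summarise saved logins per site; reads metadata only, decrypts nothing.

    Returns (hostname, saved_count, oldest_age_days, stale) tuples, oldest first.
    """
    data = json.loads(Path(logins_path).read_text(encoding="utf-8"))
    per_host = {}
    for entry in data.get("logins", []):
        host = entry.get("hostname") or "<unknown>"
        # A missing timestamp falls back to the epoch, so the entry is flagged stale.
        changed_ms = entry.get("timePasswordChanged") or entry.get("timeCreated") or 0
        changed = datetime.fromtimestamp(changed_ms / 1000, tz=timezone.utc)
        age_days = (now - changed).days
        count, oldest = per_host.get(host, (0, 0))
        per_host[host] = (count + 1, max(oldest, age_days))
    rows = [(h, c, age, age > max_age_days) for h, (c, age) in per_host.items()]
    return sorted(rows, key=lambda row: row[2], reverse=True)


def demo():
    """Run the audit over the constructed sample with a fixed 'now'."""
    with tempfile.TemporaryDirectory() as tmp:
        path = Path(tmp) / "logins.json"
        path.write_text(json.dumps(SAMPLE), encoding="utf-8")
        return audit_saved_logins(path, datetime(2015, 1, 1, tzinfo=timezone.utc))


if __name__ == "__main__":
    for host, count, age, stale in demo():
        flag = "change it" if stale else "ok"
        print(f"{host}: {count} saved, oldest {age} days ({flag})")
```

To run it on your own profile, call audit_saved_logins with the path to logins.json inside your Firefox profile folder and datetime.now(timezone.utc).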


7 Responses
  • Rent A Shortcut

    Well if I leave my garage door open then anyone can have access to my golf clubs too. I simply close the door. Do the same for Firefox with a master password.

    When I try to view my passwords in Firefox I get “Please enter the master password for the Software Security Device.” That is because I enabled the master password. It's right there on the Security tab – which you didn't include a screen shot of. If you did then everyone would see “Use a master password” with a checkbox and immediately above the “Saved Passwords” button (again on the Security tab) there is a button named “Change Master Password”.

    That is all anyone needs to do. No third-party plugins. The entire word “third party plugin” scares me. When you install these plugins you have to click through a warning that states that the developer COULD have access to your browsing history and other sensitive items. No thanks.

    The master password in Firefox is built into the executable. Mozilla has too much to lose by sniffing passwords so I trust them. As far as Chrome goes? I don't save passwords on Chrome. But Chrome does also have a user / password feature that can lock out people who shouldn't be sniffing around. 🙂

    • Moises

      Ahh Very cool information! Thanks for the heads up! I honestly did not know that you can lock down your passwords within Firefox using the Master Password option.

      Ok then folks… Set up a Master Password within Firefox and you should be good to go. I just set it up and it does protect your password list.

      Good Comment my friend. 🙂

  • Jen

    Great info!

  • Dave

    All someone has to do is: Export %AppData%\Mozilla to flash drive, import on other PC.

    Adding a master password can only prevent viewing it, not using it if profile is imported.

    Some think a password protected lock screen = better security, but bootable Ubuntu flash easily defeats it.

    Methods that truly help to protect your passwords:
    —————————————————————————–
    1) Never leave your PC around anyone you do not trust 100%
    2) Don’t just password protect your account, use the option to encrypt all files, too.
    3) Use portable Firefox, so the profile is on flash drive & leaves when you unplug.

    • James

      Actually… You can import the profile with the other user's master password all you want but you would still need to know the master password to actually use any of the passwords (the first auto-fill-in password dialog box will ask for the master password). The sqlite DB should encrypt all that stuff so it’s pretty safe afaik.

  • Rajeev

    You can inspect element and see the password even if you are using master password. At least Chrome asks you to enter the password to view password.

    Master password is also an annoying feature btw, every time I log in to a site whose password is stored in Firefox – it asks me to enter master password every time.
