Let’s force Mozilla to change how passwords are shown in Firefox

June 5th, 2014

Mid-summer last year Elliot Kember discovered that Chrome saves passwords in plain text on your computer and, with a few clicks, anyone sitting at your desk can see them.

This made some waves in the community and, as you can see from the bottom of Kember’s post, had the likes of Chrome’s Head of Security, many press outlets, and even Sir Tim Berners-Lee involved.

At first, the Chrome team scalded Kember calling him a novice. Then, not long after, they changed their policies and instituted a similar policy to Safari. (Whether it is more secure or not is still being debated but from an average user’s perspective it feels much safer.)

Firefox still has the same issue.

It turns out, Mozilla still hasn’t changed their policy and you can get to someone’s passwords for every single site they’ve logged into with just a few clicks. That includes Twitter, Pinterest, and, yes your email and bank accounts. Try it yourself: Open Firefox, open Preferences, click on Security, click on Show Passwords. Firefox will politely ask you “Are you sure?” and then boom, full plain text passwords.

Firefox, show passwords button

Firefox does have a “master password” that you can set within that same Security tab (I suggest you set one while you’re in there) to make it a bit tougher for people to get to. But that’s just another password to remember. Why not simply use the system password?

The debate is that if someone has gotten onto your computer than I suppose all efforts to make it secure can be thrown out of the window. However, there is a scenario in which that simply isn’t true. Say I’m at work with dozens of employees around me and I go to the bathroom. I forget to put my computer to sleep or to lock and someone rolls over to my cubicle and with four taps has my email password.

So why can’t we ask, collectively, that Mozilla change its policies to match the other browsers on the Mac? If someone has a system password on their Mac it should ask them for that password before it will show any passwords in plain text. If they use the master password feature they can use that password instead, perhaps. But at least have something.

So, who knows someone at Mozilla?