I hope, one day, there will be an article about using secure password / password managers whilst using Android browsers.
Q: How save are the built in password managers, when using a master password?

My experience is that rd party desktop password managers, that are working fine on desktop pc’s and usually have good add-ons for Windows Internet browsers in place, well, they very much fail when using wellknown browsers on a tablet.

Personally I use Chrome (Windows) and Chrome on Android its built in password manager for non-financial sites (like forums).
I never use my tablet-browser for banking purposes though..

I use Roboform to log into banking sites (or some other, strictly personal, sites).

hello,

I’m running Bitwarden with the latest stable Chrome, no issue so far.

Nope… and actually, I just used 12345 as the password since I was just testing whether or not it was stored in plain text or was machine reversible if you didn’t have the master password (I wasn’t testing for password strength or attacks on the password, I was testing for attacks on the data at rest).

Not only is the url not encrypted, but neither is metadata such as when the site was last accessed and others. Sure… probably not a huge deal; but the more a potential attacker knows about you and your habits, the easier their job becomes. In terms of the data that *is* encrypted, it looks like AES128; but I’m not 100% sure on that… I didn’t actually try to figure that out. Like you, I figured it would have to be a decent algorithm.

Please trial

Ah OK. I thought you may have tried brute force. Yes I opened the password file with DB sqlite reader and the login URL was not encrypted and wondered why not. Will have to presume Mozilla did their due diligence and is using something strong for encryption. Otherwise they would be the laughing stock.

I booted up a testing VM from a pre-configured snapshot (fresh Windows 10 install with browsers, notepad++ and a few other misc applications installed), updated FireFox to the latest version, set a master password, then submitted fake credentials to a random login page and saved the credentials. Once that was done, I attempted to use a password extractor from nirsoft which failed. I then inspected the db3 and db4 sqlite files and the json file that contains the passwords. I did confirm that the username and password was encrypted, but the (substantial) metadata stored in the password manager regarding each login was not.

Looking into KeePass now.
So what did you use for your test?

Ok… so I just ran a test on the latest version of FireFox. Assuming you use a (strong) master password, the passwords themselves are fairly safe. The problem is that there is still information disclosed in plain text that would not be in a fully encrypted password manager such as KeePass, LastPass, dashlane, etc.

You would honestly be better off using KeePass (which is free) with the browser extension – it would perform the same ease of access as the built in manager, and wouldn’t have the information disclosure issue.

Honestly, it’s been awhile since I’ve needed to get into a password protected Firefox password manager (the large majority of people don’t set the master password). The last time that I did, I found that there was no encryption what-so-ever even with a master password. I believe I read somewhere that it may have been added in recent years. I’ll spin up my sandbox VM tomorrow and experiment with it and let you know what I find. :)

Let’s look at Mozilla. I don’t use Chrome. I realise that if you do not use a master password on Firefox then then it is as you say. It’s useless. Now throw in a password. One like the above K3s+zL4xq&KW*H, or just a long enough phrase like !le?pickle^elephant*chien++

They are words in 2 languages. But you will never see that phrase in real life.

The question me and the other poster are really asking is how strong is the Firefox encryption of the passwords file provided you use a good password and not 12345 because what you described in your first post is you are able to break bad practices by looking at the low hanging fruit. I’m certain you can.

Brute force could be used but in how much time and I’m not talking about a Nation State Agency breaking the top terrorist’s computer.

I’m talking about a normal Jane Doe on the street who was compromised. Will that malware writer spend ages breaking that password file or move on to something easier which has a better chance of success like a burglar not wasting time breaking into a wired house and move the the neighbour who is not wired.

The built-in password manager (by default) on browsers is either not encrypted (meaning the passwords are stored as plain text somewhere), or at best it uses machine reversible encryption (which means that it doesn’t take much for someone with a decompiler to reverse the encryption). This means that I don’t need to know a password to get in, I just use a standard tool to extract the passwords from the local database. Yes, depending on the browser, there may be ways to change that; but if you are going to store passwords on your computer, it would generally be considered preferable to use an application that is specifically designed for that (and therefore better prepared to handle the security implications).