Password Settings

This section describes how to set your password preferences, set your Master Password, and control other aspects of password handling.

For step-by-step descriptions of various tasks related to passwords, see Using the Password Manager.

Privacy & Security Preferences - Passwords

This section describes the Passwords preferences panel. If you're not already viewing it, follow these steps:

1. Open the &brandShortName; Edit menu and choose Preferences.
2. Under the Privacy & Security category, click Passwords. (If no subcategories are visible, double-click Privacy & Security to expand the list.)

Password Manager

Password Manager preferences allow you to

• Remember passwords: Select this checkbox to turn Password Manager on, so that it asks to store your user names and passwords at appropriate times and enters them for you automatically when they're requested. To turn off Password Manager, deselect the same checkbox.
• Manage Stored Passwords: Click this button to manage information about your stored passwords and the sites whose user names and passwords you don't want to be stored.

For detailed information about using Password Manager, including how to override it for individual sites and how to view and manage stored passwords, see Using the Password Manager.

Encrypting Versus Obscuring

If you use Password Manager or Form Manager to save passwords and personal data, this sensitive information is stored on your computer in a file that's difficult, but not impossible, for an intruder to read. This way of storing information is sometimes described as obscuring. This is the default setting that applies to information stored by Password Manager or Form Manager.

For improved protection, you may choose to protect the file with encryption. Encryption makes it more difficult (but again, not impossible) for an unauthorized person to view your stored sensitive information.

• Use encryption when storing sensitive data: Select this checkbox to turn on encryption, or deselect it to turn off encryption.

If you have not previously set a master password, you will be asked to create one. To do so, follow the instructions as they appear on your screen.

Using encryption versus obscuring for stored sensitive data is a tradeoff between improved security and convenience:

• If you use encryption, you will need to enter a master password periodically, which can be inconvenient. (For information about controlling how often it is requested, see the discussion of the Master Password timeout at Privacy & Security Preferences - Master Passwords.)
• If you use obscuring, you may not have to set a master password at all (unless you're using certificates for identification purposes), but it may be easier for a stranger who has access to your computer to steal your passwords.

For more details, see Encrypting Stored Sensitive Information.

Password Manager

This section describes how to use Password Manager dialog box to control your stored passwords. If you are not already viewing it, follow these steps:

1. Open the &brandShortName; Edit menu and choose Preferences.
2. Under the Privacy & Security category, click Passwords. (If no subcategories are visible, double-click Privacy & Security to expand the list.)
3. Click Manage Stored Passwords.

Alternatively, open the Tools menu, choose Password manager, and then choose Manage Stored Passwords from the submenu.

The Password Manager has two tabs:

1. Passwords Saved: Click this tab to view the list of sites for which Password Manager has saved your user name and password—that is, the sites for which you selected Yes in response to Password Manager's request to store logon information.

   The second column shows the user name for each site. If the password is stored in encrypted form, (encrypted) appears after the user name.

   By default, stored passwords are not displayed.

   • To see the list of stored passwords, click Show Passwords and confirm your choice.
   • To hide the passwords, click Hide Passwords.

   If you remove an entry from the list, the stored user name and password will be discarded, and you will need to log in manually the next time you visit that site.

2. Passwords Never Saved: Click this tab to view the list of sites for which you selected Never for this site in response to Password Manager's request to store logon information.

   If a site is included on this list, you will always have to type in your user name and password manually when you log onto the site.

   If you remove an entry from this list, Password Manager will again ask you, the next time you log onto the site, whether to store your user name and password.

Regardless of which tab you are viewing, you can remove entries from the list as follows:

• Remove: Select one or more entries that you want to remove, then click Remove.
• Remove All: Click this button to remove all the entries listed in the tab you are viewing.

For more information about the Password Manager, see Using the Password Manager.

Privacy & Security Preferences - Master Passwords

This section describes the Master Passwords preferences panel. If you are not already viewing it, follow these steps:

1. Open the &brandShortName; Edit menu and choose Preferences.
2. Under the Privacy & Security category, click Master Passwords. (If no subcategories are visible, double-click Privacy & Security to expand the list.)

A master password protects a security device, which is a software or hardware device that stores sensitive information associated with your identity, such as keys or certificates.

For example, the browser has a built-in Software Security Device, and you can also use external security devices, such as smart cards, if your computer is configured to use them.

The master password for the browser's built-in Software Security Device also protects stored sensitive information such as email passwords, website passwords, and other data stored by the Password Manager and Form Manager.

Each security device, whether it is software or hardware, has its own separate Master Password.

• Change Password: Click this button to set or change any of your master passwords. For information about using the Change Master Password dialog box that appears when you click this button, see Change Master Password.
• You can control how often the browser requests your master password:
  • The first time it is needed: This setting (selected by default) causes the browser to request your master password only the first time it needs access to the private key database after launching. The browser will not request the master password again until after you exit and relaunch it. This setting provides the lowest level of protection.
  • Every time it is needed: This setting ensures that the browser will never access your saved personal information without first requesting your master password. This setting provides the highest level of protection.
  • If it has not been used for [__] minutes or longer: This setting causes the browser to request your master password if it needs to access your personal information and the specified interval has elapsed since the last time it did so.
• Reset Master Password: Click this button to reset the master password for the Software Security Device. For more information, see Reset Master Password.

Change Master Password

You must remember your old master password to change it with the Change Password button.

This section describes the Change Master Password dialog box. If you're not already viewing it, follow these steps:

1. Open the &brandShortName; Edit menu and choose Preferences.
2. Under the Privacy & Security category, click Master Passwords. (If no subcategories are visible, double-click Privacy & Security to expand the list.)
3. Click Change Password.

A master password protects a security device, which is a software or hardware device that stores sensitive information associated with your identity, such as keys or certificates.

For example, the browser has a built-in Software Security Device, and you can also use external security devices, such as smart cards, if your computer is configured to use them.

The master password for the browser's built-in Software Security Device also protects your master key. Your master key is used to encrypt sensitive information such as email passwords, website passwords, and other data stored by the Password Manager and Form Manager.

You use the Change Master Password dialog box to provide the following information:

• Security Device: Each security device requires a separate master password. For example, if you are using one or more smart cards to store some of your certificates, you should set a separate master password for each one. If more than one security device is available, a drop-down list at the top of the Set Master Password dialog box allows you to choose the device whose password you want to change.
• Current password: If you are changing an existing master password, you must first type the current password. If you don't type the current password correctly, you will see the message You did not enter the current correct Master Password after you click OK. If this happens, you must retype your current password.
• New password: Type your new password into this field.
• New password (again): Type your new password again. If you don't type it the second time exactly as you did the first time, the OK button remains inactive. If this happens, try typing the new password again.

If someone uses your computer who knows or can guess your master password, that person may be able to access websites while pretending to be you. This can be dangerous—for example, if you manage your financial accounts over the Internet.

Therefore, it's important to select a master password that's difficult to guess. The password quality meter gives you a rough idea of the quality of your password as you type it based on factors such as length and the use of uppercase letters, lowercase letters, numbers, and symbols. It does not guarantee, however, that no one will be able to guess your password.

For further guidelines, see Choosing a Good Password.

It's also important to record your master password in a safe place—and not anywhere that's easily accessible to someone else. If you forget this password, you may not be able to access important information, such as websites that require passwords or certificates stored on your computer.

Master Password Timeout

After you first set a new master password, you will be asked to enter it only when the newly launched browser first needs it to access personal information, such as a user name and password, saved form data, or personal certificates.

You can control how often the browser requests your master password:

• The first time it is needed: This setting (selected by default) causes the browser to request your master password only the first time it needs access to the private key database after launching. The browser will not request the master password again until after you exit and relaunch it. This setting provides the lowest level of protection.
• Every time it is needed: This setting ensures that the browser will never access your saved personal information without first requesting your master password. This setting provides the highest level of protection.
• If it has not been used for [__] minutes or longer: This setting causes the browser to request your master password if it needs to access your personal information and the specified interval has elapsed since the last time it did so.

Reset Master Password

Warning: If you reset your master password, you will permanently erase all the encrypted web passwords, email passwords, and form data saved on your behalf by Password Manager and Form Manager. You will also lose all your personal certificates associated with the Software Security Device.

Note that encrypted passwords and form data will be lost only if you have turned on encryption for this stored information. For information about turning encryption on or off, see Turning Encryption On and Off.

To change your master password rather than resetting it, click the Change Password button in the Master Passwords preferences panel.

This section describes the Reset Master Password dialog box. If you're not already viewing it, follow these steps:

1. Open the &brandShortName; Edit menu and choose Preferences.
2. Under the Privacy & Security category, click Master Passwords. (If no subcategories are visible, double-click Privacy & Security to expand the list.)
3. Click Reset Password.

Warning: If you reset your master password, you will permanently erase all encrypted web passwords, email passwords, and form data saved on your behalf by Password Manager and Form Manager. You will also lose all your personal certificates associated with the software security device.

Encrypted passwords and form data will be lost only if you have turned on encryption for this stored information. For information about turning encryption on or off, see Turning Encryption On and Off.

If you remember your master password and decide to change it, you can do so without danger of losing any personal information. If you are viewing the Reset Master Password alert and you decide you want to change your password rather than resetting it, click Cancel to return to the Master Passwords preferences panel, then click Change Password. For details, see Change Master Password.

Resetting your master password is a last resort that you should use only if you are absolutely sure you've forgotten it. The seriousness of the situation depends on how much personal data your forgotten master password protects.

Resetting your master password does not create a new password. Instead, it removes all the data your old master password protects. You will be asked to specify a new master password the next time the browser needs to store personal information.

After you reset your master password, you may also want to re-save personal information that you want to have prefilled in the future. For example, as you browse you may want Password Manager to save website and email passwords again.

You will also need to enter data by hand until Form Manager accumulates enough data to fill in forms automatically. In addition, any personal certificates associated with the software security device will be permanently erased and you will need to apply for new ones.

Note for smart card users: Each smart card has its own master password. The master password for a smart card protects only the data on that smart card (such as personal certificates). You can normally change the master password for a smart card (assuming that you remember it), but you cannot reset it.

Choosing a Good Password

Choosing a good password will help in keeping your personal information safe and private. To improve the security of your password, follow some or all of these suggestions:

• Special and punctuation characters (*!$+) mixed with letters and numbers.
• Mixed upper and lower-case letters—putting capitals in random locations throughout a password is effective.
• Nonsense words that aren't found in dictionaries but are easy to pronounce.
• Eight or more characters.

You should avoid personal information that could be guessed. So the following common items should be avoided:

• Personal or family names, your initials or birthdays.
• Your social security number.
• Names of pets or famous places.
• Phone numbers or addresses.
• Words from any kind of dictionary.
• Your username, login name or computer's name.
• Repetition of the same letter or symbol.
• Sequences of keyboard keys, such as 12345 or qwerty.
• Any minor modification of the above, such as appending a character to the end of your name or spelling backwards.

A good way to choose a secure but easily remembered password is to use the first character of each word in a phrase. For instance, StNh*nbsS stands for Surfing the Net has never been so Suite; the asterisk in the middle is included for increased security. (Don't use this password!)

To further protect your personal data, you are advised to follow these simple rules:

• Never give the password out to anyone.
• If someone has learnt your password, change it immediately.
• Every few months, change your password.
• Choose a password you can remember so you don't have to write it down.
• Avoid letting people observe you typing your password.

Copyright © 2003-2010 The Mozilla Foundation.