Other options have included the password bookmarklet.
But I suspect many Firefox users now use the "Do you want Firefox to remember this password?" feature. Here it is in use for logging into AA.com (notice the top bar):

But did you know that if you use this feature, then when you view the site options for a site (by right-clicking anywhere on the site and choosing "View Info" from the context menu), Firefox will show your saved usernames and passwords in the clear? This is shown below:

Bloggers such as Elliott at Carson Systems have pointed out that you can also get to the in-the-clear Firefox passwords through the Options/Preferences menu item. The solution, as has been pointed out, is to configure a master password in Firefox.
It is certainly a problem that users aren't even aware that the passwords are being stored in the clear locally by the browser, so that any passing person can view them with a couple of clicks of the mouse. Also, I doubt if users are aware of the implications of the different password management options which are represented on the American Airlines login screen above:
Option 1: Firefox "remember my password" will allow others to easily see your password, unless you set a master password. Few users will ever know to set this master password.
Option 2: Using AA's "remember my username" feature will store a pointer to the username on your machine using a cookie (i.e. the actual username is not present in the cookie; it's a pointer to a username stored at AA.com). No password is stored locally.
Option 3: "Email me my password". This sends a temporary password to the email address associated with your username, and you must then choose a new password.
Do users know the security differences between the three options above? I suspect not, since usability is the key factor in the choice.
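To make Option 2 concrete, here is a sketch of a "remember my username" cookie that holds only an opaque pointer, with the username kept server-side. This is an added example, not AA.com's code; the class, the cookie name `remember_user`, the 30-day lifetime and the sample username are all assumptions.

```python
import hashlib
import secrets
import time

REMEMBER_TTL = 30 * 24 * 3600  # assumed lifetime: 30 days


class RememberedUsernames:
    """Hypothetical server-side table mapping opaque cookie tokens to usernames."""

    def __init__(self):
        # key: SHA-256 of the token, value: (username, expiry timestamp).
        # Only the hash is stored, so a leaked table cannot be replayed as cookies.
        self._table = {}

    @staticmethod
    def _key(token):
        return hashlib.sha256(token.encode()).hexdigest()

    def issue(self, username, now=None):
        """Return the cookie value to set; it carries no username."""
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        self._table[self._key(token)] = (username, now + REMEMBER_TTL)
        return token

    def lookup(self, token, now=None):
        """Resolve a cookie value to a username, or None if unknown or expired."""
        now = time.time() if now is None else now
        entry = self._table.get(self._key(token))
        if entry is None:
            return None
        username, expires = entry
        if now >= expires:
            del self._table[self._key(token)]
            return None
        return username

    def forget(self, token):
        """Revoke the pointer, e.g. when the user unticks the box."""
        self._table.pop(self._key(token), None)


def set_cookie_header(token):
    # Secure/HttpOnly keep the pointer off plain HTTP and away from page scripts.
    return (f"remember_user={token}; Max-Age={REMEMBER_TTL}; "
            "Path=/; Secure; HttpOnly; SameSite=Lax")
```

The resolved username only pre-fills the login form; the password still has to be typed, so nothing on the local machine reveals either credential.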
When Firefox pops up that bar (in the top image above) with the "Remember" button, it should also show a "Manage Passwords" option.
[incidentally, AA.com is down now, which makes writing this post more difficult. They seem to be having some serious issues at the moment]