You make a good point that requiring users to abandon a master password in order to use the sync service is counter to good security practices.
I would encourage Mozilla to not only allow master passwords with sync but also require master passwords in the first place. An unsecured password repository is a gold mine of data for malware and those who sell and buy that information. (This is especially true if it contains email accounts and passwords.)

Is there an existing plan to change this behavior? Is additional security policy work needed in order to make this happen?

Original Message
From: [email protected]
Sent: Sunday, May 18, 2014 6:44 PM
To: [email protected]
Subject: Password Sync Policy In New system

There is a policy in new sync where password sync is disabled when a master password is set.

I think this policy should be changed, as many new Trojans specifically target browser-based stored passwords. When a master password is set, passwords cannot be accessed. Private key (master password) lying with the user is a better way out.

In my view of a solution, when sync is needed, a prompt can ask for the master password in order to sync passwords, as most probably in the old sync operation, and the user always has control over what to sync or not.

_______________________________________________
dev-security-policy mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security-policy

