Robert Kaiser wrote:
> John wrote:
>> I think there ought to be a way to get rid of the Master Password
>> without losing all the stored passwords.
>
> From what I was told, there is, and all it requires is to set a new
> master password which happens to be empty. That equals deleting the
> master password without "resetting" it - the difference being that you
> need to know the old master password to set it to empty (but all
> passwords should be kept) but you don't need to know the old password
> for resetting (and all your passwords will be deleted).
>
> I've never tried it myself (never use a master password), but I seem to
> recall people telling that.
>
> Robert Kaiser

Wow that, and your other comment in this thread:

> Rufus wrote:
>> > Hartmut Figge wrote:
>>> >> Rufus:
>>> >> But you need the old master password to accomplish that. ;)
>> >
>> > Which can also be easily hacked
> If it can easily be hacked anyway, there's no reason in having one in
> the first place :P
>
> Robert Kaiser

is a pretty broadbrush stroke dis'ing SeaMonkey/Mozilla/Thunderbird/Firefox master password security. I wonder if Neil would agree that NSS PKCS and/or FIPS can "easily be hacked anyway"...

However, let's assume that it can, but point out that using a Master Password is at least a 'reasonable' thing to do.

Example: user doesn't use a Master Password and gets his/her laptop stolen. The thief may not even bother to boot the machine, but let's say that it does in order to snoop around and find sensitive data on the laptop. Fires up SeaMonkey, clicks on Tools|Password Manager & from there (without a Master Password) can easily see all passwords that the user has stored in SeaMonkey/Thunderbird/Firefox.

However, if a Master Password *is* used, the thief then needs to use some cracking utility to try and break the NSS PKCS or FIPS encryption[1]. Of course the thief may be able to read/send emails from the user's email account, but certainly the thief will have a harder time trying to guess the passwords etc.

So, yes (IMO) the Master Password does indeed have a value, and should be set on *any* Mozilla application that offers the option.

[1]
<http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html>
<http://csrc.nist.gov/publications/fips/fips1401.htm>
<http://en.wikipedia.org/wiki/PKCS>
<http://www.mozilla.org/projects/security/pki/nss/>
<https://developer.mozilla.org/en/NSS>

