There are a bunch of open questions about how we should do this. Listing them here as a starting point. How easy/hard should it be for a user to view the passwords saved in the password manager? What should they be encrypted with locally? (Firefox Accounts password if it exists. If not, use Master Password. If no Master Password, do we use the password used to login to the user account on the operating system?) Are the passwords recoverable if the user forgets their password? Are the passwords accessible to someone who steals the user's computer? Are the password accessible to someone who has access to the computer? Is the situation the same for desktop and mobile? If someone copies the user's Firefox profile, will they be able to retrieve all the user's passwords? What encryption algorithm is used today (with the master password)? Is it strong enough, or should we replace it with something else?

(In reply to Tanvi Vyas [:tanvi] from comment #0) > What encryption algorithm is used today (with the master password)? Is it > strong enough, or should we replace it with something else? AFAIK it's plain Triple-DES right now, no salt or anything, so way too weak. There are bugs around on that with a lot of discussion. From what I heard from experts, right now, if you get the passwords file in encrypted format with a master password, it's a matter of seconds to minutes until you have broken and decrypted it. > What should they be encrypted with locally? (Firefox Accounts password if > it exists. If not, use Master Password. If no Master Password, do we use > the password used to login to the user account on the operating system?) Preferably, I think it should be something that doesn't need prompting on every usage, i.e. just like the current default. If it's your computer and nobody else has access, it's tedious to re-enter a password all the time. The option should be there to request on every access, for computers that other people might have access to. I know of people who only set a Master Password right now because then you need to enter it before displaying the passwords in password manager (so someone else can't just get them displayed in plain text by solely clicking around in default Firefox UI). That usecase should be carried over in the future - but with more security at lower levels as well while preserving convenient and easy use where other people do not have access.

This may be a dupe of bug 973759, or at least I assume the reason that bug depends on rather than dupes to bug 524403 is to address some of these larger-than-just-the-encryption issues.

Yeah, there are different use cases here: presumably everyone wants perfectly impenetrable storage with no tradeoffs (heh), then beyond that there are people who would accept a less smooth experience for "moar security", and then there are folks who basically want a PIN to *prevent* seamless access to passwords. Using a Firefox Account password directly seems like a collection of thorny challenges: what if you change or reset your password on another device? If we use kA, what happens if you don't have network access or the account server is down? How would we solve the chicken-and-egg problem of securely storing your FxA credentials themselves? What about those users who explicitly want to use a MP to reduce the chance of third-party attacks? (kA is recoverable from the server.)