Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Mozilla Firefox Privacy Security IT Technology

Mozilla Rolls Out Recovery Key Option For Firefox Accounts (zdnet.com) 36

Mozilla announced today a new recovery option for Firefox Accounts, the user system included inside the Firefox browser. ZDNet: Starting today, users can generate a one-time recover key that will be associated with their account, and which they can use to regain access to Firefox data if they ever forget their passwords. Firefox Accounts is included with all recent versions of the Firefox browser.

Most users are familiar with it because of Firefox Sync, the system that synchronizes Firefox data such as passwords, browsing history, open tabs, bookmarks, installed add-ons, and general browser options between multiple Firefox instances. But while Sync does the actual synchronization, Firefox Accounts is at the core of Sync and is the system that manages the identities of Firefox users. Sync works by taking a user's Firefox account password and encrypting the user's browser data on the local computer.

This discussion has been archived. No new comments can be posted.

Mozilla Rolls Out Recovery Key Option For Firefox Accounts

Comments Filter:
  • they had this option 10 years ago where you got a hash that you used to verify that it's you.... along with your username+password.
    The only option they don't give you is to pull your data out of their system.
    They have introduced so many changes to that goddamn sync system that it is incompatible with every ff derivative.

  • by Anonymous Coward
    Do you use Firefox Sync? Just curious how popular it is. I don't (nor do I ever "log into" Chrome) but maybe that's just 'cuz I'm old.
    • Because you're too goddam lazy [statcounter.com] to click next door.

      Browser Market Share Worldwide - August 2018
      Chrome 59.67%
      Safari 14.51%
      UC Browser 6.28%
      Firefox 4.93%
      Opera 3.5%
      IE 3.03%

      • by Anonymous Coward

        I don't understand. What do browser share figures have to do with what features the users of each browser use? Are you saying that you choose your browser by sorting the list and taking the top one? If so, maybe I should ask: do you log into Chrome? My understanding is that that is a similar feature to Sync.

        Perhaps you think I was asking if Firefox is popular. I was actually asking about Firefox Sync feature that's part of Firefox. I don't use it and I'm wondering if other people do, and if so, what they t

        • I use it. I have it sync bookmarks, history, open tabs, and addons between my desktop, laptop, and phone. By using sync, I can use the "Send to Device" feature to push URLs directly to my phone. And send them from my phone to my PC. I can also look at what tabs I have opened on my desktop from my phone browser in case I want to continue something on my phone.

          • And BONUS!

            Your embarrassing and potentially job-losing shit shows up on your BYOD or work desktop and on the firewall logs.

            Management sent some people home for just that reason.

            • Haha, yeah, don't use Firefox or Chrome sync on work devices. I use an entirely separate laptop and phone for work and don't link up any personal accounts to them.

              • I'm with ya.

                Back when I was young and foolish, I used Chrome.

                I logged in to Gmail at work to get an attachment I had sent myself.

                Of course, I logged in to YouTube, Google+, and every other goddam property Google owns and my desktop Chrome synced up bookmarks and shit.

                What a mess. I used a tree branch tied to a horse to cover my tracks and I got strange looks that morning.

    • I use it pretty heavily. I have a lot of computers - home desktop, work desktop, laptop, tablet, phone, that one with all the MIDI stuff. Sync lets me move between them fairly seamlessly.

      Sync lets me see what tabs I have open on each machine. I saw this comment this morning on my tablet, didn't feel like finding my keyboard cover to type out a reply, so I left the tab open. I grabbed that tab from my work desktop, which is where I'm typing this now.

      I can even send a tab to another computer. I use that a lot

  • Synch? (Score:5, Insightful)

    by Zorro ( 15797 ) on Wednesday September 26, 2018 @04:55PM (#57381402)

    Why would I DO that?

    Every device has a different identity.

    Diffrent emails and different accounts for every resource.

    That way one confiscated or stolen device can only compromise those accounts.

    Then I can brick it remotely.

    • Re:Synch? (Score:4, Insightful)

      by ls671 ( 1122017 ) on Wednesday September 26, 2018 @06:08PM (#57381664) Homepage

      Indeed, indeed, I don't use sync.

      Basically screw the cloud for my sensitive data!

      More details:
      I don't even use the save password feature and I read my emails in pine. So, I will never ever need a recovery key for firefox. I have a proper backup strategy for everything including firefox configs and bookmarks. Backups are made on an encrypted partition on a remote data center on a server which I control fully and which nobody else can access since I wiped the disks and installed my own OS and I check for reboots and physical tampering with the intrusion sensor which tells you in the case is ever opened.

      Also the remote backup server logs to a computer in my house in real time through a vpn to make sure I have a log copy what ever happens
      example from syslog.conf:
      authpriv.* -/var/log/secure
      authpriv.* @10.256.222.53 // this is my home server

      So the remote backup server logs locally on its disk and to my home server in real time.

      sensors output example, see "intrusion" on last line

      2,17,32,47 /usr/bin/sensors | /usr/bin/logger
      Adapter: ISA adapter
      Core 0: 48.0C (high = 82.0C, crit = 100.0C)
      Core 1: 50.0C (high = 82.0C, crit = 100.0C)
      Core 2: 48.0C (high = 82.0C, crit = 100.0C)
      Core 3: 47.0C (high = 82.0C, crit = 100.0C)

      w83627dhg-isa-0290
      Adapter: ISA adapter
      Vcore: 1.29 V (min = 0.92 V, max = 1.48 V)
      in1: 0.76 V (min = 0.67 V, max = 0.83 V)
      AVCC: 3.23V (min = 2.96 V, max = 3.63 V)
      +3.3V: 3.23V (min = 3.46 V, max = 0.91 V)
      in4: 1.84V (min = 1.36 V, max = 2.04 V)
      in5: 1.26V (min = 1.13 V, max = 1.38 V)
      in6: 1.45V (min = 1.42 V, max = 1.52 V)
      3VSB: 3.23V (min = 2.96 V, max = 3.63 V)
      Vbat: 3.23V (min = 2.96 V, max = 3.63 V)
      fan1: 2909RPM (min = 712 RPM, div = 8)
      fan2: 3375RPM (min = 712 RPM, div = 8)
      fan3: 0RPM (min = 753 RPM, div = 128)
      fan4: 0RPM (min = 753 RPM, div = 128)
      fan5: 0RPM (min = 753 RPM, div = 128)
      temp1: 50.0C (high = 75.0C, hyst = 70.0C) sensor = thermistor
      temp2: 54.0C (high = 87.0C, hyst = 82.0C) sensor = CPU diode
      temp3: 54.0C (high = 87.0C, hyst = 82.0C) sensor = CPU diode
      intrusion0: OK

      • I control fully and which nobody else can access since I wiped the disks and installed my own OS, but left the Management Engine firmware intact and always running, with full access to system RAM and accessible via the network connection before it hits the system firewall.

        physical tampering with the intrusion sensor which tells you if the case switch is opened

        ftfy.

        What, with a 1.3Vcore it's probably an Intel Core2 Quad or something of that era?

        • by ls671 ( 1122017 )

          Yeah! Good point!

          You seem to know much more than I do so I have questions for you:

          1) What is the layer of this management protocol? I mean IP or ether? What if you have a fiber adapter?

          2) I assumed it wasn't IP but some lower level protocol and that it couldn't be possibly reached in any case through the Internet. Am I right?

          3) If I ever was right in question 2; how close do you need to be from the server to attack it? For example, I understand that anything using a hub wouldn't be an obstacle but would a s

          • You shouldn't take advice from random people on slashdot.
            You're bound to get trolled.

            • by ls671 ( 1122017 )

              Who says I do?

            • by ls671 ( 1122017 )

              Hey man, my questions were serious. Do you have time to review them for myself and the community? I don't mean for you to do any research, just answer them to the best of your knowledge if you can.

              I enjoy taking advice from many sources but in the end, I should have replied "I do, but who says I necessarily apply that advice".

              Thanks in advance!

              • Non-Intel network adapters should be fine, but I'm not a security researcher so don't take my advice.
                A hub or switch don't stop it, as it's TCP/IP. You could configure your router to block it, but that won't stop anything on the same subnet.

                Apparently it can even cause problems by intercepting legitimate packets if your OS chooses one of the AMT ports as the source port. It's not in the ephemeral port range though, so it shouldn't conflict.

        • by ls671 ( 1122017 )

          Sorry, I forgot to mention that when I wrote the following:

          You seem to know much more than I do so I have questions for you:

          it was linked to you writing:

          What, with a 1.3Vcore it's probably an Intel Core2 Quad or something of that era?

          I really enjoyed reading your sentence!

          Cheers!

      • by _merlin ( 160982 )

        You really shouldn't be using pine if you care about security. It's notorious for being coded in an insecure way, and it's going to be trivial to find exploits with basic data fuzzing. You're better off with mutt or something - pine is one of the packages you blacklist in environments where security matters.

    • I use different web browsers to access my different online accounts. Sometimes I use a different computer.

      Monocultures are stupid.

  • Firefox Sync's master key has been protected by SHA1 with 1 iteration for almost 10 years now. If you lose your password, you can probably just brute force it in only a couple minutes.

  • by Anonymous Coward

    You get a password to give if you ever forget your password.

You know you've landed gear-up when it takes full power to taxi.

Working...