2

Alright, so a huge security flaw is that Firefox saves passwords in plain text. How can we disallow saving of passwords in Firefox the quickest way?

Is it possible by Group Policy or anything like that?

Of course a trouble will be that the user easily can change browser.

But would be nice to not allow it for Firefox at least.

MDMarra
rkl
  • I don't believe passwords are saved in clear txt fyi. Weak and unlocked with a single password (or blank password), but not in clear txt. – MathewC Dec 01 '11 at 13:45
  • Firefox is notorious for not natively supporting GPO. There have been a number of 3rd party attempts (i.e. firefoxadm) to fix this but most have long been abandoned. If you really need GPO control either stick with IE or Chrome that does offer GPO support. – thanosk Dec 01 '11 at 15:14
  • AFAIK, FF doesn't save passwords in plaintext. Do you have a reference to this? Even if it doesn't, I can still understand why you might want to disable password saving. – MDMarra Dec 01 '11 at 15:15
  • @MarkM: I disable password saving functionality frequently because I'd rather users were using real "password wallet" software (like Password Safe, KeePass, etc) instead of relying on a feature in the browser that may not be as secure as a purpose-built alternative. I also want a clear password wallet app to support so I don't run into situations where upgrades to the browser (or, in the case of IE, changes to the user's profile / registry) cause passwords to be lost. – Evan Anderson Dec 01 '11 at 15:20
  • @EvanAnderson I agree. I was just asking for a reference to the plain-text password assertion that the OP made. I can still understand why someone would want to disable it even if it isn't plaintext. I believe that firefox stores the passwords in a SQLite database, so upgrades *shouldn't* clobber it. But, as always, better safe than sorry. – MDMarra Dec 01 '11 at 15:33
  • Honestly... it's probably not stored in plain text, but if it takes the user about 3 clicks to see the passwords in plain text without entering any password on the computer... that's pretty insecure... – rkl Dec 01 '11 at 16:08

3 Answers

6

Firefox has no native GPO support. You can use a mozilla.cfg file that you push out with Group Policy File Preferences that contains lockPref("signon.rememberSignons",false); in it. This will disable the password remember features. You'll also have to push out a few other changes to make Firefox load the mozilla.cfg file. It's all detailed in that link.

Alternatively, Frontmotion makes a pay-for version of Firefox that has GPO support. The problem is that it uses a different icon since it's not a vanilla Firefox distro. This confuses most end users.

MDMarra
  • Yeah, there are lots of 3rd party ADM files etc. I tried some, but they were keeping up with the latest version of Firefox and additional options that were being introduced. I found the easiest way was to write custom config files and have them pulled down to the user's profile folder at logon via a GPO script (although this isn't foolproof as users can change the file once logged on, but it will be reset again at next logon, so they generally didn't). – jwbensley Dec 04 '11 at 16:36
  • The GPO Script approach seems like a good option! – rkl Dec 06 '11 at 12:40
0

Here's a quick batch script to take care of this issue in about 0.2 seconds. You could then deploy it in their login scripts if you see fit. Please note that if something has already been configured using preference locking in Firefox, this will overwrite it.

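@echo off
rem Locate the Firefox install directory (either Program Files location).
set "loc=no"
if exist "C:\Program Files\Mozilla Firefox" set "loc=C:\Program Files\Mozilla Firefox"
if exist "C:\Program Files (x86)\Mozilla Firefox" set "loc=C:\Program Files (x86)\Mozilla Firefox"
if "%loc%"=="no" goto done

rem Tell Firefox to load an unobscured mozilla.cfg from the install directory.
ECHO pref("general.config.obscure_value", 0); > "%loc%\defaults\pref\local-settings.js"
ECHO pref("general.config.filename", "mozilla.cfg"); >> "%loc%\defaults\pref\local-settings.js"

rem The first line of mozilla.cfg is a bare comment; the locked preference follows it.
ECHO // > "%loc%\mozilla.cfg"
ECHO lockPref("signon.rememberSignons",false); >> "%loc%\mozilla.cfg"

:done
rem pause waits for a keypress; drop it for unattended runs.
pause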
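
A check to run once the batch script above has been deployed, as an added example that is not part of the original answer: it verifies that an install directory still carries the loader prefs and the locked preference. The function name Test-FirefoxPasswordLock and the ff-lock-demo directory are constructed for illustration, and the check assumes Firefox skips the first line of mozilla.cfg, which is why the script above writes a bare // first.

```powershell
function Test-FirefoxPasswordLock {
    param([Parameter(Mandatory)][string]$InstallDir)
    $problems = @()
    $prefDir  = Join-Path $InstallDir 'defaults\pref'
    $cfgPath  = Join-Path $InstallDir 'mozilla.cfg'

    # A .js file in defaults\pref must point Firefox at an unobscured mozilla.cfg.
    $loader = ''
    if (Test-Path $prefDir) {
        $loader = (Get-ChildItem -Path $prefDir -Filter '*.js' -File | Get-Content -Raw) -join "`n"
    }
    if ($loader -notmatch 'pref\(\s*"general\.config\.filename"\s*,\s*"mozilla\.cfg"\s*\)') {
        $problems += 'general.config.filename does not point at mozilla.cfg'
    }
    if ($loader -notmatch 'pref\(\s*"general\.config\.obscure_value"\s*,\s*0\s*\)') {
        $problems += 'general.config.obscure_value is not 0'
    }

    # The first line of mozilla.cfg is skipped, so a lockPref placed there has no effect.
    if (-not (Test-Path $cfgPath)) {
        $problems += 'mozilla.cfg is missing'
    } else {
        $body = @(Get-Content -Path $cfgPath) | Select-Object -Skip 1 |
                Where-Object { $_ -notmatch '^\s*//' }
        if (-not ($body -match 'lockPref\(\s*"signon\.rememberSignons"\s*,\s*false\s*\)')) {
            $problems += 'signon.rememberSignons is not locked to false after line 1'
        }
    }
    [pscustomobject]@{
        InstallDir = $InstallDir
        Compliant  = ($problems.Count -eq 0)
        Problems   = $problems
    }
}

# Constructed demo data: the layout the batch script produces, then a tampered copy.
$demo = Join-Path $env:TEMP 'ff-lock-demo'
New-Item -ItemType Directory -Force -Path (Join-Path $demo 'defaults\pref') | Out-Null
Set-Content (Join-Path $demo 'defaults\pref\local-settings.js') @(
    'pref("general.config.obscure_value", 0);',
    'pref("general.config.filename", "mozilla.cfg");')
Set-Content (Join-Path $demo 'mozilla.cfg') @('//', 'lockPref("signon.rememberSignons",false);')
Test-FirefoxPasswordLock $demo

# Tampered: the lockPref now sits on the skipped first line, so the audit flags it.
Set-Content (Join-Path $demo 'mozilla.cfg') 'lockPref("signon.rememberSignons",false);'
Test-FirefoxPasswordLock $demo
```

On a managed machine, pass the real install directory (one of the two Program Files paths the script above checks) and alert when Compliant is false.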
0

Alternatively, there is an up-to-date free project providing a group policy support module for Firefox and Thunderbird.

Slipeer