Security

Using Secure Login together with Firefox Password Manager can protect your passwords from Phishing and Cross-site scripting (XSS) attacks.

Why using a Password Manager increases the security of your passwords

Manually typing usernames and passwords into login fields has several drawbacks:

  • It is inconvenient and time consuming.
  • Due to the inconvenience users are tempted to use short, insecure passwords.
  • With an increasing number of websites requiring registration, users are tempted to always use the same password, which makes an attacker's job easier.
  • Remembering all of your passwords can be quite difficult.
  • You have to make sure nobody watches over your shoulder when you enter passwords.
  • You might enter your passwords on websites which look like your banking sites but aren't (see Phishing).

Using a Password Manager solves all those problems:

  • You don't have to enter username and password manually.
  • You can use long and cryptic passwords without having to remember them all.
  • You can use a different long and cryptic password for every website requiring registration.
  • You only have to remember one master password (or no password at all).
  • Nobody can read your passwords by looking over your shoulder if you don't type them in.
  • A good password manager won't fill in your passwords if you didn't save it for that website.

Knowing these facts you will agree that a Password Manager is a good idea to increase password security.
Note that to secure your saved passwords in Firefox Password Manager it is recommended to set a Master Password.

Why do you need Secure Login if Firefox already has a built-in Password Manager?

Secure Login has been developed for two reasons:

  • To make the login process even more convenient.
  • To increase the security of your saved passwords even more.

Firefox Password Manager fills out saved usernames and passwords automatically as soon as you visit the login page. Although you don't have to type in your login data manually, you still have to locate the login form on the page and click on the submit button.
If you have multiple username+password combinations saved for a login page, Firefox Password Manager can't fill out the form automatically. You have to click twice on the username field (or start typing the first character of one of the saved usernames) and select the desired username to fill it in. And you still have to click on the submit button to submit the form.

Improved user experience

With Secure Login the login process is much more convenient:
If you have only one username+password combination saved, just click on the Secure Login toolbar button or perform the Secure Login keyboard shortcut and you will be logged in automatically.
For multiple logins, you just need one click more to select the desired username.
Have a look at the Secure Login Usage description.
You can even login directly from your bookmarks using the Secure Login Bookmarks.

Improved security

With Secure Login installed, your passwords will only be filled into the login fields when you really want to login.
This follows the rule not to disclose any confidential information without user interaction.

On installation Secure Login automatically sets a configuration option (editable via about:config) of Firefox Password Manager to false:

  • signon.autofillForms on Firefox 3 and later.
  • signon.prefillForms on Firefox 1.5 and Firefox 2.

Setting this option to false stops the saved login credentials from being prefilled into the login form on page load, and thus prevents malicious JavaScript inserted on the login page from automatically stealing your login data, which could otherwise happen just by visiting a manipulated login page (e.g. through Cross-site scripting (XSS) attacks - see also Firefox Bug #360493).
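As an added example (not code from Secure Login or Firefox), the following script audits a Firefox prefs.js / user.js text for the preference named above and reports whether autofill on page load is really switched off; the sample prefs text is constructed here, and Firefox's default of true is assumed when the entry is missing.

```javascript
// Constructed sample of a Firefox prefs.js / user.js file.
const SAMPLE_PREFS = [
  '// Mozilla User Preferences',
  'user_pref("browser.startup.homepage", "about:blank");',
  'user_pref("signon.rememberSignons", true);',
  'user_pref("signon.autofillForms", false);',
].join('\n');

// Parse every user_pref("name", value); line into a plain object.
// Values are JSON-like (strings, numbers, true/false), so JSON.parse works.
function parsePrefs(text) {
  const prefs = {};
  const re = /^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$/;
  for (const line of text.split('\n')) {
    const m = re.exec(line);
    if (!m) continue;              // comments, blank lines, anything else
    try {
      prefs[m[1]] = JSON.parse(m[2]);
    } catch (e) {
      prefs[m[1]] = m[2];          // keep raw text for unparseable values
    }
  }
  return prefs;
}

// The preference name depends on the Firefox version, as listed above.
function autofillPrefName(majorVersion) {
  return majorVersion >= 3 ? 'signon.autofillForms' : 'signon.prefillForms';
}

// A missing entry means the browser default (true) applies, i.e. autofill
// on page load is still on. Report which pref was checked and the verdict.
function auditAutofill(prefsText, majorVersion) {
  const prefs = parsePrefs(prefsText);
  const name = autofillPrefName(majorVersion);
  const value = Object.prototype.hasOwnProperty.call(prefs, name) ? prefs[name] : true;
  return { pref: name, value, hardened: value === false };
}
```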

Malicious JavaScript inserted on a login page could still read your login data as soon as you login with Secure Login (and Javascript Protection disabled), but not just by visiting the page.
Enabling the Javascript Protection will prevent any Cross-site scripting (XSS) attacks on your passwords, as your login data will never be inserted into any form fields. See Javascript Protection on how this is done.

Does using Secure Login protect my passwords from a Keylogger, a Trojan horse or a Virus?

No. Although Secure Login keeps keyloggers from capturing your passwords as you type (since you don't need to type them in), none of your data, passwords included, is safe any more once malicious software is running on your system.

Law #1 of the 10 Immutable Laws of Security:

If a bad guy can persuade you to run his program on your computer, it's not your computer anymore.

How to create secure passwords?

To create a secure password you only have to follow seven simple rules:

  • Password length > 20 characters (or at least length > 10)
  • Password contains numbers
  • Password contains lower case letters
  • Password contains upper case letters
  • Password contains symbols (best are characters not available on your keyboard)
  • Password does not (only) contain words which can be found in a dictionary
  • Password does not (only) contain words with a relation to you (e.g. the name of your pet)

To crack a password an attacker basically has to try out every possible combination. The more different characters you use the more different combinations are possible, making it more difficult for an attacker to crack the password in a given time.
See also http://en.wikipedia.org/wiki/Password_strength

You should not use passwords which can be found in a dictionary - attackers use dictionaries to crack common passwords, which is much faster than cracking passwords by brute force.
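As an added example (not part of Secure Login), the following code checks a password against the seven rules listed above and estimates the brute-force search space from the character classes it uses; the dictionary, the personal-word list and the symbol count of 33 (printable ASCII symbols) are assumptions constructed for the example.

```javascript
// Constructed word lists standing in for a real dictionary and for words
// related to the user (e.g. a pet's name).
const SMALL_DICTIONARY = new Set(['password', 'welcome', 'summer', 'dragon']);
const PERSONAL_WORDS = new Set(['fluffy', 'smith']);

// Evaluate each rule as a predicate; a password passes when all are true.
function passwordRules(pw, personal = PERSONAL_WORDS, dict = SMALL_DICTIONARY) {
  // Letter-only chunks, lower-cased, for the dictionary / personal checks.
  const words = pw.toLowerCase().split(/[^a-z]+/).filter(Boolean);
  const onlyFrom = (set) => words.length > 0 && words.every((w) => set.has(w));
  return {
    lengthOver20: pw.length > 20,
    lengthOver10: pw.length > 10,
    hasDigit: /[0-9]/.test(pw),
    hasLower: /[a-z]/.test(pw),
    hasUpper: /[A-Z]/.test(pw),
    hasSymbol: /[^0-9a-zA-Z]/.test(pw),
    notOnlyDictionary: !onlyFrom(dict),
    notOnlyPersonal: !onlyFrom(personal),
  };
}

// Every rule except the 20-character target is required; >10 is the minimum.
function failedRules(pw, personal, dict) {
  const r = passwordRules(pw, personal, dict);
  return Object.keys(r).filter((k) => k !== 'lengthOver20' && !r[k]);
}

// Search space from the character classes actually present: trying every
// combination means alphabet^length candidates, i.e. length * log2(alphabet)
// bits. Dictionary words shrink this drastically, which the rules above avoid.
function searchSpaceBits(pw) {
  const r = passwordRules(pw, new Set(), new Set());
  const alphabet = (r.hasDigit ? 10 : 0) + (r.hasLower ? 26 : 0) +
    (r.hasUpper ? 26 : 0) + (r.hasSymbol ? 33 : 0);
  return alphabet === 0 ? 0 : Math.round(pw.length * Math.log2(alphabet));
}
```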

Of course complex passwords are hard to remember. But if you use a Password Manager you only have to remember one Master Password.

A simple rule to create a long and cryptic but easy to remember password is to take a bunch of words (best some gibberish which only makes sense to you) in mixed upper and lower case and to concatenate them with numbers and symbols.