Firefox Built-in Password Manager Review



It is often said that the best tool is the one you have with you. Although nowhere near as fully featured as either KeePass or commercial password manager software, the Firefox browser will remember passwords entered into web forms, and provides the option to encrypt them with a master password. These passwords can then be synced across devices using Firefox Sync.


A note on other browser password managers

Passwords not secured by a master password can in no way be considered safe, as anyone with access to your browser will be able to see them (this access need not be physical – a hacker can easily obtain unsecured passwords too). Google Chrome and Microsoft Internet Explorer do not protect passwords with a master password, making Firefox by far the most secure mainstream browser to integrate password management features.

In addition to this, Firefox is open source and does not pass personal information on to its parent company (as Chrome and IE do). Firefox is, therefore, our recommended browser generally, and can be made even more secure using our suggested add-ons and tweaks.

Pricing and Features

Firefox is developed by the non-profit Mozilla Foundation and is completely free (in every sense of the word as it is also open source).

As already noted, using Firefox to manage your passwords means sacrificing features that are standard in stand-alone, dedicated password manager programs.

Probably the most important of these is that Firefox does not generate strong passwords for you. This means that even if you make a big effort to think of new complex passwords for every website you visit, these are unlikely to be anywhere near as strong as ones generated by a computer program. After all, are you going to think up passwords such as ‘03qx@s5″E6CRE5MHn~=e’ all the time?

Another major issue is that the built-in Firefox manager only stores passwords entered into web forms in Firefox. It therefore cannot be used to store passwords for your other programs, or other information that you want kept secure (such as bank details).

Aesthetics, usability and customer support

The Firefox password manager is simply a feature of Firefox, and shares a common interface with the browser (its limited settings are accessed through Options -> Security tab).

Thanks to simplicity and native browser integration it is undoubtedly the easiest password manager to use. This is, however, something of a security risk, as it remembers passwords by default, but does not use a master password by default… if you plan to save sensitive passwords using this manager, you must TURN ON SAVED PASSWORDS!!!

Security and privacy

Assuming that a strong (and unique) master password has been set, local storage of passwords in Firefox should be secure, as they are encrypted using a 256-bit AES cipher (as utilized by the US government for sensitive data, and generally considered very secure).

The situation when using Firefox Sync is very different, however…

Until early 2014 Firefox Sync used a very robust system to secure users’ data. However, many found this very confusing to use, and it offered no way to recover or reset lost or forgotten passwords. Responding to users’ feedback, Mozilla moved to a more traditional cloud-based syncing solution based on the traditional username and password formula.

Importantly, although Firefox Sync passwords are encrypted locally (end-to-end), a key used to secure them is generated from the username and password, which is stored online by Mozilla. If a user loses or forgets their login details, this key can be used to reset their password.

While pretty secure (and very convenient), this does mean that Mozilla can in theory access users’ Firefox Sync accounts, including unsecured (no master password) passwords. And if Mozilla can do this, in theory, hackers can too. Technical details of this system can be found here.

This problem was compounded by the fact that early iterations of the new Firefox Sync feature did not sync passwords unless the master password was turned off! Mozilla reportedly fixed this problem since Firefox version 34, but we were unable to retrieve passwords on another device that were protected by a master password (we tested on two Android devices).

This is a major issue and effectively makes Firefox useless for securely syncing passwords across devices. For less secure passwords, the current system may be an acceptable compromise in return for the convenience of cross-device/platform syncing, but we do not recommend trusting your bank passwords to it!


Using Firefox Password Manager

The beauty of using Firefox to manage your passwords is that operation is almost entirely transparent. The browser simply saves passwords when you enter them into web forms, and will auto-complete them when you visit the web page again.

To make passwords secure, you must set a master password (and choose a strong one!)


The limited management options that are available can be found by going to Menu -> Security tab in Firefox. Here you can prevent Firefox remembering the passwords for some websites (‘Exceptions’), and view or delete Saved Passwords.


And that’s about it!

Cross-platform compatibility

As noted, we strongly recommend against disabling the Master Password just so that saved passwords can be synced across platforms.

If Mozilla fixes this problem, Firefox is available for Windows, Mac OS X, Linux, and Android (and an iOS preview has just been released). Firefox Sync should work across all platforms.


We liked

  • If you use Firefox (as you should), then you already have it!
  • Almost completely transparent in use
  • Strong encryption for passwords stored locally

We weren’t so sure about

  • Very basic password management
  • No strong password generator
  • Only works within Firefox browser

We hated

  • Firefox Sync does not appear to work with Master Password enabled, making cross-device/platform password syncing

If your password management needs are modest, and mainly revolve around accessing websites and services through your local browser, Firefox’s built-in password manager has much to recommend it, as it is very convenient and uses strong local encryption.

It is a shame that this healthy security is not carried through to the password syncing feature of Firefox Sync, which effectively makes Firefox useless (at best, dangerous at worst) as a platform for syncing passwords across devices, and which deeply undermines its utility.

Anyone, therefore, who has more advanced password needs, or needs to access their passwords on more than one device, should look elsewhere.


Douglas Crawford

I am a freelance writer, technology enthusiast, and lover of life who enjoys spinning words and sharing knowledge for a living. You can now follow me on Twitter - @douglasjcrawf.

9 responses to “Firefox Built-in Password Manager Review”

  1. I have Firefox 49.0.2 on a PC and the same version on an Android smartphone. Synching passwords with Masterpassword enabled works OK for me and has done for some time now.

    1. Hi Yeti42,

      Thanks for letting me know. As you can see, this article is more than a year old, and it seems things may have changed since I wrote it. When I have a moment I will re-look at Firefox’s password manager.

      1. Yeah it definitely works, although what I want to know is whether Firefox decrypts the saved passwords with the user’s master password before syncing them using their own encryption keys. Is it zero-knowledge?

        1. Hi Al,

          As noted, I have not looked into this for a while, and I am currently too snowed under with other work to do so now. That said, it is my understanding that:

          – “whether Firefox decrypts the saved passwords with the user’s master password before syncing them using their own encryption keys.” – No. Passwords are synced encrypted, and decrypted locally using your master password. The process is therefore end-to-end.
          – “Is it zero-knowledge?” Mozilla does not know your master password, but… The passwords are stored online, and a key used to secure them is generated from the username and master password. This key is also stored online by Mozilla. If a user loses or forgets their login details, this key can be used to reset their password. So not really…

  2. Great review, thanks.
    There still remains a question re default FireFox bookmark manager. If I have for example 4 email accounts all at Gmail, how will the default manager handle this?
    Many thanks

    1. Hi Dan,

      When you go to your Gmail account and start to type in your username, a list of stored usernames beginning with the letters you typed will appear as a drop down menu. Select the username for the account you wish to access, and Firefox should autofill the correct password.

  3. I have been using LastPass and Firefox (before that, Roboform).

    Because LastPass makes me enter a master password EVERY TIME I open a browser EVEN if I’m visiting NO sites where I care at all about encryption (sites requiring a password for whatever reason of their own (forums, etc.) but have no exposure to me as far as personal or financial information goes – I never enter profiles), it is a bit aggravating to use. This means that whenever I am on the internet my master password has already been entered, LastPass is open to my encrypted passwords. You can set certain sites to require an additional password entry, but it is the SAME password, NOT a different, ADDITIONAL password. They have some other, complicated and troublesome (or expensive) options to further protect passwords. To me a simple entry of a second, different self-designed key would serve the purpose, but even better would be allowing storage of some passwords without encryption, so that the encryption could be used ONLY when needed (and closed immediately) and you wouldn’t have to “open” LastPass with a key EVERY TIME you opened a browser, and then surf with it “open.” It would STARTUP “open” to UNencrypted passwords and you could enter the master password only on those sites where you WANTED encrypted passwords.

    SOooo, I ALSO use Firefox WITHOUT a master password for passwords I don’t care about (such as forums, etc.), and only use LastPass for passwords I want encrypted, so I can at least surf forums and such with ease and without complications or exposure of passwords I want encrypted. This does not, of course, solve the problem of LastPass staying “open” (unless I open and close it manually) every time I use it.

    Roboform allowed storage of BOTH encrypted and non-encrypted passwords. This is a great feature. However, Roboform sold me the software years ago, with the guarantee that it was “lifetime” and that I could update AND UPGRADE in perpetuity without additional cost. Later, they simply went back on their word. I just don’t do business with liars. My current system is easy enough, and maybe LastPass (or another manager) will pick up on this and add the ability to store encrypted AND UNencrypted passwords, requiring the master password ONLY on sites you WANT encrypted.

    1. Hi AnnaSummerS,

      Personally, I prefer to use the open source KeePass. With the PassIFox extension it integrates brilliantly with Firefox.
