Free Republic

To: zeugma

The difference here being hack one password (if the person even used the master password) get the rest. And I’m betting you don’t even need the whole folder. I grabbed it because I wanted my bookmarks, extensions, and settings; I got my passwords for free. Now the real question comes in: if you grab just the files with the login/password info (no idea which those are) and drop them in a new profile, will they still be “protected” by the master password?

And understand, I’m posting this in FF; I’m not spreading FUD or anything, just pointing out a feature (it really is convenient if you’re buying a new machine or similar stuff) / hazard out there for people to be aware of. It’s a hazardous world, especially at the office where we don’t have sole access to “our” computers. People don’t think through the consequences of what they do on the internet these days; there was just a thread earlier this week about divorce lawyers trolling Facebook because people post statuses they don’t think through. Well, here’s something else to think through: if your credit card info is in your Firefox at work you better hope your IT department are on the level.


60 posted on 07/02/2010 8:34:06 AM PDT by discostu (like a dog being shown a card trick)
[ Post Reply | Private Reply | To 57 | View Replies ]


To: discostu
Back in yee olde dark ages (which for me was the seventies, when I first started messing with connected computers) the big trick was to keep from accidentally crashing the system. Security was locking the office where the computer was located. The corporation I worked for had dedicated phone lines between the computers, so the nationwide network was as secure as the door locks in the offices.

If someone gets physical access to your computer, I still think you're pretty much hosed. This has become more of an issue as computing has gone from desktop to mobile computing, as people are more likely to accidentally leave a laptop or a smart phone somewhere.

On the Firefox password, permissions, etc., the remote risk to me seems to be that options like remote desktop expose your hard drive. I also am not sure how secure the Firefox profile areas are. They're obviously exposed to the browser, which interfaces with the web. Firefox provides this information to different web sites. With physical access, it's pretty easy to get these passwords without doing anything sophisticated. Just crank up the browser and use either the bookmarks or the browsing history to surf to the site, and bammo, Firefox provides the login and password. Google Chrome is also very loose in remembering and supplying passwords. Don't know about IE, cause I never use it. While these functions can be changed in preferences, most people want it convenient.

I've lost track of the number of laptops lost by company and government employees. These laptops will have unencrypted databases with tons of personal information on them. Even if you keep your information secure, Mr. Social Security, your insurance agent, your retirement account administrator, or the state agency that maintains driver's license information has all this information aggregated. It's not just hacking your computer that's a risk. Also, many of the cc company identity thefts are inside jobs, and a lot of IT work is outsourced. I strongly suspect a lot of back doors have been built into secure programming code.

64 posted on 07/02/2010 9:09:20 AM PDT by Richard Kimball (We're all criminals. They just haven't figured out what some of us have done yet.)
[ Post Reply | Private Reply | To 60 | View Replies ]

To: discostu
The difference here being hack one password (if the person even used the master password) get the rest.

That's why I always recommend a really strong password for your master password. It's the same concept used in PGP/GPG, and keepass/passwordsafe for that matter. Since you're using one secret to protect many secrets, you should make that one secret appropriately strong.

And I’m betting you don’t even need the whole folder. I grabbed it because I wanted my bookmarks, extensions, and settings; I got my passwords for free. Now the real question comes in: if you grab just the files with the login/password info (no idea which those are) and drop them in a new profile, will they still be “protected” by the master password?

You don't need the whole directory. There are 3 files associated with your password: the cert8.db, key3.db, and secmod.db files. I'm pretty sure that if you move them from one computer to another, you'll have your passwords. Of course that doesn't help you if you want bookmarks and other preferences. I actually consider the fact that all you need is the directory to transfer your FF environment to another to be a feature - one I've used before and will probably use again when migrating computers.

One thing I don't particularly like about FF is that since (I think) the 2.0 series, bookmarks are stored in a SQLite database. I always liked the fact that bookmarks.html was all you needed to move bookmarks from one computer to another. My bookmark file is over 10 years old (probably closer to 15). It has moved from one computer to another over the years. Fortunately FF still provides a way to export your bookmarks to a single file. I do this occasionally, because I use my bookmark file as my 'homepage' to speed up startup times.

People don’t think through the consequences of what they do on the internet these days; there was just a thread earlier this week about divorce lawyers trolling Facebook because people post statuses they don’t think through. Well, here’s something else to think through: if your credit card info is in your Firefox at work you better hope your IT department are on the level.

Absolutely agree with that. I've been beating the crypto drum since PGP was nothing but a command-line DOS program. People don't understand how computers work, much less how to make them work well and securely (which is why I said that I think master password use should be the default in a previous post). If educated, people can be somewhat safer, but for a lot of people, finding things on their computer is incredibly confusing and difficult. They don't realise how easy it is for some of us. That's why I recommend programs like password safe and keepass. When I do, I always stress to make the passphrase meaningfully difficult to crack. You'd be amazed at how long a passphrase you can type in 2-3 seconds after you enter it enough times. :-)



66 posted on 07/02/2010 9:24:07 AM PDT by zeugma (Ad Majorem Dei Gloriam)
[ Post Reply | Private Reply | To 60 | View Replies ]
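
Added example (not part of the thread and not Mozilla code): a POSIX permission check over the three files named in post 66, for someone on a shared machine who wants to know whether other local accounts can read or replace them. The function names and the profile path argument are assumptions; the demo profile is constructed in a temporary directory.

```python
import os
import stat
import tempfile

# File names as given in post 66; the profile directory is supplied by the caller.
CREDENTIAL_FILES = ("cert8.db", "key3.db", "secmod.db")

def audit_profile(profile_dir):
    """Return [(name, octal_mode, [problems])] for the directory and each file found."""
    findings = []
    dir_mode = stat.S_IMODE(os.stat(profile_dir).st_mode)
    if dir_mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append((".", oct(dir_mode), ["directory open to group/other"]))
    for name in CREDENTIAL_FILES:
        path = os.path.join(profile_dir, name)
        try:
            st = os.lstat(path)          # lstat: do not follow a planted symlink
        except FileNotFoundError:
            continue
        mode = stat.S_IMODE(st.st_mode)
        problems = []
        if stat.S_ISLNK(st.st_mode):
            problems.append("is a symlink")
        if mode & (stat.S_IRGRP | stat.S_IROTH):
            problems.append("readable by group/other")
        if mode & (stat.S_IWGRP | stat.S_IWOTH):
            problems.append("writable by group/other")
        if st.st_uid != os.getuid():
            problems.append("not owned by current user")
        if problems:
            findings.append((name, oct(mode), problems))
    return findings

def demo():
    """Build a constructed profile: one file locked down, one left world-readable."""
    profile = tempfile.mkdtemp()         # constructed sample directory
    os.chmod(profile, 0o700)
    for name, mode in (("cert8.db", 0o600), ("key3.db", 0o644)):
        path = os.path.join(profile, name)
        with open(path, "wb") as fh:
            fh.write(b"constructed placeholder")
        os.chmod(path, mode)             # set explicitly so umask does not matter
    return audit_profile(profile)

if __name__ == "__main__":
    for name, mode, problems in demo():
        print(f"{name} ({mode}): {', '.join(problems)}")
```

An empty result means only the owning account can reach the files through normal file permissions; it says nothing about administrators or anyone with physical access to the disk.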


