Privacy & Security Preferences - Web Passwords
This section describes how to use the Web Passwords panel. If you are not already viewing the panel, follow these steps:
- Open the Edit menu and choose Preferences.
- Under the Privacy & Security category, choose Web Passwords. (If no subcategories are visible, double-click the category to expand the list.)
Password Manager
Password Manager stores your user names and passwords on your computer's hard disk and enters them for you automatically when you visit the sites that require them. For detailed information about using Password Manager, including how to override it for individual sites and how to view and manage stored passwords, see Using the Password Manager.
To activate Password Manager so that it automatically stores your user names and passwords and enters them for you as necessary, select the checkbox in the Web Passwords panel labeled "Remember passwords for sites that require me to log in."
To turn off Password Manager, deselect the same checkbox.
Encrypting Versus Obscuring
If you use Password Manager or Form Manager to save passwords and personal data, then this sensitive information is stored on your computer in a file that's difficult, but not impossible, for an intruder to read. This way of storing information is sometimes described as "obscuring."
For improved protection, you may want to protect the file with encryption. Encryption makes it nearly impossible for an unauthorized person to view your stored sensitive information.
To turn on encryption for sensitive information stored on your computer, select the checkbox in the Web Passwords panel labeled "Use encryption when storing sensitive data." If you have not previously set a master password, you will be asked to create one. To do so, follow the instructions as they appear on your screen. For an overview of the steps involved, see Encrypting Stored Sensitive Information.
To turn off encryption for sensitive information, so that it is obscured but not encrypted, deselect the checkbox.
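The difference between the two storage modes, as an added example that is not the browser's own code: base64 stands in for "obscuring" (an assumption; this page does not specify the obscuring format), and a standard-library construction (PBKDF2 key derivation, an HMAC-SHA256 keystream and an integrity tag) stands in for the browser's encryption. The function names are hypothetical.

```python
import base64, hashlib, hmac, os

def obscure(secret: bytes) -> bytes:
    # Obscuring (assumed here to be base64): no key is involved,
    # so anyone who can read the file can reverse it.
    return base64.b64encode(secret)

def unobscure(blob: bytes) -> bytes:
    return base64.b64decode(blob)

def _keys(master_password: str, salt: bytes):
    # Stretch the master password into an encryption key and a MAC key.
    dk = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 100_000, dklen=64)
    return dk[:32], dk[32:]

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, a stdlib stand-in for a vetted cipher.
    out, counter = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:n]

def encrypt(secret: bytes, master_password: str) -> bytes:
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(master_password, salt)
    ct = bytes(a ^ b for a, b in zip(secret, _keystream(enc_key, nonce, len(secret))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def decrypt(blob: bytes, master_password: str) -> bytes:
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _keys(master_password, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        # Without the master password the stored data stays unreadable.
        raise ValueError("wrong master password or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
```

The obscured form needs nothing but the file to recover the secret, while the encrypted form is only as strong as the master password that derives its key.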
Privacy & Security Preferences - Master Passwords
This section describes how to use the Master Passwords panel. If you are not already viewing the panel, follow these steps:
- Open the Edit menu and choose Preferences.
- Under the Privacy & Security category, choose Master Passwords. (If no subcategories are visible, double-click the category to expand the list.)
Change Master Password
A master password protects a security device, which is a software or hardware device that stores sensitive information associated with your identity, such as keys or certificates. For example, the browser has a built-in Software Security Device, and you can also use external security devices, such as smart cards, if your computer is configured to use them.
The master password for the browser's built-in Software Security Device protects your master key. Your master key is used to encrypt sensitive information such as email passwords, web site passwords, and other data stored by the Password Manager and Form Manager.
To set or change any of your master passwords, click the Change Password button in the Master Passwords preferences panel (or open the Tasks menu, then choose Privacy & Security, Password Manager, and Change Master Password).
You can then use the Set Master Password dialog box to provide the following information:
Security Device: Each security device requires a separate master password. For example, if you are using one or more smart cards to store some of your certificates, you should set a separate master password for each one. If more than one security device is available, a pop-up menu at the top of the Set Master Password dialog box allows you to choose the device whose password you want to change.
Old password: If you are changing an existing master password, you must first type the old password. If you don't type the old password correctly, you will see the message "Incorrect password entered" after you click OK. If this happens, your password has not been changed and you must start all over again.
New password: Type your new password into this field.
New password (again): Type your new password again. If you don't type it the second time exactly as you did the first time, the OK button remains inactive. If this happens, try typing the new password again.
If someone uses your computer who knows or can guess your master password, that person may be able to access web sites while pretending to be you. This can be dangerous, for example, if you manage your financial accounts over the Internet.
Therefore, it's important to select a master password that's difficult to guess. The password quality meter gives you a rough idea of the quality of your password as you type it based on factors such as length and the use of uppercase letters, lowercase letters, numbers, and symbols. For further guidelines, see the online document Choosing a Good Password.
It's also important to record your master password in a safe place, and not anywhere that's easily accessible to someone else. If you forget this password, you may not be able to access important information, such as web sites that require passwords or certificates stored on your computer.
Master Password Timeout
If you are using the Password Manager but are not using certificates, and if you have set a master password, the browser will ask you to enter the password only when the newly launched browser first uses the Password Manager or Form Manager to fill in personal information.
If you are using personal certificates, you can control how often the browser requests your master password. Here are some things you should consider when selecting these options:
- The first time it is needed. If you work in an office with strong physical security measures or if you feel that the consequences of somebody else using your computer to impersonate you are not extreme, click this radio button. This setting causes Certificate Manager to request your master password only the first time it needs access to the private key database after launching. Certificate Manager will not request the master password again until after you exit and relaunch the browser. This setting provides the lowest level of protection.
- Every time it is needed. If you are very concerned about the possibility that somebody else might be able to use your computer to impersonate you, click this radio button. This setting ensures that Certificate Manager will never access the private key database without first requesting your master password. This setting provides the highest level of protection.
- If it has not been used for blank minutes or longer. If you are somewhat concerned about the possibility that somebody else might be able to use your computer to impersonate you, but not enough to type in your master password at frequent intervals, click this radio button and fill in the box with a value you feel comfortable with. For best protection, this should be a fairly low number of minutes, such as 20.
This setting causes Certificate Manager to request your master password if it needs to access the private key database and the specified interval has elapsed since the last time it used the database. This setting is appropriate if you sometimes send or receive confidential information to or from web sites that support encryption.
Note that this setting provides little protection against someone using your computer to send a signed email message in your name.
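The three timeout settings can be compared on one timeline. The following is an added example, not the browser's own code: the class, the mode names and the access times are constructed for illustration, and time is counted in minutes since the browser was launched.

```python
from dataclasses import dataclass
from typing import Optional

FIRST_TIME, EVERY_TIME, IDLE_TIMEOUT = "first_time", "every_time", "idle_timeout"

@dataclass
class MasterPasswordPolicy:
    mode: str
    idle_minutes: int = 20            # only used by IDLE_TIMEOUT
    last_use: Optional[float] = None  # minute of the last key database access

    def access(self, now: float) -> bool:
        """Record a private key database access; return True if a prompt is required."""
        if self.mode == EVERY_TIME:
            prompt = True
        elif self.mode == FIRST_TIME:
            prompt = self.last_use is None
        elif self.mode == IDLE_TIMEOUT:
            # The interval is measured from the last use, so it restarts on every access.
            prompt = self.last_use is None or now - self.last_use >= self.idle_minutes
        else:
            raise ValueError(f"unknown mode: {self.mode}")
        self.last_use = now
        return prompt

def prompts(mode: str, times, idle_minutes: int = 20):
    """Return the access times at which the master password would be requested."""
    policy = MasterPasswordPolicy(mode, idle_minutes)
    return [t for t in times if policy.access(t)]

# Constructed timeline of private key database accesses (minutes since launch).
ACCESSES = [0, 5, 24, 50, 51, 120]

if __name__ == "__main__":
    for mode in (FIRST_TIME, EVERY_TIME, IDLE_TIMEOUT):
        print(mode, prompts(mode, ACCESSES))
```

With a 20-minute interval, the accesses at minutes 5, 24 and 51 go through without a prompt because each falls within 20 minutes of the previous use; that unprompted window is what anyone at the keyboard inherits.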
Reset Master Password
Warning: If you reset your master password, you will permanently erase all the web passwords, email passwords, and form data saved on your behalf by Password Manager and Form Manager. You will also lose all your personal certificates associated with the software security device.
If you remember your master password and decide to change it, you can do so without danger of losing any personal information. If you are viewing the Reset Master Password alert and you decide you want to change your password rather than resetting it, click Cancel to return to the Master Passwords preferences panel, then click Change Password. For details, see Change Master Password.
Note that you must remember your old master password to change it with the Change Password button. Resetting your master password is a last resort that you should use only if you are absolutely sure you've forgotten it.
The seriousness of the situation depends on how much personal data your forgotten master password protects. To find out, follow these instructions before resetting your master password:
- To view stored Password Manager data, see Managing Stored Passwords.
- To view stored Form Manager data, see Saving Information from Forms.
- To view your personal certificates, open Certificate Manager and look at the certificates listed under Your Certificates. Those with "Software Security Device" in the Security Device column will be lost after you reset your master password. For more information, see Managing Certificates.
Resetting your master password does not create a new password. Instead, it removes all the data your old master password protects. You will be asked to specify a new master password the next time Certificate Manager needs to store personal information.
After you reset your master password, you must also re-enter all the web site and email passwords that Password Manager may have stored on your behalf, and you must enter form data by hand until Form Manager accumulates enough data to fill in forms automatically. In addition, any personal certificates associated with the software security device will be permanently erased and you will need to apply for new ones.
Note for smart card users: Each smart card has its own master password. The master password for a smart card protects only the data on that smart card (such as personal certificates). You can normally change the master password for a smart card (assuming that you remember it), but you cannot reset it.
9/12/2001
Copyright © 1994-2001 Netscape Communications Corporation.