Foxmarks: Password Sync

From Foxmarks Wiki

Password Synchronization is an optional feature that allows you to securely synchronize your saved passwords between your computers. With this feature, you can save your passwords at work and have them automatically available on your computer when you get home!

This feature is compatible with bookmark synchronization so you can keep both your passwords and bookmarks synchronized at the same time. Password Synchronization only works in Firefox 3.

Contents 1 How to Get Started 2 How it Works 2.1 Encryption and Security 3 Frequently Asked Questions 3.1 Can I choose which passwords are synchronized to which computers? (Does it support Sync Profiles)? 3.2 Where is my PIN stored? 3.3 Why do I need to enter a PIN to setup Sync Profiles for my passwords? How is this secure?

How to Get Started

There are two ways for you to enable password synchronization:

1. If you already have Foxmarks installed:
   1. Open the Foxmarks Settings dialog (located in Tools > Foxmarks > Settings...).
   2. Click on the "Sync" tab.
   3. Select the checkbox labeled "Passwords". You will be guided through a quick and easy password synchronization setup flow.
2. If you're installing Foxmarks for the first time:
   1. The setup wizard will ask you whether you wish to synchronize your passwords as part of the installation and setup process.
   2. Simply choose "yes" and you will be guided through a quick and easy password synchronization setup flow.

Don't forget to enable Password Synchronization on all the computers on which passwords should be kept in sync.

How it Works

Password Synchronization works silently in the background to make sure that your passwords are the same on all your computers. If you add, remove or update a password on one computer, Foxmarks will make sure that your change will automatically be made on all your other computers as well. It works in a similar manner to bookmark synchronization with two major differences:

1. Password Synchronization is completely optional and is turned off by default. Foxmarks will ignore your passwords until you decide to synchronize them.
2. Password Sycnhronization encrypts your passwords using a secret PIN of your choosing before they ever leave your computer. This ensures that nobody but you, not even Foxmarks, can gain access to your passwords. You can learn more about encrption and security below.

The diagram below illustrates in greater detail how Password Synchronization works.

Encryption and Security

To encrypt your passwords, Foxmarks uses the current state of the art AES 256-bit encryption algorithm. AES is a United States government standard and is recommended by National Security Adminstration (NSA) for encrypting classified information. See the AES Wikipedia entry for more details.

AES works by taking data that needs to be encrypted along with a secret PIN of your choosing, and then produces an encrypted result. It is strong enough to virtually guarantee that your encrypted data cannot be decrypted by a third-party, not even Foxmarks. The biggest point of weakness is in the strength of the secret PIN that you choose. Foxmarks recommends that you choose a PIN that is difficult to guess and contains a wide variety of different characters and numbers.

Frequently Asked Questions

Can I choose which passwords are synchronized to which computers? (Does it support Sync Profiles)?

Yes, password synchronization works with Sync Profiles. To select which passwords get assigned to which profiles, click on the "Sync Profiles" button in My Foxmarks, and then select "Passwords" in the drop-down.

Where is my PIN stored?

Your PIN is stored on your computer in the same place where Firefox stores all your other passwords. Your PIN is never synchronized with your other computers and Foxmarks will never cause it to leave your computer. Only you and your computer ever have knowledge of the PIN, Foxmarks does not and so we cannot use it to access your passwords.

Why do I need to enter a PIN to setup Sync Profiles for my passwords? How is this secure?

To show you the websites for which you have saved passwords, we first need to decrypt your passwords using the same PIN that we used to encrypt them. This PIN will not be saved on disk or in memory and it will not be sent over the network. Decryption will be performed locally on this computer and will not be cached.

Additionally, only information about the website (domain and realm) and username will be presented here. Your actual passwords will not be made available for viewing, and they will not be stored on disk or in memory. All encrypted information relating to passwords will be flushed from memory when the Sync Profiles dialog window is closed.