@kaidenshi @KF0UNK It's been ages since I looked at Firefox's password storage, and that was before they moved to a multi-process architecture. Back then, a JavaScript sandbox escape could leak all passwords. From a quick skim of their docs, they encrypt the passwords on disk. It looks as if protecting the key that they're encrypted with from an attacker with local filesystem access requires you to set a primary password (which is presumably hashed and fed to a KDF to generate the keys), but that key will be in memory for at least one process.