Scenario:
Someone stole your USB thumbdrive, which contains some sensitive data, including some passwords and/or session information. The thief could then access some of the accounts you previously logged in to.
Solution:
Firefox's default behavior is insecure for a roaming profile like the one used in Firefox Portable. Here are my recommendations:
Use a Master Password (Tools -> Options -> Security -> Master Password); the stronger the password is, the better (use the strength indicator, it's not there for the coolness factor). This will encrypt the passwords in the signons3.txt file so they won't be viewable without the Master Password.
Because the cookies and session information are NOT encrypted with the Master Password, they remain a security threat that could grant access to your accounts if you activated the auto-login options, even with a Master Password set. Also, if someone moves your cookies.sqlite file from the Firefox Portable profile to another profile, they will be able to use the cookies to gain access to some of the accounts you logged in to.
In order to avoid this, we have to make sure that all sensitive data and session information is cleared when Firefox is closed. To do so, we use the option "Always clear my private data when I close Firefox" combined with the following options checked in its Settings:
- Saved Form and Search History
- Cache
- Cookies
- Offline Web Site Data
- Authenticated Sessions
This way, no cookies are kept in Firefox, and the only way to gain access to your accounts is to know the Master Password. Take note that because the cookies are not saved, you will lose cookie-based website settings and the ability to auto-login to websites. The saved usernames and passwords will however still be auto-completed in the login pages. This is in my opinion a good trade-off between security and usability.
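To check that a Firefox Portable profile actually has these options turned on (for instance before handing the drive to someone, or after a Firefox update resets the dialog), here is a small added script, not part of this post's original recommendations, that reads the profile's prefs.js and lists which of the "clear on close" settings are missing. It assumes the dialog options map to the privacy.sanitize.sanitizeOnShutdown and privacy.clearOnShutdown.* preferences (the names used by Firefox 3.5 and later; older builds stored the dialog choices under privacy.item.*). The sample prefs.js text at the bottom is constructed for the demo.

```python
import re
import sys

# Assumed mapping from the dialog checkboxes in the post to prefs.js names.
# A preference that is absent from prefs.js is at its Firefox default, which
# for all of these means "do not clear", so absent counts as missing.
REQUIRED_PREFS = {
    "privacy.sanitize.sanitizeOnShutdown": True,  # "Always clear my private data when I close Firefox"
    "privacy.clearOnShutdown.formdata": True,     # Saved Form and Search History
    "privacy.clearOnShutdown.cache": True,        # Cache
    "privacy.clearOnShutdown.cookies": True,      # Cookies
    "privacy.clearOnShutdown.offlineApps": True,  # Offline Web Site Data
    "privacy.clearOnShutdown.sessions": True,     # Authenticated Sessions
}

# prefs.js lines look like: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\("([^"]+)",\s*(.+?)\);\s*$')


def parse_prefs(text):
    """Parse prefs.js content into a dict; comments and unrelated lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.group(1), m.group(2).strip()
        if raw == "true":
            value = True
        elif raw == "false":
            value = False
        elif raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1]
        else:
            try:
                value = int(raw)
            except ValueError:
                value = raw
        prefs[name] = value
    return prefs


def missing_settings(prefs):
    """Return the preference names that are absent or not set to the hardened value."""
    return [name for name, wanted in REQUIRED_PREFS.items()
            if prefs.get(name) is not wanted]


def audit_prefs_file(path):
    """Read a profile's prefs.js from disk and report the missing settings."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        return missing_settings(parse_prefs(fh.read()))


# Constructed sample: only some of the recommended options are enabled.
SAMPLE_PREFS_JS = """\
# Mozilla User Preferences
user_pref("browser.startup.homepage", "about:blank");
user_pref("privacy.sanitize.sanitizeOnShutdown", true);
user_pref("privacy.clearOnShutdown.cache", true);
user_pref("privacy.clearOnShutdown.cookies", false);
user_pref("privacy.clearOnShutdown.formdata", true);
"""

if __name__ == "__main__":
    # Usage: python audit_prefs.py [path/to/FirefoxPortable/Data/profile/prefs.js]
    # With no argument the constructed sample above is audited instead.
    if len(sys.argv) > 1:
        gaps = audit_prefs_file(sys.argv[1])
    else:
        gaps = missing_settings(parse_prefs(SAMPLE_PREFS_JS))
    if gaps:
        print("Not cleared on close:")
        for name in gaps:
            print("  " + name)
    else:
        print("All recommended clear-on-close settings are enabled.")
```

Run it against the profile's prefs.js while Firefox is closed (Firefox rewrites the file on exit, so a check taken while it is running may show stale values). Note that the script only checks the clear-on-close options; whether a Master Password is set is stored in key3.db, not in prefs.js, so that part of the recommendation still has to be verified in the Options dialog.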
By using those settings, you should have at least enough time to change your passwords before a thief manages to brute force your Master Password, making the stored passwords useless.
Please leave some comments if you think there is something missing, or to give some feedback.
Thanks!
m-p{3}