Re-Hashed: How To Disable Firefox Insecure Password Warnings

We don’t recommend it, but here’s how to disable Firefox Insecure Password Warnings.

Firefox 52 added a new warning that appears on HTTP forms. It pops up below the field and takes the place of your saved password. It’s been cleverly dubbed the “Insecure Password Warning.”

If you regularly log in to HTTP sites on an intranet, or a website you use simply does not support HTTPS yet, this may annoy you.

Below are simple instructions to disable Firefox insecure password warnings, and instructions to turn autofill on for HTTP logins.

How To Disable Firefox 52 Insecure Form Warning

Keep in mind that your password can very easily be stolen if you are logging into websites over HTTP. If a website you use does not offer secure logins, use a unique password for that site and do not use it anywhere else.

Only follow these instructions if you want to turn off these important security settings in Firefox. Do not follow these instructions if someone else is telling you to.

Here’s how to disable Firefox insecure password warnings:

  1. Open a new tab, paste about:config into the address bar and hit enter.
  2. If you see the “This Might Void Your Warranty” page, click the blue “I accept the risk!” button. Understand we are manually modifying Firefox’s default settings.
  3. In the Search box at the top, paste security.insecure_field_warning.contextual.enabled
  4. Double click the setting to change it to “false”, to disable Firefox’s insecure password warning.
  5. Done! Now when you visit pages with HTTP login forms, the warning will no longer appear.

If you also want to restore autofill functionality, so that your saved login/password automatically populates in an HTTP form, keep the configuration page open and follow the next step.

Optional: In the Search box on the about:config page, paste signon.autofillForms.http, then double-click the setting to change it to “true.” This will enable autofill.
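For anyone who needs to check which Firefox profiles have had these two settings changed, the following is an added example (not part of the original article) that reads a profile folder's prefs.js and user.js files and reports whether either preference holds the value the steps above set. The function names and the sample file content are constructed for illustration.

```python
import re
from pathlib import Path

# The two preferences named in the steps above, with the value each step sets.
WEAKENED = {
    "security.insecure_field_warning.contextual.enabled": "false",
    "signon.autofillForms.http": "true",
}

# prefs.js and user.js hold one preference per line: user_pref("name", value);
PREF_LINE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;')

# Constructed sample of a prefs.js file, not taken from a real profile.
SAMPLE_PREFS = '''\
// Constructed sample
user_pref("browser.startup.page", 3);
user_pref("security.insecure_field_warning.contextual.enabled", false);
user_pref("signon.autofillForms.http", true);
'''


def read_watched(text):
    """Return {pref: raw value} for the watched prefs; the last line wins."""
    values = {}
    for line in text.splitlines():
        m = PREF_LINE.match(line)
        if m and m.group(1) in WEAKENED:
            values[m.group(1)] = m.group(2)
    return values


def audit_profile(profile_dir):
    """List watched prefs left at the weakened value in one profile folder."""
    effective = {}
    # user.js is applied over prefs.js at startup, so read it second.
    for name in ("prefs.js", "user.js"):
        path = Path(profile_dir) / name
        if path.is_file():
            text = path.read_text(encoding="utf-8", errors="replace")
            effective.update(read_watched(text))
    return sorted(p for p, v in effective.items() if v == WEAKENED[p])


if __name__ == "__main__":
    import sys
    for folder in sys.argv[1:]:
        print(folder, audit_profile(folder) or "defaults kept")
```

Run it with one or more profile folder paths as arguments; a preference that does not appear in either file is still at its default.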

A Note About Web Safety

When a website is using HTTP, you have an insecure connection that transmits all your data in plaintext. That means if you log in to an HTTP website, your password is sent over your ISP’s network, across the internet, and to the server as is, with no protections. If your password is “Camaro70!” anyone monitoring the network can see that.

Obviously, this makes it very easy to steal your login information and gain access to your account.

To protect yourself, please set a unique password for each and every site you visit that uses HTTP. Do not even make it similar to other passwords (for example, don’t just change the number or add an extra character to the end).

You may not think your information is at risk, but tens of millions of passwords are stolen every year. If you are logging in on a public/shared network – such as a coffee shop, airport, or municipal wifi – an attacker likely has a computer persistently monitoring traffic looking for anything worth stealing.

We understand that users do not like change and that if a website you use does not support HTTPS, there may not be anything you can do. This is why we have provided instructions to disable Firefox insecure password warnings. But please consider the security implications and the risk of password re-use before doing so.

If you are a website administrator or service provider who tells their users to turn these settings off: We will find you, and we will tell everyone about your bad security practices. Do not encourage or mislead users into reducing their protections online.


Re-Hashed is a regular weekend feature at Hashed Out where we pick one of our more popular stories and share it with our new readers.

40 comments
  • Unfortunately, the warning comes up with the logon pages of modems and routers. Since they use private IP addresses, and certificates are NOT issued for private IP addresses, these warnings will become just another click-through that will be ignored. 🙁

    • Hi Mark,

      That is a great point. It does seem worthwhile to notify users that they are insecure, even on those devices. However, if the warning is literally unavoidable due to restrictions on public SSL certificates, I agree that this will just be ignored and de-value the meaning of such warnings.

      • My work involves logging into a lot of Dell iDRAC cards, which are HTTPS connections to an IP address. If I had a dollar for every security exception I’ve added, I could take a sabbatical. Please, please provide a way (about:config would be a great place) where I can disable the warning page, at least for IP addresses, or allow me to allow exceptions for wildcard sites (https://10.*/, for example)

        Or point me to a CA who will sell me a wildcard certificate for 10.* addresses.

    • Hi Bill,

      Make sure there is no trailing space at the end, as that will cause Firefox to return no results. If that is not working, try searching just a segment of the string, such as “insecure_field_warning”

      That should still give you a match. If you still are not getting anything, make sure you are on Firefox 52. You can check this by opening the main menu, then clicking the “?” icon at the bottom right, then “About Firefox.”

  • While I am sure that this is very admirable, I am not so sure that it is really doing anybody any real favors because it is essentially empowering browser users to discard all thought of security. The more of this kind of stuff you do for them the more careless their behavior will become.
    I have always wondered about the wisdom of making it easy for people to be dumb.

  • It basically boils down to whose PC is it and why should I have to suffer because of dimwits? As an adult it’s my choice if I make the wrong choice. That’s how animals learn, by their mistakes, believe it or not.

    • I generally agree, however, losing a password due to “ignorance” (which is *way* more prevalent than I care to admit) can be a very, very, very costly problem. Sadly, people then blame Mozilla instead of their own actions.

    • Hi Maryanne,

      If you see a dropdown with a key icon, that is showing you the login(s) you have saved for that site through Firefox’s password manager.

      If you want to delete any saved logins, you want to go to the Security section of Firefox’s options. A quick way there is to paste this into your address bar:

      about:preferences#security

      Then click the “Saved Logins” button (bottom right) and you can manually delete those.

  • Thanks, this was really helpful 🙂
    I used to like Firefox, but got very irritated by their new useless functionality. I know about passwords and security and don’t need my browser to remind me the basics each time I login to my router or any site that uses HTTP for that matter.
    There should be an easy option to disable this USELESS warning, like discard this message from now on. But no, Firefox people are following the general trend which is to consider people as so irresponsible and dumb that some higher authority should take all responsibility for them.
    Sorry for the rant 😉 and thanks again for the tip 🙂

  • I am a developer. I sometimes develop websites. Those websites are developed locally, without ssl, for obvious reasons. Then I deploy them to a test server. Do I really need a warning that my password (“password”) to the account “test account” on my local machine might be stolen? No I do not.

    I turned that warning off. Thank goodness they didn’t force it on us with no ability to disable it.

  • Thank you for this bit of information. I use internal network sites all day long that are not using HTTPS let alone certificates that are up to date or verifiable on any browser. I just wanted the warning off so auto-complete would work again. We have survived the last 25 years without this warning. I think I can continue to manage.

  • Thanks for this. Firefox should have allowed for a way to add exceptions. Without it, it was a dumb feature because most sites are secured

  • It wouldn’t be so horrible if it wasn’t such an intrusive graphic. How about a red box or something instead of this massive gray thing that covers up a noticeable chunk of my screen. Thanks for posting this cure.

  • I have hundreds of passwords and they are all secure, but in order to use secure passwords I need to have auto-fill. Because without auto-fill I have to use insecure passwords I can remember.

    I was in the process of building a website for a charity at the time this appalling change came in. Unfortunately, because they don’t have their own SSL certificate, and because HTTPS is such a pain if you don’t have your own certificate and because of the threats by Micro$oft — sorry I mean Mozilla … I couldn’t see a way to get the project off the ground when users would be presented by “invalid certificate” errors if I did it one way or “this site doesn’t use HTTPS” if I did it the other.

    So all that work was wasted!!

    I’m sick of Mozilla which is now behaving like Micro$oft

  • With the latest 53.02 update it shows up as this

    security.insecure_field_warning.contextual.enabled

    So be sure to search for this string. I found it by finally typing contextual.

    Great info and yes proceed with caution. However if you’re a diligent reader of the information at this website you probably have a handle on most security issues and don’t need to be constantly told “Don’t put your hand on a hot stove”.

  • Hi, I turned off the warning just as is described above but the warning message still continues to popup when I want to save a password. This is becoming extremely annoying

    • Hi Gerrit,

      I tried to recreate that warning but didn’t see anything when saving a password on an HTTP site. Could you share a screenshot?

  • Thank you so much. I use LastPass and a VPN. It was so annoying to have my login boxes covered every time I went to one of my WP sites.

  • Big Brother and Firefox, this stinks of the same hubris as the sites that change home pages or add unwanted software during the installation of software that appears to be useful.

    Keep your nose out of my computer!

  • Thanx from Ukraine!
    For a long time I had no idea how to get rid of this message, especially on local sites.
    Very useful thing.

  • Thanks for this great article. I have my wifi router; can I use it without a wifi password, so my friends do not need a password to connect to the internet?

  • This is not useful. The directive only removes the warning (the literal string), but does not change this stupid behavior. The directive “signon.autofillForms.http” does nothing. I wonder if this “feature” is hard-coded.

  • What makes it so irritating is that the warning inevitably covers what you are typing so you cannot see it. This is enough to make a person disable it as shown in this article – and bypass its noble intent. Come on, Mozilla, you can do better.

  • I think the bottom line is that in this litigious world we live in, some (moron) err user, will sue Firefox, saying that they were not adequately warned when they went to some hacking website and ended up with a virus that wipes out their hard drive.

  • I have switched it off but sadly still can’t access my web host manager. 🙁
    I can’t afford to buy SSL certificates; I only mess about as a hobby, not selling or making money.

    • Let’s Encrypt provides free certificates… just saying.
      Still, this “feature” of FF is highly annoying, and will only lower the sensibility of the users for the problem, as they will start to click through on their known, beloved sites.
      Not helping.

Author

Vincent Lynch

The SSL Store’s encryption expert makes even the most complex topics approachable and relatable.