Most users should leave them on, but here’s how to disable them.
Firefox 52 added a new warning that appears on HTTP forms. It pops up below the field and takes the place of your saved password.
If you regularly log in to HTTP sites on an intranet, or a website you use simply does not support HTTPS yet, this may annoy you.
Below are simple instructions to disable Firefox insecure password warnings, and instructions to turn autofill on for HTTP logins.
How To Disable Firefox 52 Insecure Form Warning
Please know that your password can very easily be stolen if you are logging into websites over HTTP. If a website you use does not offer secure logins, use a unique password for that site and do not use it anywhere else.
Only follow these instructions if you want to turn off these important security settings in Firefox. Do not follow these instructions if someone else is telling you to.
Here’s how to disable Firefox insecure password warnings:
- Open a new tab, paste about:config into the address bar and hit enter.
- If you see the “This Might Void Your Warranty” page, click the blue “I accept the risk!” button. Understand we are manually modifying Firefox’s default settings.
- In the Search box at the top, paste insecure_field_warning.contextual.enabled
- Double click the setting to change it to “false”, to disable Firefox’s insecure password warning.
- Done! Now when you visit pages with HTTP login forms, the warning will no longer appear.
If you also want to restore autofill functionality, so that your saved login/password automatically populates in an HTTP form, keep the configuration page open and follow the next step.
Optional. In the Search Box on the about:config page, paste signon.autofillForms.http
Double click the setting to change it to “true,” this will enable autofill.
A Note About Web Safety
When a website is using HTTP, you have an insecure connection that transmits all your data in plaintext. That means if you log in to an HTTP website, your password is sent over your ISP’s network, across the internet, and to the server as is, with no protections. If your password is “Camaro70!” anyone monitoring the network can see that.
Obviously, this makes it very easy to steal your login information and gain access to your account.
To protect yourself, please set a unique password for each and every site you visit that uses HTTP. Do not even make it similar to other passwords (for example, don’t just change the number or add an extra character to the end).
You may not think your information is at risk, but tens of millions of passwords are stolen every year. If you are logging in on a public/shared network – such as a coffee shop, airport, or municipal wifi – an attacker likely has a computer persistently monitoring traffic looking for anything worth stealing.
We understand that users do not like change and that if a website you use does not support HTTPS, there may not be anything you can do. This is why we have provided instructions to disable Firefox insecure password warnings. But please consider the security implications and the risk of password re-use before doing so.
If you are a website administrator or service provider who tells their users to turns these settings off: We will find you, and we will tell everyone about your bad security practices. Do not encourage or mislead users into reducing their protections online.