Whenever I go to the Netflix main page in Firefox, I'm automatically logged in.
However, when I open up Firefox's list of saved passwords, I notice that Netflix is not among the sites Firefox is keeping passwords for (Options -> Security -> Saved Passwords)
How does Netflix know the password if Firefox isn't storing it, and where is it being stored?
To answer your first question, Netflix doesn't know your password.
What Netflix and every other competent website out there does is hash your password using a one-way hashing scheme (MD5, SHA-1, SHA-2, etc.).
What this does is essentially create a unique fixed-length hexadecimal fingerprint that identifies the string of text that is your password. For instance, here's what my-secure-password looks like after being hashed using MD5:
They store this hash in their internal database and every time you log into Netflix, the password you supply during the login process is hashed once again using the same scheme and is matched against the copy of the hashed password stored in their database.
If they match, they know that you've entered the correct password and you're granted access. If they don't, you're not authenticated. This is why when you click on some variation of the Forgot password link they don't send you your old password but rather ask you to choose a new one. It's because they don't know what your password is either.
So how are you logged in if Firefox did not store the password for Netflix?
The answer to that is session cookies. When you logged into Netflix (maybe a while ago), you may have chosen to remember your session.
If you did, Firefox stores a small tidbit of information on your computer that uniquely identifies you whenever you visit Netflix. These 'cookies' as they are called generally persist for a short period time until the session is active and then expire. Some however may last weeks or longer. Delete that cookie and Netflix won't remember you.
Regarding your second question, if Firefox didn't 'remember' the password, it isn't stored anywhere. What's stored is the cookie. Firefox stores them in its Profiles folder in the file cookies.sqlite which is a SQLite database file.
Lastly, if you opted to log in through your Facebook account, you wouldn't need a password and so Firefox wouldn't store one.
However, a cookie would still be created to identify your session.
Netflix – like most other websites – doesn't care about your password during normal browsing. Instead, when you log in, Netflix has the browser store a 'cookie' with the login session ID. The browser sends it back every time it requests a new page. (Likewise, the password storage in Firefox is not used during normal browsing, but only for auto-filling the password field in login pages.)
The session cookies are usually generated randomly and don't have any relation to your login or password – only Netflix itself can link it to your account.
To see them, right-click the page, select "View Page Info", and under "Security" click "View Cookies".
There's nothing wrong with Netflix. Just like almost all websites that you can log on, it stores a cookie on your PC which among other things, stores an encrypted data representing your password.
Haven't you seen the same behavior on Google, Facebook, Yahoo, Windows Live and whatever account you may think of?
Some web services may use cookies that are valid only for a short period of time or only in the current session (for example Yahoo and Facebook unless you select a Remember me on this computer option). But apparently Netflix uses cookies that are valid for a longer period of time which keeps you logged on unless you delete your browser history - especially cookies.
Now, you may be asking what's the use of password store in the browser. That's very simple. If you log out from Netflix (or whatever else) the cookie gets deleted. If you want to log back in you'll have to enter both the account username and the password. If you have saved your password in the browser, it will autocomplete that field when you type the username.
Did you check your cookies? Your password, or an encrypted copy of your password, might be there.
