Closed Bug 137197 Opened 22 years ago Closed 14 years ago

Reset Master Password doesn't clear the saved passwords (for mail, web, etc.)

Categories

(Core Graveyard :: Security: UI, defect)

defect
Not set
major

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 398886
Future

People

(Reporter: esther, Unassigned)

References

Details

(Keywords: regression, Whiteboard: [kerh-ehz])

Reset Master Password doesn't clear the saved passwords for mail. The steps
below are how this was found; not sure if it has to be in this sequence or if all
the steps are needed.  It may fail with just 1 & 5.

1. Launch app
2. Log into mail and save password, exit app
3. Launch app, log into mail and encrypt password. exit app
4. launch app, log into mail, give master password and then select obscure
password in Tools|Password Manager|Obscure Password. exit app
5. launch app, reset master password and log into mail. Or exit, relaunch and log
into mail; makes no difference.

Result: no password needed, 
Expected:  should have asked for password since I reset Master password which
states "If you reset your master password, you will permanently erase all the
web passwords, email passwords, and form data saved on your behalf by Password
Manager and Form Manager."
Note using branch build 20040412 on winxp and 20020411 on linux. 
OS: Linux → All
nsbeta1
Keywords: nsbeta1
This is a regression.
Keywords: regression
My guess is that the message is correct in that all passwords "saved on your 
behalf by PASSWORD MANAGER" have been forgotten.  But probably there is some 
local caching of mail password done by mailnews and that one is not being 
forgotten.

In that case it's a mail/news issue.
Assignee: morse → racham
Component: Password Manager → Account Manager
Product: Browser → MailNews
QA Contact: tpreston → nbaca
Any passwords are saved. 
1.) Visit https://pki.mcom.com/testplans/sdr.html
2.) Enter passwords and submit.
3.) Reset master password.
4.) Manage stored passwords.
Notice that the stored passwords are still there.
In that case it is a password-manager problem.  Reassigning back to myself.

Could you please post a detailed step-by-step procedure starting from a fresh 
profile for reproducing this problem using the sdr.html site.  Thanks.
Assignee: racham → morse
Component: Account Manager → Password Manager
Product: MailNews → Browser
QA Contact: nbaca → tpreston
1.) Visit https://pki.mcom.com/testplans/sdr.html
2.) Enter username and password in the upper 2 boxes and submit. Say yes to save 
your info.
3.) Edit>Prefs>Privacy>Master Passwords>Reset master password.
4.) Edit>Prefs>Privacy>Passwords>Manage stored passwords.
Notice that the stored passwords are still there, though there should be no 
stored passwords.
Oh, so you are not encrypting your passwords.  In that case there is no need 
for mozilla to throw away all the collected password-manager and form-manager 
data, so it is not thrown away.  It never was thrown away in that circumstance, 
so this could not possibly be a regression (removing regression keyword).

The only purpose of the clear-master-password command is for the user who has 
forgotten his master password.  If his data is encrypted, he can never get to it 
again, and we must throw it away.  But if it is only obscured, we don't have to 
be so harsh on him -- his data is still available even though his master 
password is forgotten.

So the only problem that I see here is the wording on the dialog which currently 
says:

   If you reset your master password, you will permanently erase all the
   web passwords, email passwords, and form data saved on your behalf by
   Password Manager and Form Manager.

The correction is to add the word "encrypted" so that it reads as follows:

   If you reset your master password, you will permanently erase all the
   encrypted web passwords, email passwords, and form data saved on your
   behalf by Password Manager and Form Manager.

Or, better yet, if the data is not encrypted we shouldn't even display the above 
dialog.
Keywords: regression
Based on my comment above, I would not consider this to be nsbeta1
Target Milestone: --- → mozilla1.1alpha
Removing nsbeta1 keyword. Assigning to cotter for wording change based on 
comment #8.
Assignee: morse → cotter
Keywords: nsbeta1
The text quoted by Steve in comment #8 appears in a couple of places in the
related help text. This is easy to fix, and I will do so.

The text in the dialog itself should probably also be changed. This involves
changing the word "stored" to "encrypted" in two places:

In the Master Passwords panel under Reset Password--new text should read:
  If you reset your master password, all your encrypted Web and email passwords
. . .

In the Reset Master Password dialog--new text shoud read:

If you reset your master password, all your encrypted Web and email passwords . . .

Note the additional change to uppercase "Web" in the former--I think there's a
bug about this somewhere, might as well fix it too.

Steve, can you create patches for these dialog changes, at your convenience? I
can steer them through approval, post-beta.
So basically we have taken a feature away from the 6.2.2 users: "Clear Sensitive 
Information", which cleared all saved passwords, obscure or encrypted, using a menu 
item click.  It is now replaced with "Reset Master Password", which clears 
not only the master password but the Certificate for signing and encrypting 
mail (as well as others).  How will the 6.2.2 user know they have to go to the 
Password Manager to remove the saved mail passwords? Is there a current spec for 
this new UI?  I could see a 6.2.2 user using Reset Master Password in place of 
Clear Sensitive Information and losing their certificates as I did.

I had a certificate for signing and encrypting mail messages.
I logged into a mail account, saved password and then selected to encrypt the 
password, I am asked for my Master Password.  I didn't remember giving a Master 
Password but since I had just added my cert I suspect it wants the password I 
gave while importing it.  I give that password and I now have my mail passwords 
covered under the same password I have for my Cert.  I decided I didn't want my 
mail passwords encrypted or saved, I selected Reset Master Password and I lost 
my Cert and had to import it again. 
Note: With 6.2.2 Clear Sensitive Information did not remove my Cert.
cc'ing jglick 
> So basically we have taken a feature away from the 6.2.2 users

We haven't taken anything away.  This feature hasn't changed.  This is the way 
it always worked.

> With 6.2.2 Clear Sensitive Information did not remove my Cert.

Are you sure about that?
In 6.2.2 (and earlier) Clear Sensitive Information would clear out all email
saved passwords from the password manager even if they were only saved as
obscure.  It did not remove the Certificate.  When user exited app and
relaunched the app, they would then be asked for a password for each email
account before logging in.

The feature we're taking away is the "Clear Sensitive Information" menu item.
OK, I apologize, you are right.  The change came about in bug 102709 comment 19.
Thanks for pointing me to the bug, I've added this comment to that bug. 
Unfortunately renaming the menu item "Clear Sensitive Information" to "Reset
Master Password" does more than a name change.  The functionality is very
different and can confuse the user who has used "Clear Sensitive Information". 
An example:

1.) I am a user who saved passwords for some of my mail accounts and have used
Clear Sensitive Information to remove those saved passwords from the Password
Manager.
2.) I have now added a cert to allow me to sign and encrypt mail messages
3.) I have gone to my mail account settings and assigned that cert to a mail
account and have successfully signed and encrypted mail messages.
4.) I have some saved mail passwords and decided to Clear Sensitive Information
so I can reset the mail passwords I want to be saved (this is how I did it in
6.2.2), so I use Reset Master Password which sounds the same and is in the same
location as Clear Sensitive Information.

Result:  Sending fails because the cert has been removed.  I get a message
"Unable to sign message.  Please check that the certificates specified in Mail &
Newsgroups Accounts Settings for this mail account are valid and trusted."
Because of the remembered behavior of 6.2.2 when using Clear Sensitive
Information, I have no idea that my cert is now gone and my mail passwords are
still saved.  

To Send messages, the user must now figure out they deleted their cert and
import it again AND/OR uncheck the mail accounts settings for Security even
though it still shows the cert name in the list box.  They must also figure out
that they now need to go to the Password manager to remove the mail servers from
the Saved Passwords list.  
For backward compatibility and to avoid user confusion: Why can't we keep "Clear
Sensitive Information"  working the same way but maybe word it differently so
the user knows it only removes the saved obscure passwords and add "Reset Master
Password" for those who have encrypted their passwords stating it will remove
the saved passwords as well as the master password and certs. 
Component: Password Manager → S/MIME
Product: Browser → PSM
Target Milestone: mozilla1.1alpha → ---
Version: other → 1.01
I agree it will potentially be very confusing and frustrating for users who click 
"Reset Master Password" and later discover that Signing and/or Encryption in 
Mail don't work. They probably won't realize "Reset Master Password" removed 
their certificates and think something is broken. 
See also Bug 136781.  Clearing master passwords and/or deleting the certificates 
currently used to configure the smime settings needs to trigger a cleansing of 
the user prefs.

At this point, the only work around is to go into the prefs.js file and blank 
out the configured certs and set the signing policy to false and the encryption 
policy to 0.  Not a very good workaround...

Looks like there needs to be tighter integration among mail, psm, and password 
mgmt, particularly when secure mail is configured.

Also added the regression keyword, as we have inadvertently replaced prior 
functionality with something 'else'.  Ideally resetting the master password 
would allow the option to wipe the slate clean, which used to be the 
case with the 'Clear Sensitive Information' operation. 

Bug 102709 comment 19:
>> When the passwords are obscured, you're not proposing to reset the master
>> password, but if the passwords are encrypted, you're proposing to reset the
>> master password in addition to deleting the store passwords? The same click
>> would have vastly different effects.  A delete all button should just have
>> that functionality.
>
>I'm a little confused as to whether you are describing the way you think it 
>should be or that way it currently is.  So let me tell you what we currently 
>have and why.
>
>The setting of the encrypt/obscure toggle has no effect on the delete-all.  In 
>either case, all stored form-manager and password-manager information is deleted 
>and the master password is reset.  Due to an oversight, the resetting of the 
>master password was not being done.  Furthermore, the encrypt/obscure state was 
>set to obscure.  This bug report asked that the toggle not be changed.  The 
>patch maintains the original state of the toggle and also adds the resetting of 
>the master password which was accidentally left out of the original 
>implementation (although by design it was supposed to be there).
>
>The reason for this behavior goes back to the reason that this menu item was 
>added in the first place.  It was put in because marketing asked that a user 
>who forgot his master password has to have some way to recover.

Nominate nsbeta1 (as this really needs to be fixed by RTM), upped priority as 
well - users will hit this setting up their smime accounts.
Keywords: regression
Priority: -- → P1
Version: 1.01 → 2.3
Depends on: 136781
John, which group owns this bug?
Component: S/MIME → Client Library
The help text changes described in Comment #11 have been implemented. It's not
clear to me what else needs to be done to fix this bug.

Note that the Master Passwords prefs panel, the Reset Master Password dialog, and
context-sensitive help all warn that resetting the master password will result
in losing access to your certs.

Reassigning to morse but not really sure who this belongs to now.
Assignee: cotter → morse
Target Milestone: --- → Future
Summary:

- we removed the "clear sensitive data" feature
- we did so, because we made the incorrect assumption, that "reset master
password" would do the same
- but in fact, if web/mail passwords are only obscured, not encrypted, resetting
the master password will not forget the stored passwords
- we confuse the user, because when a user resets the master password, we say
that remembered other passwords will be cleared

I suggest:
- re-add the "clear sensitive data" feature
- make the "reset master password" behaviour smarter. Make it detect whether web
passwords encrypted or obscured. If they are obscured, do not mention them in
the warning.
Priority: P1 → --
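As an added illustration of the mismatch discussed in this thread (not Mozilla code; the Entry/Store model, function names and sample hosts are assumptions), the following models a password store holding obscured and encrypted entries, the reset behaviour the bug describes (only encrypted entries go), the fuller reset the thread argues for, and a warning computed from the store's actual state as suggested above:

```python
from dataclasses import dataclass, field

@dataclass
class Entry:
    host: str
    secret: bytes    # ciphertext if encrypted, reversible encoding if obscured
    encrypted: bool  # True: unreadable without the master password

@dataclass
class Store:
    entries: list = field(default_factory=list)
    master_set: bool = True

def sample_store():
    # Constructed sample data: two obscured mail/web passwords, one encrypted.
    return Store([
        Entry("mail.example.test", b"obscured-bytes", False),
        Entry("web.example.test", b"obscured-bytes", False),
        Entry("bank.example.test", b"ciphertext", True),
    ])

def reset_master_password_legacy(store):
    """Behaviour described in the bug: the master password is forgotten along
    with the entries that depend on it; obscured entries survive."""
    store.entries = [e for e in store.entries if not e.encrypted]
    store.master_set = False
    return store

def reset_master_password_fixed(store):
    """Behaviour the thread converges on: every stored password is discarded,
    so the reset really does wipe the slate clean."""
    store.entries = []
    store.master_set = False
    return store

def recoverable_hosts(store):
    """Hosts whose secret is readable without the master password, i.e. what
    the legacy reset leaves behind while the dialog claims they are erased."""
    return sorted(e.host for e in store.entries if not e.encrypted)

def reset_warning(store):
    """Warning text derived from the store's real state: mention only what a
    legacy reset would actually erase, and say what it leaves untouched."""
    enc = sum(1 for e in store.entries if e.encrypted)
    obs = len(store.entries) - enc
    if enc == 0:
        return None  # nothing depends on the master password: no dialog needed
    msg = f"Resetting will permanently erase {enc} encrypted saved password(s)."
    if obs:
        msg += f" {obs} obscured password(s) do not depend on it and will remain."
    return msg
```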
It seems to me that all the functionality is there, but more cumbersome.  If you
want to do what the old "clear sensitive information did", you need to go to the
password manager dialog and do "remove all", then to the form manager dialog and
"remove all".

The issue now is to make those removals easier than having to go to the two
dialogs.  Perhaps a single menu item called "clear sensitive data".  Perhaps a
top-level item on the pref panel for form-manager and password-manager just like
"reset master password" is now a top-level pref-panel item for master password.

So it's a UE issue as to which we do.  Reassigning.
Assignee: morse → marlon
Product: PSM → Core
Was able to reproduce this bug.

Mac OS X 10.4.1
Whiteboard: [kerh-ehz]
QA Contact: tpreston → ui
This will be fixed when TB/SM switches to the new login manager.
Depends on: 239131
Version: psm2.3 → 1.0 Branch
Assignee: marlon.bishop → dolske
Version: 1.0 Branch → Trunk
Assignee: dolske → kaie
Depends on: 398886
Bug 239131 has been marked fixed. Comment 26 predicted this bug would be fixed, too. Is it fixed?
On the other hand, I think the "reset master password" user interface feature got removed from Thunderbird (and from Firefox). I don't understand why that happened...

Anyway, this means, in order to test this bug one would have to use SeaMonkey...

I remember someone mentioning a workaround for Firefox, which is to enter the chrome:// url for the reset-password dialog in a browser window. Given the lack of browser windows in Thunderbird, this workaround won't work there...
I think:
* this bug should be assigned to "password management"
* the password should reintroduce the option to reset the master password
* if executed, all stored passwords should be deleted
  (as they can't be decrypted anyway)

However, I'm not sure if "password management" is a core platform feature, or a Firefox feature these days?

Please advise.
Assignee: kaie → nobody
Summary: Reset Master Password doesn't clear the saved passwords for mail → Reset Master Password doesn't clear the saved passwords (for mail, web, etc.)
This was fixed by bug 398886.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard