Need to reword the Master Password Prompt, the existing text: "Please enter the master password for the software security device" is confusing. Our typical end user has no idea what the software security device is and has a hard time understanding that this means the master password they have set. Recommend that we change the wording to something more straightforward such as: "Please enter your Master Password." Ccing UE and docs for input.
Ccing Bob Lord.
As you can probably guess, we've discussed this issue before. :-) Each token, including the built-in token, has its own "master password", which makes the idea of a *master* password a misnomer. Adding a few more people who remember this particular can-o-worms.
Priority: -- → P3
Target Milestone: --- → Future
"software security device" becomes "iButton security device" or "MySmartCard security device" or whatever, depending on which token's "master password" is being requested. One option for this that we discussed earlier this year is "hard disk security device" (when the relevant token is the internal, default one) to emphasize that the device involved is the one that stores its info on your hard disk. Some day, as I recall, even the master key--which is what the master password for the internal token unlocks for use by Password Manager and Form Manager--could possibly live on an external device. If this weren't the case--that is, if we could be sure that the master key always lives internally and not on some external token--then one option might be to differentiate the master password used for the Password & Form Manager from some other named "master cert password" that protects the certs on a token, whether internal or external. But that would probably involve a lot of work, and I'm not sure it would improve the user experience. Does anybody have any other ideas for this? I think it could really use a completely fresh approach, ideally from a professional UI designer (German, are you ready to dig into this quicksand?) "Please enter your master password" comes up in all kinds of situations and it's almost always confusing why.
why not 'default' or 'basic' or 'browser'? in nc4, i have * Netscape Internal PKCS #11 Module * Communicator Generic Crypto Svcs * Communicator Certificate DB ^ each of these makes a bit of sense (esp the second level entries) -- certainly more than 'hard drive' -- which could be wrong if it's an NFS mount point or something else similarly whacky. what does the default device protect?
Those are all good suggestions - i.e. "Please enter your browser Master Password". I understand that there are different master passwords for these different devices, however I think we need to maximize for the 80% (in this case probably more like 95%) case. Most of our users will only see this dialog in the context of the master password for password/forms manager.
suggestion from an end-user: I would like to see something like "Please enter your Mozilla master password". I really didn't need to know about the Software Security Device when I was trying to check my mail yesterday. As odd as this may sound, it would have been helpful to know that this was a Mozilla prompt. I get a lot of weird Windows prompts - sometimes when I'm running Mozilla - and cryptic messages about master passwords aren't helpful. A "Help" button would also have been very useful on this dialog. This was the first time I've seen this prompt, and I didn't remember ever having set a master password. A short explanation would have saved a lot of frustration yesterday.
What about something like that: "Mozilla Password Manager: Please enter your Master Password" This can easily be understood by every user and doesn't conflict with other "Master Passwords" or "Security Devices".
I agree it would be nice if the master password prompt would explain why the master password is needed. I worked on this in some spare time a while ago. The patch works, but is not yet ready for checkin. The wordings should be discussed first.
Comment on attachment 119996 (Patch v1): In particular, this patch has all strings hard coded into the sources. They would have to be moved to the string bundle. But I decided to attach this patch anyway, to have it here as a starting point / backup.
Attachment #119996 - Flags: review-
This actually is a security vulnerability. I accessed a site that had a pop-up password entry field worded almost exactly like the text "Please enter the master password for the software security device". I wasn't sure if I was logging into Mozilla's password manager, or giving my password to the outside web page! It would be great if either: 1) The master password login prompt was unique and not possibly mimicked by a web page or... 2) Each pop-up login window indicated (in a non-spoofable way) what the source of the password request was. Of course, I could always stop being lazy, and use a Mozilla master password that I never use anywhere else....
My previous comments about the security vulnerability are already being addressed in Bug 101611. Sorry.
For what it's worth, stability enhanced Linux, Mac OSX and Windows builds based on Mozilla 1.3.1, that also contain the patch from this bug, are available at http://wamcom.org Please feel free to play with it and give feedback in this bug.
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
*** Bug 268298 has been marked as a duplicate of this bug. ***
While this is the older bug, I decided to make it the DUPE since most of the recent discussion is going on in the newer bug. :) *** This bug has been marked as a duplicate of 306730 ***
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Resolution: --- → DUPLICATE
Product: Core → Core Graveyard