Closed
Bug 100979
Opened 23 years ago
Closed 19 years ago
Reword Master Password Prompt
Categories
(Core Graveyard :: Security: UI, defect, P3)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 306730
People
(Reporter: tpringle, Unassigned)
References
Details
(Whiteboard: [kerh-coa])
Attachments
(1 file)
23.23 KB, patch | KaiE: review-
Need to reword the Master Password Prompt, the existing text: "Please enter the master password for the software security device" is confusing. Our typical end user has no idea what the software security device is and has a hard time understanding that this means the master password they have set. Recommend that we change the wording to something more straightforward such as: "Please enter your Master Password." Ccing UE and docs for input.
Reporter
Comment 1•23 years ago
Ccing Bob Lord.
As you can probably guess, we've discussed this issue before. :-) Each token, including the built-in token, has its own "master password", which makes the idea of a *master* password a misnomer. Adding a few more people who remember this particular can-o-worms.
Priority: -- → P3
Target Milestone: --- → Future
Comment 3•23 years ago
"software security device" becomes "iButton security device" or "MySmartCard security device" or whatever, depending on which token's "master password" is being requested. One option for this that we discussed earlier this year is "hard disk security device" (when the relevant token is the internal, default one) to emphasize that the device involved is the one that stores its info on your hard disk. Some day, as I recall, even the master key--which is what the master password for the internal token unlocks for use by Password Manager and Form Manager--could possibly live on an external device. If this weren't the case--that is, if we could be sure that the master key always lives internally and not on some external token--then one option might be to differentiate the master password used for the Password & Form Manager from some other named "master cert password" that protects the certs on a token, whether internal or external. But that would probably involve a lot of work, and I'm not sure it would improve the user experience. Does anybody have any other ideas for this? I think it could really use a completely fresh approach, ideally from a professional UI designer (German, are you ready to dig into this quicksand?) "Please enter your master password" comes up in all kinds of situations and it's almost always confusing why.
why not 'default' or 'basic' or 'browser'? in nc4, i have
* Netscape Internal PKCS #11 Module
  * Communicator Generic Crypto Svcs
  * Communicator Certificate DB

^ each of these makes a bit of sense (esp the second level entries) -- certainly more than 'hard drive' -- which could be wrong if it's an NFS mount point or something else similarly whacky. what does the default device protect?
Reporter
Comment 5•23 years ago
Those are all good suggestions - i.e. "Please enter your browser Master Password". I understand that there are different master passwords for these different devices, however I think we need to maximize for the 80% (in this case probably more like 95%) case. Most of our users will only see this dialog in the context of the master password for password/forms manager.
Comment 6•22 years ago
suggestion from an end-user: I would like to see something like "Please enter your Mozilla master password". I really didn't need to know about the Software Security Device when I was trying to check my mail yesterday. As odd as this may sound, it would have been helpful to know that this was a Mozilla prompt. I get a lot of weird Windows prompts - sometimes when I'm running Mozilla - and cryptic messages about master passwords aren't helpful. A "Help" button would also have been very useful on this dialog. This was the first time I've seen this prompt, and I didn't remember ever having set a master password. A short explanation would have saved a lot of frustration yesterday.
Comment 7•22 years ago
What about something like that: "Mozilla Password Manager: Please enter your Master Password" This can easily be understood by every user and doesn't conflict with other "Master Passwords" or "Security Devices".
Comment 8•21 years ago
Especially when I have many browser windows open, I get unexpected prompts for the master password. Approaches to fix:
1) one reason may be that it simply timed out and another timeout semantic would reduce the incidence of this (see http://bugzilla.mozilla.org/show_bug.cgi?id=155739)
2) another reason may be that a javascript timer in another browser window all of a sudden woke up and for example re-prompts for a login after a session time-out (e.g. in e-banking). Then, the master password prompt appears even though my currently used browser window provides no justification for this:
==> Suggestion: Mention WHY the master password is needed BY WHOM!!
i) For the "password manager" in browser window with <title>...</title>
ii) For "mailNews" to sign/decrypt a message.
iii) for the "form manager" to populate a form (although I am not sure whether I really saw that occurring without user intervention - perhaps this is a disease in the MSIE - Gator world with its annoying pop-up ads that are seeking my address/demographics...)
...
A further issue to consider when doing this is also distinguishability as per http://bugzilla.mozilla.org/show_bug.cgi?id=101611
Updated•21 years ago
QA Contact: junruh → bmartin
Comment 9•21 years ago
I agree it would be nice, if the master password prompt would explain why the master password is needed. I worked on this in some spare time a while ago. The patch works, but is not yet ready for checkin. The wordings should be discussed first.
Comment 10•21 years ago
Comment 11•21 years ago
Comment on attachment 119996 Patch v1
In particular, this patch has all strings hard coded into the sources. They would have to be moved to the string bundle. But I decided to attach this patch anyway, to have it here as a starting point / backup.
Attachment #119996 -
Flags: review-
Comment 12•21 years ago
This actually is a security vulnerability. I accessed a site that had a pop-up password entry field worded almost exactly like the text "Please enter the master password for the software security device". I wasn't sure if I was logging into Mozilla's password manager, or giving my password to the outside web page! It would be great if either:
1) The master password login prompt was unique and not possibly mimicked by a web page or...
2) Each pop-up login window indicated (in a non-spoofable way) what the source of the password request was.
Of course, I could always stop being lazy, and use a Mozilla master password that I never use anywhere else....
Comment 13•21 years ago
My previous comments about the security vulnerability are already being addressed in Bug 101611. Sorry.
Comment 14•21 years ago
For what it's worth, stability enhanced Linux, Mac OSX and Windows builds based on Mozilla 1.3.1, that also contain the patch from this bug, are available at http://wamcom.org Please feel free to play with it and give feedback in this bug.
Comment 16•20 years ago
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Comment 17•20 years ago
*** Bug 268298 has been marked as a duplicate of this bug. ***
Updated•19 years ago
Whiteboard: [kerh-coa]
Comment 18•19 years ago
While this is the older bug, I decided to make it the DUPE since most of the recent discussion is going on in the newer bug. :) *** This bug has been marked as a duplicate of 306730 ***
Status: NEW → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
Assignee
Updated•8 years ago
Product: Core → Core Graveyard