Closed
Bug 1078534
Opened 10 years ago
Closed 3 years ago
Add ability to generate passwords
Categories
(Firefox for Android Graveyard :: Logins, Passwords and Form Fill, enhancement)
Firefox for Android Graveyard
Logins, Passwords and Form Fill
All
Android
Tracking
(Not tracked)
RESOLVED
INCOMPLETE
People
(Reporter: mfinkle, Unassigned)
References
Details
When entering a new password,we should support a way for Firefox to create a suitable password for the given site. Sites can have length and character limitations, so we should support ways to conform correctly. If possible, we should look at the <input> to see if length and character validation hints can help auto-set some configurations. Questions: 1. Do we need crypto support? If so, what? 2. Should we limit support to password type fields? Some websites might be using password/text fields to support show/hide functionality. 3. Should this system support copy to clipboard too?
Updated•10 years ago
|
OS: Linux → Android
Hardware: x86_64 → All
Updated•10 years ago
|
Severity: normal → enhancement
Comment 1•10 years ago
|
||
Related? https://github.com/mozilla/fxa-content-server/issues/1732 Useful for Firefox Accounts, but not for generating a password for other sites (as users may use the tool to generate the same password everywhere. I'm investigating a browser-integration of a tool like: http://oneshallpass.com/
Reporter | ||
Comment 2•10 years ago
|
||
(In reply to Ryan Feeley from comment #1) > I'm investigating a browser-integration of a tool like: > http://oneshallpass.com/ Yeah. I have some code started to handle making a password, but I am curious as to what role the crypto plays. Does a password for Twitter benefit from MD5 or HMAC-MD5? I'm sure there are good reasons, I just want to clearly understand them :)
Comment 3•10 years ago
|
||
Likely it would look more like: http://www.supergenpass.com/mobile/
Comment 4•10 years ago
|
||
(In reply to Mark Finkle (:mfinkle) from comment #2) > Yeah. I have some code started to handle making a password, but I am curious > as to what role the crypto plays. Does a password for Twitter benefit from > MD5 or HMAC-MD5? I'm sure there are good reasons, I just want to clearly > understand them :) For simple password generation, all you need is the ability to generate random bits, and a function to map them into something user readable. The former is effectively a solved problem. The latter is mostly about heuristics and UI. For example, a hexadecimal representation of bits is perfectly fine, except it's not very dense (in terms of bits per character), and you still have to deal with requirements like "must include punctuation" that you can't automatically detect.
Reporter | ||
Updated•10 years ago
|
Component: General → Logins, Passwords and Form Fill
Reporter | ||
Updated•10 years ago
|
Blocks: mobile-passwords
Comment 5•10 years ago
|
||
Is this a dupe of https://bugzilla.mozilla.org/show_bug.cgi?id=376674?
Reporter | ||
Comment 6•10 years ago
|
||
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #5) > Is this a dupe of https://bugzilla.mozilla.org/show_bug.cgi?id=376674? Let's not dupe. This bug is for Fennec. That bug is for Desktop.
Comment 7•9 years ago
|
||
This feature appears to be a simple big win, but may not be. 1) If we generate a password for the user, we better make sure we don't screw up remembering it and the associated username. Otherwise, we locked the user out of her account. This means password capture needs to be really good before we push this too hard, and we probably need a manually recovery mechanism for the times we don't capture correctly. 2) It's not clear to me that typical users want this. It's ironic and saddening, because being able to use unique, randomly generated passwords everywhere is the supposed holy grail endgame of passwords managers. As flawed as the strategy is, people use all sorts of personal and private information in their passwords, which makes them take on a life of their own. Rejecting someone's hand-crafted, personal (yet maybe flawed) password in favor of some dehumanizing gibberish spit out by a machine has the potential to piss people off. As an anecdote, I was joking with my (not un-technical) neighbor about how with Google's acquisition of Nest, you'd start getting sweater ads when it's too cold in your house. He laughed, and the followed up with: "I was using Safari, and it wanted me to use *its* password for a site I was signing up for. Are my passwords not even my own anymore?" Heh. "Users".
Reporter | ||
Comment 8•9 years ago
|
||
I think we should wait until we have better UX for humans making, saving and filling their own passwords before we auto-generate passwords for them. Once we get past Password Manager feeling like a magical, closed box, we can start suggesting people use better passwords. And that's how I think this feature should start: suggesting better passwords than the ones people type. That way it's still "their" password, Firefox just suggested they use a password that doesn't suck. User: types "password" into a password field Firefox: displays a suggestion "I think you can do better than that"
Comment 9•9 years ago
|
||
Mark, I think I we're on the same page here. You've hit on another hard problem: password strength. I only know of three classes of passwords: "good", "not terrible", and "terrible". Here are some examples: Good: @7]FzqFD$NU!Z"+.'ykL Not terrible: goodstuff1! Terrible: password Classifying terrible passwords is not too hard. Getting those people to use at least "not terrible" passwords would be a win, but I'm not confident we can. Many of the world's passwords are probably in the "not terrible" category, and it's less clear what to do there.
Updated•9 years ago
|
Blocks: password-android-v2
Comment 10•9 years ago
|
||
+1 I really like the feature, however would we hijack/overwrite the website's own password generator if they already have one?
Comment 11•6 years ago
|
||
We actually ought to offer a password generator on all platforms, not just Android. Desktop in particular would benefit. Yes, there are password managers that can do it, but the experience is not seamless, and we need creating good passwords to be seamless to ensure that people actually *do* it.
Comment 12•4 years ago
|
||
Comment 13•3 years ago
|
||
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Updated•3 years ago
|
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in
before you can comment on or make changes to this bug.
Description
•