Closed Bug 1078534 Opened 10 years ago Closed 3 years ago

Add ability to generate passwords

Categories

(Firefox for Android Graveyard :: Logins, Passwords and Form Fill, enhancement)

Product:
Firefox for Android Graveyard
Component:
Logins, Passwords and Form Fill
Platform:
All
Android
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: mfinkle, Unassigned)

References

Details

When entering a new password,we should support a way for Firefox to create a suitable password for the given site. Sites can have length and character limitations, so we should support ways to conform correctly. If possible, we should look at the <input> to see if length and character validation hints can help auto-set some configurations.

Questions:
1. Do we need crypto support? If so, what?
2. Should we limit support to password type fields? Some websites might be using password/text fields to support show/hide functionality.
3. Should this system support copy to clipboard too?
OS: Linux → Android
Hardware: x86_64 → All
Severity: normal → enhancement
Related? https://github.com/mozilla/fxa-content-server/issues/1732

Useful for Firefox Accounts, but not for generating a password for other sites (as users may use the tool to generate the same password everywhere.

I'm investigating a browser-integration of a tool like: http://oneshallpass.com/
(In reply to Ryan Feeley from comment #1)

> I'm investigating a browser-integration of a tool like:
> http://oneshallpass.com/

Yeah. I have some code started to handle making a password, but I am curious as to what role the crypto plays. Does a password for Twitter benefit from MD5 or HMAC-MD5? I'm sure there are good reasons, I just want to clearly understand them :)
Likely it would look more like: http://www.supergenpass.com/mobile/
(In reply to Mark Finkle (:mfinkle) from comment #2)

> Yeah. I have some code started to handle making a password, but I am curious
> as to what role the crypto plays. Does a password for Twitter benefit from
> MD5 or HMAC-MD5? I'm sure there are good reasons, I just want to clearly
> understand them :)

For simple password generation, all you need is the ability to generate random bits, and a function to map them into something user readable. The former is effectively a solved problem. The latter is mostly about heuristics and UI.

For example, a hexadecimal representation of bits is perfectly fine, except it's not very dense (in terms of bits per character), and you still have to deal with requirements like "must include punctuation" that you can't automatically detect.
Component: General → Logins, Passwords and Form Fill
(In reply to [:mmc] Monica Chew (please use needinfo) from comment #5)
> Is this a dupe of https://bugzilla.mozilla.org/show_bug.cgi?id=376674?

Let's not dupe. This bug is for Fennec. That bug is for Desktop.
See Also: → 376674
This feature appears to be a simple big win, but may not be.

1) If we generate a password for the user, we better make sure we don't screw up remembering it and the associated username. Otherwise, we locked the user out of her account. This means password capture needs to be really good before we push this too hard, and we probably need a manually recovery mechanism for the times we don't capture correctly. 

2) It's not clear to me that typical users want this. It's ironic and saddening, because being able to use unique, randomly generated passwords everywhere is the supposed holy grail endgame of passwords managers. As flawed as the strategy is, people use all sorts of personal and private information in their passwords, which makes them take on a life of their own. Rejecting someone's hand-crafted, personal (yet maybe flawed) password in favor of some dehumanizing gibberish spit out by a machine has the potential to piss people off. 

As an anecdote, I was joking with my (not un-technical) neighbor about how with Google's acquisition of Nest, you'd start getting sweater ads when it's too cold in your house. He laughed, and the followed up with: 

"I was using Safari, and it wanted me to use *its* password for a site I was signing up for. Are my passwords not even my own anymore?"

Heh. "Users".
I think we should wait until we have better UX for humans making, saving and filling their own passwords before we auto-generate passwords for them.

Once we get past Password Manager feeling like a magical, closed box, we can start suggesting people use better passwords. And that's how I think this feature should start: suggesting better passwords than the ones people type. That way it's still "their" password, Firefox just suggested they use a password that doesn't suck.

User: types "password" into a password field
Firefox: displays a suggestion "I think you can do better than that"
Mark, I think I we're on the same page here. 

You've hit on another hard problem: password strength. I only know of three classes of passwords: "good", "not terrible", and "terrible".

Here are some examples:

Good: @7]FzqFD$NU!Z"+.'ykL
Not terrible: goodstuff1!
Terrible: password

Classifying terrible passwords is not too hard. Getting those people to use at least "not terrible" passwords would be a win, but I'm not confident we can. Many of the world's passwords are probably in the "not terrible" category, and it's less clear what to do there.
+1 I really like the feature, however would we hijack/overwrite the website's own password generator if they already have one?
We actually ought to offer a password generator on all platforms, not just Android. Desktop in particular would benefit. Yes, there are password managers that can do it, but the experience is not seamless, and we need creating good passwords to be seamless to ensure that people actually *do* it.
We have completed our launch of our new Firefox on Android. The development of the new versions use GitHub for issue tracking. If the bug report still reproduces in a current version of [Firefox on Android nightly](https://play.google.com/store/apps/details?id=org.mozilla.fenix) an issue can be reported at the [Fenix GitHub project](https://github.com/mozilla-mobile/fenix/). If you want to discuss your report please use [Mozilla's chat](https://wiki.mozilla.org/Matrix#Connect_to_Matrix) server https://chat.mozilla.org and join the [#fenix](https://chat.mozilla.org/#/room/#fenix:mozilla.org) channel.
Status: NEW → RESOLVED
Closed: 3 years ago
Resolution: --- → INCOMPLETE
Product: Firefox for Android → Firefox for Android Graveyard
You need to log in before you can comment on or make changes to this bug.