Master password prompt for sync should be distinct from the classic prompt




Password Manager
4 years ago
4 years ago


(Reporter: fl0, Unassigned)


34 Branch
Windows 7

Firefox Tracking Flags

(Not tracked)




4 years ago
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:34.0) Gecko/20100101 Firefox/34.0
Build ID: 20141020184313

Steps to reproduce:

I'm using FF 34 beta and it seems that each time FF is booted and wants to sync, I have to type in my master password. This is great and I suppose it means my sync credentials are encrypted in some way :)
However, this prompt is completely identical to the classic one and, moreover, when you go to manage your passwords you see that your credentials have not been used (i.e. the 'last use' of the FF account credentials doesn't follow the sync request).

Expected results:

So if the classic system is used to retrieve the sync credentials, it should be checked why the date displayed in last use doesn't match the last use for sync.
If another system is used, the pop-up should specify that it's about sync in order for the user to be able to understand this prompt and keep logic with the last use function of the password manager.


4 years ago
Component: Untriaged → Sync

Comment 1

4 years ago
After a little bit of testing, it appears that after typing your master password into the sync prompt, the list of credentials stored in the password manager is accessible, meaning that this prompt is well linked to the password manager.
So I think the problem clearly comes from a bug in the way the password manager records the usage of the password in this specific scenario.

Comment 2

4 years ago
Richard, I have a hunch you might know more about what's up here. Can you nudge this bug in the right direction? Thanks!
Flags: needinfo?(rnewman)

Sync does indeed unlock your MP, and does so to retrieve credentials from pwmgr.

Both Sync 1.1 and 1.5 use Services.logins.findLogins to retrieve credentials. (See services/sync/modules/identity.js, services/fxaccounts/FxAccounts.jsm.)

Sounds like password manager doesn't have only one call path...
Component: Sync → Password Manager
Flags: needinfo?(rnewman)
Product: Firefox → Toolkit
Hardware: x86_64 → All

It's generally agreed among UX/Engineering/Product that we don't want to further develop the existing master password functionality, as it's a poor fit for current needs and our current direction in this area.
Last Resolved: 4 years ago
Resolution: --- → WONTFIX

Comment 5

4 years ago
Thank you for your answer, but are there any official guidelines leading to this policy?
As this subject is sometimes brought up here and is generally answered like this.

What are the current needs according to UX/Engineering/Product?

I mean, it's clearly good that Persona, for example, can solve the need for storing passwords, but it's not like it's widely adopted.
You cannot deny that there is a need for a high-security password manager, as there are companies with this as their only product?

Why not put some effort into keeping an already existing system up to date and offering every one of your users a high level of security?

Maybe this functionality could be replaced by sync (as it seems "in your current direction") encrypting the whole profile's important data on the local storage, and so offer an even higher level of security to your users?