Open Bug 1118400 Opened 6 years ago Updated 2 years ago
[Tracking] Password Manager Security
Master tracking bug for all Password Manager security issues. Adding some existing bugs here. Will file more and do a clean up of the below (to resolve duplicates) 759860, 534541 - Don't autofill username and password 748193 - Add a warning for insecure password fields 653132, 443345 - Secure Filling
Bug 360493 - check the form action's hostname hasn't changed from the time you saved the password. This was an issue with sites that reflected user generated content and allowed their users to inject <form> element. This was fixed, adding it as a dependent here for completeness.
Component: Security → Password Manager
Product: Core → Toolkit
Bug 1118511 - Don't autofill username and password Bug 748193 - Add a warning for insecure password fields (in general) Bug 1118558 - Add a warning for insecure password fields in the saved logins UI Bug 1118540 - Secure Filling Bug 1118549 - Encrypting passwords stored by the Password Manager Bug 1118553 - Flag duplicate passwords in Password Manager UI Bug 360493 - Use the hostname of form action as part of the key when saving passwords (already done)
Summary: Password Manager Security → [Tracking] Password Manager Security
I'm appending this to our Password Manager 2015 tracking bug, to give people working on that visibility into what sort of security improvements we're thinking about.
You need to log in before you can comment on or make changes to this bug.