Flag duplicate/reused passwords in Password Manager UI
Categories
(Firefox :: about:logins, enhancement, P3)
People
(Reporter: tanvi, Unassigned)
References
(Depends on 1 open bug, Blocks 2 open bugs)
Details
(Whiteboard: [fxcm-productive-ux])
User Story
• Discuss definition of re-use
• Implement design spec for Reused Passwords Banner Notification
• Learn more link to SUMO page
• Update sidebar icon (and tooltip)
Invision spec: https://mozilla.invisionapp.com/share/BEU7ZBJ486Y
Attachments
(3 files)
Password reuse is a big problem on the web and causes numerous account compromises. Users use the same password for the survey site they used one time and their bank account. If an attacker can compromise one, they can compromise the other. If a user has saved the same password on multiple sites, perhaps we can somehow flag this in the Password Manager interface. Particularly if the same password is being used on an HTTP page and an HTTPS page. Since the former can be read in cleartext, it exposes the latter to compromise.
Comment 1•9 years ago
Don't get too naggy about it though. I have 30-ish legitimate instances of my mozilla LDAP password. Even "same eTLD+1" heuristics will get the recommendation wrong because there's a mix of mozilla.ORG and .COM sites, as well as the completely different mozilla.okta.com and mozilla.service-now.com
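A sketch of the check discussed in the description and comment 1, as an added example that is not Firefox code or part of the original thread: it groups saved logins by password, flags a password saved on both HTTP and HTTPS origins, and shows that a site-based heuristic still flags the single-sign-on case. The login object shape, function names and sample data are assumptions, and the two-label site split stands in for a real eTLD+1 lookup against the Public Suffix List.

```javascript
// Constructed sample data (hypothetical shape, not Firefox's nsILoginInfo).
const SAMPLE_LOGINS = [
  { origin: "https://bank.example", username: "alice", password: "hunter2" },
  { origin: "http://survey.example", username: "alice", password: "hunter2" },
  { origin: "https://mozilla.org", username: "a", password: "ldap-pw" },
  { origin: "https://mozilla.com", username: "a", password: "ldap-pw" },
  { origin: "https://mozilla.okta.com", username: "a", password: "ldap-pw" },
  { origin: "https://mozilla.service-now.com", username: "a", password: "ldap-pw" },
  { origin: "https://unique.example", username: "alice", password: "only-here" },
];

// Simplification: last two host labels. A real eTLD+1 needs the Public Suffix List.
function naiveSite(origin) {
  return new URL(origin).hostname.split(".").slice(-2).join(".");
}

// Returns one finding per password saved on two or more origins.
// Findings carry origins only; the password itself never leaves this function.
function findReusedPasswords(logins) {
  const byPassword = new Map();
  for (const login of logins) {
    if (!byPassword.has(login.password)) byPassword.set(login.password, []);
    byPassword.get(login.password).push(login);
  }
  const findings = [];
  for (const group of byPassword.values()) {
    const origins = [...new Set(group.map((l) => l.origin))].sort();
    if (origins.length < 2) continue; // saved once: not reuse
    const sites = [...new Set(origins.map(naiveSite))].sort();
    const insecureOrigins = origins.filter(
      (o) => new URL(o).protocol === "http:"
    );
    findings.push({
      origins,
      sites,
      // True for the SSO group too: the false positive raised in comment 1.
      crossSite: sites.length > 1,
      insecureOrigins,
      // A cleartext copy exposes the HTTPS logins sharing the password.
      exposedByHttp:
        insecureOrigins.length > 0 && insecureOrigins.length < origins.length,
    });
  }
  return findings;
}
```

The second finding in the sample is the legitimate shared-credential case, which is why the user story lists "Discuss definition of re-use" before any UI work.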
Comment 3•5 years ago
For reference, what Safari does in Preferences › Passwords.
Comment 4•4 years ago
Mass removing [skyline] and [passwords:management] from about:logins bugs which are no longer useful.
Updated•4 years ago
I love the design specs in invisionapp! It looks really cool! I'd love to take on this issue. Would there be anyone open to mentoring this bug (it's totally fine if there isn't--just curious)?
Comment 9•2 years ago
:gliu20 I'd be happy to help with mentoring and there are some other ideas that we need to implement to make that UI much better. The Invision link is a bit old now, there are a few elements that will be different.
Comment 10•2 years ago
Hey, sorry for the delay! I've been looking through the source code and trying to understand how the password manager works internally, and what might need to change. I think I'll start out with an initial prototype / MVP first which might take a while.