1119507 - [meta] Revisit how the password manager captures and fills login credentials during password reset flows

Status: RESOLVED WORKSFORME

(Toolkit :: Password Manager, task)

Description

[Chris Karlof [:ckarlof]]

When a user resets her password, it's often because she forgot it. If we don't work properly to help her remember her new password, it can be a big disappointment. 

Password reset flows are unique. First, it usually involves some separate verification step (e.g., challenge questions, email verification). Then the user often chooses her new password on a page where we doesn't re-enter her username.

Some of the challenges:

* We likely need to associate the new password with a username, so we need some alternate mechanism for the user to provide it, or we need to guess it.
* Sometimes when a "lone password" field appears, the user will want us to fill it (i.e., she is not in a password reset flow, but some re-authentication step), so we need some way to distinguish these two cases (login vs. reset), or at the very least, don't screw things up too badly.

Comment 1

[Alexander Jones]

Related to 1164798: 

The password manager should probably not fill out password fields in the absence of a username field of some sort. 

In particular if the password has a username associated with it for a website, and no field is present to place that username in on a page requesting a password, the first password field should not be autofilled.

In a case where your password is required to change your password, this makes anyone with physical access to that machine able to change the password for a user, save the change, and then log in from a different machine without the knowledge of the user who has saved their password in firefox.

Comment 2

[Chris Karlof [:ckarlof]]

> The password manager should probably not fill out password fields in the absence of a username field of some sort. 


FWIW, the fact that it does fill out lone password fields lets us work at all on two stage logins such as BofA, Vanguard, and other financial sites.

Comment 3

[Alexander Jones]

I'm sure the answer's not as simple as only having the password manager auto-complete when a single password input is detected on the page, but I'm going to state it just in-case it is.

Would it be possible to honor autocomplete='off' when there are multiple inputs with a password type on the page?

Comment 4

[BugBot [:suhaib / :marco/ :calixte]]

The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:sfoster, maybe it's time to close this bug?

Comment 5

[Sam Foster [:sfoster] (he/him)]

(In reply to Release mgmt bot [:sylvestre / :calixte / :marco for bugbug] from comment #4)

The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:sfoster, maybe it's time to close this bug?

We covered some of this in bug 1576490, and earlier in bug 1119063. There is no current plan to do more here but the task remains valid. I think we should keep it open at least until we have new product input and a roadmap for the component.

Comment 6

[BugBot [:suhaib / :marco/ :calixte]]

The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:sfoster, maybe it's time to close this bug?

Comment 7

[Sam Foster [:sfoster] (he/him)]

I think comment 5 still applies here.

Comment 8

[BugBot [:suhaib / :marco/ :calixte]]

The meta keyword is there, the bug doesn't depend on other bugs and there is no activity for 12 months.
:serg, maybe it's time to close this bug?

Comment 9

[Sergey Galich [:serg]]

Nothing actionable here at the moment.