1209267 - In the saved passwords column, make all the masked passwords eleven characters long

Status: RESOLVED WONTFIX

(Thunderbird :: Preferences, defect)

Description

[Ryan Feeley [:rfeeley]]

We shouldn't use a small number of characters to represent a password, and using some password strength indicators, it looks like entropy shoots through the roof at 11 characters.

•••••••••••
•••••••••••
•••••••••••
•••••••••••
•••••••••••
•••••••••••
•••••••••••
•••••••••••
•••••••••••

It looks good to my eyes.

Comment 1

[Tony Mechelynck [:tonymec]]

Do you mean, "we should not allow passwords of 10 characters or less, for any host on the Internet"? I'm afraid that would be unrealistic.

Comment 2

[Ryan Feeley [:rfeeley]]

Not at all, it's simply about showing (and implicitly recommending) an archetypical password length. Eight characters (what Apple shows) used to be considered a decent password.

Comment 3

[Tony Mechelynck [:tonymec]]

Ah, OK. Isn't the Firefox Password Manager like SeaMonkey's, where the passwords are not displayed at all by default, unless you click "Show passwords" then answer "Yes" to an are-you-sure dialog?

Comment 4

[Tony Mechelynck [:tonymec]]

(In reply to Tony Mechelynck [:tonymec] from comment #3)
> Ah, OK. Isn't the Firefox Password Manager like SeaMonkey's, where the
> passwords are not displayed at all by default, unless you click "Show
> passwords" then answer "Yes" to an are-you-sure dialog?

I found the answer to that one: The Firefox password manager frontend was changed in bug 1121291.

Comment 6

[Frankie]

Note that this is a trivial (but nonzero) information disclosure to shoulder surfers (after you've already entered your master password once to display the dialog).

Also, did you know that you can Sort By password, even when they're displayed as dots? Length + alphabetization can reveal password re-use.

Comment 7

[Matthew N. [:MattN]]

[Tracking Requested - why for this release]: See comment 6

Comment 8

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Another one in passwords manager for 44.

Comment 9

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Ryan, Matt: I am trying to follow up on 44+ tracked bugs. Is this something that we plan to fix in 44? I am still in the early part of Beta44 cycle and would be happy to take a patch if it is ready in the next 7-10 days. Thanks!

Comment 10

[Ryan Feeley [:rfeeley]]

I'm just the UX designer, so I want everything now, so I may not be the right person to ask.

Comment 11

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

(In reply to Ryan Feeley [:rfeeley] from comment #10)
> I'm just the UX designer, so I want everything now, so I may not be the
> right person to ask.

Thanks Ryan! Who might I ping from the dev team to get someone to look at this bug? Any help is appreciated.

Comment 12

[Tony Mechelynck [:tonymec]]

(In reply to Ritu Kothari (:ritu) from comment #11)
> (In reply to Ryan Feeley [:rfeeley] from comment #10)
> > I'm just the UX designer, so I want everything now, so I may not be the
> > right person to ask.
> 
> Thanks Ryan! Who might I ping from the dev team to get someone to look at
> this bug? Any help is appreciated.

see https://wiki.mozilla.org/Modules then either (your choice) 'Toolkit" to get only that, or "All in one big list" followed by "Toolkit" to get the Toolkit developers within the context of all developers.

Within Toolkit, I'm not sure who specializes in the Password Manager. Maybe the Toolkit "owner" for a policy decision, or else one or other of the "peers" if you have a patch which needs a second pair of eyes before being checked-in. (At Mozilla, at least one person other than the patch author, and knowing the relevant Component, must have passed a patch, any patch, before it can be checked-in.)

You might try clicking "(show other bugs)" next to [Password Manager ▼] in this bug's header. This will give you a list of bugs for this same Product/Component. See who seems to be doing reviews for them, or at least from whom reviews have been requested. If none of them has patches, modify the bug search to search "Resolution=FIXED" bugs instead of open ("Resulution=---") ones, and be sure to set a time limit: 6 months (from -180d to Now) should be ample, maybe even too much.

Comment 13

[Matthew N. [:MattN]]

(In reply to Ritu Kothari (:ritu) from comment #11)
> Who might I ping from the dev team to get someone to look at this bug?

This is an easy bug to fix but bug 1208145 is more important and will change how the password masking will work so that's why I was ignoring this bug for now. Maybe whoever takes bug 1208145 could finish this after?

Comment 14

[Ritu Kothari (:ritu) (Inactive, please n-i to RyanVM, jcristau, or pascal)]

Given that we are a week away from RC, this does not seem release blocking to me. wontfix for Fx44, carrying the tracking flag forward to Fx45.

Comment 15

[Sylvestre Ledru [:Sylvestre]]

Same for 45...

Comment 16

[Matthew N. [:MattN]]

This is getting fixed by the patch in bug 1257078.

Comment 17

[Alex Vincent [:WeirdAl]]

FYI, bug 1508165 is removing password tree column support for XUL trees. Per discussion in https://phabricator.services.mozilla.com/D48573 , I'm inclined to say if this feature is still desirable, you may have to add it back in.

Comment 18

[Richard Marti (:Paenglab)]

Jörg, Magnus, see comment 17. Without a password field in our password dialog the dialog is probably useless. We need to look how this looks without this field and decide.

Comment 19

[Richard Marti (:Paenglab)]

We have no masked password field in TB and the removal of the treecol[type="password"] doesn't make problems.

Closing this bug as WONTFIX