Closed Bug 124849 Opened 23 years ago Closed 23 years ago

Password manager should not remember passwords at secure sites

Categories

(SeaMonkey :: Passwords & Permissions, defect)

PowerPC
macOS
defect
Not set
major

Tracking

(Not tracked)

RESOLVED INVALID

People

(Reporter: pbergsagel, Assigned: morse)

Details

From Bugzilla Helper:
User-Agent: Mozilla/5.0 (Macintosh; U; PPC Mac OS X; en-US; rv:0.9.8) Gecko/20020204
BuildID: 0.9.8 (2002020411)
When I logged in to my bank's site the password manager filled in the password. This is wrong since on secure sites the password manager should be deactivated, shouldn't it? Is this the wrong behavior, since someone could gain access to my account if I leave the computer without logging out.
Reproducible: Always
Steps to Reproduce:
1. N.A.
2.
3.
Actual Results: N.A.
Expected Results: N.A.
Mozilla should not use the password manager to automate logging in with password. This makes Mozilla insecure.
This is a duplicate of bug#124850
*** Bug 124850 has been marked as a duplicate of this bug. ***
a) You can disable the password manager (completely or just for this page) if you are not sure that another user can use your system. b) You can enable the master password with a timeout. c) Your bank can add a special tag to the login form and Mozilla will not use the password manager on that page. This one should be invalid, but Mitchell Stoltz should decide...
I agree, both the user and the site can deactivate the password manager at will. Whether the site is SSL'd really has nothing to do with it. I recommend Invalid, but I'm reassigning to Steve Morse to get his opinion.
Assignee: mstoltz → morse
Status: UNCONFIRMED → NEW
Component: Security: General → Password Manager
Ever confirmed: true
That's three votes for invalid (including mine). Closing out as such.
Status: NEW → RESOLVED
Closed: 23 years ago
Resolution: --- → INVALID
My thoughts: if the password manager can be used at SSL sites, should the default setting be for the password manager to be disabled? I should not have to remember to not use the password manager on secure sites. One solution is a popup menu detailing the risks of using the password manager with SSL sites and providing options to either disable the password manager or to use it. Some users will not realize the associated risks. The default should be the highest security level. Another point: Can we rely on sites to code their pages properly to turn off the password manager? I believe it is best to enable the highest level of security (password manager not automatically enabled without a warning) as the default. Do we want Mozilla to be known as a browser not to use for ecommerce because of the way the password manager by default can automatically store passwords at SSL sites? If the password manager is left enabled at SSL sites the user could accidentally store a password and have this password available to others (if the computer is left unattended and not logged out). If the password manager is active by default, then a master password really should be mandatory for security.
The password manager asks you whether or not to store a password every time it encounters a new site. The options are Yes, No, and 'Never for this site.' The user can decide for each site whether or not to store a password. It's really irrelevant whether the site in question is SSL or not - the content of the site and the value of the data being secured by the password are what's important, not whether the site uses SSL (although the two are probably closely correlated). We already do pretty much what you describe. As for whether we can trust sites to ask that passwords not be stored, what does it matter? You're already trusting your ecommerce sites not to publish your credit card number, give your password to other users, etc, either intentionally or because of sloppy programming. The site can do any such thing, and there's nothing the browser can do about it, so whether or not the site asks that passwords not be stored is irrelevant. Anyway, thank you for your concern, but I think we are doing the right thing with the password manager.
*** Bug 197657 has been marked as a duplicate of this bug. ***
I agree with the comment on showing a warning to make the user understand the risk of storing SSL sensitive password information within the browser's password manager. Some people just don't understand the extreme risks involved in storing this kind of sensitive information in a password manager. So, please add a comment to help the user understand that this is a secured site and that storing passwords for a secured site is risky since the site would not have been encrypted unless it were dealing with very personal information.
How can the web site disable the password manager?
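Added example, not part of the original bug thread and not Mozilla's code: the thread mentions a "special tag" a site can put on its login form but never names it, so this Python audit assumes it is the `autocomplete="off"` attribute and reports which password fields on a page declare it. The sample markup and the names `PasswordFieldAudit` and `audit` are constructed for illustration, and counting either a form-level or a field-level attribute as an opt-out is a choice made for this example.

```python
from html.parser import HTMLParser


class PasswordFieldAudit(HTMLParser):
    """Record each <input type="password"> and whether the page opts it out."""

    def __init__(self):
        super().__init__()
        self._form_off = False   # True while inside a <form autocomplete="off">
        self.findings = []       # list of (field name, opted_out)

    @staticmethod
    def _is_off(attrs):
        # Attribute values keep their case; valueless attributes arrive as None.
        return (attrs.get("autocomplete") or "").strip().lower() == "off"

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":
            self._form_off = self._is_off(attrs)
        elif tag == "input" and (attrs.get("type") or "").lower() == "password":
            # Assumption of this example: the field counts as opted out when
            # either the field itself or its enclosing form says "off".
            opted_out = self._is_off(attrs) or self._form_off
            self.findings.append((attrs.get("name") or "<unnamed>", opted_out))

    def handle_endtag(self, tag):
        if tag == "form":
            self._form_off = False


def audit(html):
    """Return [(field name, opted_out)] for every password input in html."""
    parser = PasswordFieldAudit()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample page (not taken from the bug report).
SAMPLE = """
<form action="/login" method="post" autocomplete="off">
  <input type="text" name="user">
  <input type="password" name="pin">
</form>
<form action="/forum-login" method="post">
  <input type="password" name="forum_pw">
  <input type="PASSWORD" name="otp" autocomplete="off">
</form>
"""

if __name__ == "__main__":
    for name, opted_out in audit(SAMPLE):
        print(f"{name}: {'asks not to be saved' if opted_out else 'may be saved'}")
```

Current browsers may ignore `autocomplete="off"` on login fields, so a positive result shows what the site requested, not what the browser will do.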
Product: Browser → Seamonkey
Summary: Password manager should mot remember passwords at secure sites → Password manager should not remember passwords at secure sites