Closed Bug 1296584 Opened 8 years ago Closed 2 years ago

Firefox should never ask to save the Firefox Account password


(Toolkit :: Password Manager: Site Compatibility, defect, P3)






(Reporter: rfeeley, Unassigned)


(Blocks 1 open bug)


Chromium provides a fantastic explanation as to why we should never store the FxA password in the saved passwords (or delete it if the user signs in to Sync). Should we follow suit?:

== Why doesn't the Password Manager save my Google password if I am using Chrome Sync? ==

In its default mode, Chrome Sync uses your Google password to protect all the other passwords in the Chrome Password Manager.

In general, it is a bad idea to store the credential that protects an asset in the same place as the asset itself. An attacker who could temporarily compromise the Chrome Password Manager could, by stealing your Google password, obtain continuing access to all your passwords. Imagine you store your valuables in a safe, and you accidentally forget to close the safe. If a thief comes along, they might steal all of your valuables. That’s bad, but imagine if you had also left the combination to the safe inside as well. Now the bad guy has access to all of your valuables and all of your future valuables, too. The password manager is similar, except you probably would not even know if a bad guy accessed it.

To prevent this type of attack, Chrome Password Manager does not save the Google password for the account you sync with Chrome. If you have multiple Google accounts, the Chrome Password Manager will save the passwords for accounts other than the one you are syncing with.

I'm going to mark this as blocking Bug 1206736, because fixing this bug would fix that bug.

Blocks: 1206736

Bug 1248765 has some discussion on this (and is where we allowed this password to be Synced).
Particularly Bug 1248765 Comment 2 has an example of a valid workflow where one might want to save the password.

Overall I'm -0 on this; I can see the security argument but I don't find it particularly compelling. If an attacker can read the local profile store to get at the saved passwords, they can also read signedInUser.json and the FxA session data, which will give them ongoing access to your synced passwords. We have to store that *somewhere* so that the browser itself can sync. So it's not obvious to me that just avoiding storage of the FxA password would change the security properties of the system in a meaningful way.

Priority: -- → P3

FWIW this also seems like a UX concern to me? To nontechnical users, being prompted to save their Sync password may be confusing, since it's unclear that Sync will still remain connected to your account if you choose _not_ to save the password in the password manager.
Also, what's the argument for saving this in the first place? The only time I can think of that that would be useful is if you wanted to disconnect and then reconnect Sync, but that doesn't seem like it should happen that often.

Severity: normal → S3

We made an explicit decision to sync this and in the time this bug has been open there's been no movement on a decision to again prevent syncing it, so WONTFIX for now.

Closed: 2 years ago
Resolution: --- → WONTFIX