Closed Bug 1321508 Opened 8 years ago Closed 10 months ago

Only store master password in gnome-keyring

Categories

(Toolkit :: Password Manager, enhancement, P5)

Product:
Toolkit
Component:
Password Manager
Version:
50 Branch
Platform:
All
Linux
Type:
enhancement

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1636789

People

(Reporter: jhasse, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:50.0) Gecko/20100101 Firefox/50.0
Build ID: 20161129173726

Steps to reproduce:

Bug about integration with gnome-keyring: https://bugzilla.mozilla.org/show_bug.cgi?id=309807
Bug about protecting the master password: https://bugzilla.mozilla.org/show_bug.cgi?id=973759

The idea would be to *only* store the master password in the GNOME keyring. This way my saved passwords would be protected and I still wouldn't have to type in the master password every time I start Firefox.

Also see this issue of the GNOME Keyring extension: https://github.com/swick/mozilla-gnome-keyring/issues/38
Component: Untriaged → Password Manager
Depends on: 309807
OS: Unspecified → Linux
Product: Firefox → Toolkit
Hardware: Unspecified → All
Doesn't "depends on 309807" imply that this bug can only be fixed after #309807?

Seems like enhancement request rather than defect report. Very reasonable enhancement imho.

Type: defect → enhancement

It will be great to have an about:config entry for keeping command to obtain masterpassword. Let say, when it is empty, Firefox asks for masterpassword by default. But user can add specific command to make Firefox getting password in non-interactive manner, e. g. with gpg or pass or some system keyring CLI util. As a next step field may be set to specific default value depends on environment, e. g. to use password vault on Windows systems and libkeyring on GNU/Linux systems etc. Just an idea.

We are discussing improvements to master password which may include better integration with the OS.

Priority: -- → P5

I like to add support to the idea of allowing AT LEAST the master password to be stored in the system keyring.

Neither Firefox nor Thunderbird provide a convenient way any more to store password in the system keyring, which can be automatically unlocked at login (I use Gnome keyring on Xubuntu). It was possible before with add-ons, which unfortunately are not supported any more in either Firefox or Thunderbird. It was a reason for me to drop Firefox in favour of Chromium in the past (but I would prefer to use Firefox again in the future, but only with acceptable password storage).

For me it is a crucial usability requirement to have to enter my password only once (at login or to unlock a locked session), and then no more, and still have all passwords stored only encrypted on disk. Surely I do not want to enter a password again for Firefox, and then again for Thunderbird, and maybe again if I close any of those programs.

If the master password could be supplied on the command line to Firefox and Thunderbird, then this behaviour can be implemented with relative ease (as possible for the identical use case with KeePassXC, see keepassxreboot/keepassxc#1267 (comment)).

Native support by Lockwise of system keyrings would be much preferred to this, of course. It is somewhat hard to understand why such a key security feature is not implemented from the beginning - noting that usability pretty much equates to security, and now for sure loads of users don't use any password encryption due to the inconvenience just described.

Storage and retrieval of a randomly-generated master password using a system-dependent credentials manager such as GNOME Keyring would improve usability of Firefox without imposing the demand to develop alternative storage backends for website credentials.

The Linux version of Google Chromium currently stores website credentials in its own encrypted database, with an opaque master key placed in GNOME Keyring.

The same approach would be extremely sensible for Firefox, and would be the least costly to develop or to maintain among similar suggestions.

The current options, plaintext storage of sensitive credential data or password entry at application launch, are both unappealing from a standpoint of modern application design, user-interface expectations, and security constraints.

With the recent integration of Lockwise, this feature would appear to be a prime candidate for an early enhancement to that system.

Would it be possible to get an official statement on the issue of system keyring integration in Lockwise for the Master Password (or all passwords)? Further up in this thread, it says "We are discussing improvements to master password which may include better integration with the OS.".

I am following the issue for a while, essentially since the add-on that made keyring integration for me possible (mozilla-gnome-keyring) became unusable in Firefox, and recently also in Thunderbird. There has not been tangible progress in those years of native keyring integration.

I would much prefer to use Mozilla products, but this is a critical issue for me (I guess also for some other users), resulting in the (hopefully temporary) replacement of Firefox by Chromium and now of Thunderbird by Evolution (both support the keyring natively).

I think the Secret Storage specification of freedesktop.org makes implementing this easy for all Linux variants.

Why this integration is so important has been well summarized by another user in the context of KeaPassXC: https://github.com/keepassxreboot/keepassxc/issues/1404#issuecomment-510482344. But why use yet another password manager, if there is now Lockwise?

An official statement if and when Lockwise will support system keyrings, so a long term decision of which programs to use for web browsing and mail can be made. Naturally, one does not like to change those programs too often.

See Also: → 1636789
Severity: normal → S3
Status: UNCONFIRMED → RESOLVED
Closed: 10 months ago
Duplicate of bug: 1636789
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.