Bug 1408427 - Enforce minimum master password complexity
Status: UNCONFIRMED (Open)
Opened 7 years ago; updated 9 months ago
Categories: Toolkit :: Password Manager, defect, P5
People: Reporter mishra.dhiraj95; Unassigned
References: Blocks 1 open bug
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170921064520
Steps to reproduce:
Product: Firefox, version 52.4.0, Build ID 20170921064520
Actual results:
There is no password complexity set for the master password in about:preferences#security, because I was able to set my password to 123, 123456, www, admin, etc., which are really common. Apart from that, we can use spaces as well in the master password; I was able to set a space as my master password :/
Expected results:
Recommendation: provide robust rules including upper- and lower-case letters, special characters, etc.
Updated•7 years ago
Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Version: 52 Branch → unspecified
Comment 1•7 years ago
Hi, thanks for the report! Bug 973759 has some interesting background reading. The TL;DR is that master password already uses weak encryption; unlike OS-level crypto, master password is mostly designed to deter casual snooping. It doesn't protect well against brute forcing.
See Also: → 973759
Comment 2•7 years ago
There is already a password quality meter on the MP change dialog, and for the cases where it's used to prevent casual snooping (or on mobile) a trivial MP may be sufficient.
Priority: -- → P5
Summary: Master Password, weak password policy → Enforce minimum master password complexity
Comment 3•7 years ago
If we're going to let the user choose "no password" (or really, a master password of "") then onerous complexity rules only discourage MP use. A quality meter is great, maybe even a confirmation prompt for particularly weak ones (text that says "a hacker could crack this in X minutes" or something?) is educational and OK as a one-time nag, but flat out preventing weak passwords which are strictly better than the default "" is not good. If users satisfy the complexity rules but then forget their master password and lose everything they will be super pissed.
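As an added illustration of the quality meter mentioned in Comment 2 and the "could crack this in X minutes" nag floated in Comment 3, here is a small password-quality estimator. It is example code written for this page, not Firefox's own meter, and everything in it is an assumption chosen for illustration: the character-class entropy model, the constructed common-password list, the strength thresholds, and the 1e9 guesses/second attacker rate. It deliberately reports but does not reject an empty or trivial password, matching the point in Comment 3 that a weak master password is still better than the default "".

```javascript
// Added example (not Firefox code): a small master-password quality
// estimator of the kind a quality meter or one-time weak-password warning
// could use. Everything below is an assumption for illustration: the
// character-class model, the tiny common-password list, the strength
// thresholds and the attacker guess rate.

// Constructed list standing in for a real common-password dictionary.
const COMMON_PASSWORDS = new Set([
  "123", "123456", "password", "admin", "www", "qwerty", "letmein", "login",
]);

// Size of the alphabet an attacker would have to search, inferred from the
// character classes actually present in the password.
function charsetSize(pw) {
  let size = 0;
  if (/[a-z]/.test(pw)) size += 26;
  if (/[A-Z]/.test(pw)) size += 26;
  if (/[0-9]/.test(pw)) size += 10;
  if (/[^a-zA-Z0-9]/.test(pw)) size += 33; // printable ASCII punctuation and space
  return size;
}

// Rough entropy estimate in bits. A dictionary word is worth only
// log2(dictionary size) however long it is; otherwise assume a uniform
// draw from the inferred alphabet (an upper bound on real strength).
function entropyBits(pw) {
  if (pw.length === 0) return 0;
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) {
    return Math.log2(COMMON_PASSWORDS.size);
  }
  return pw.length * Math.log2(charsetSize(pw));
}

// Expected time to guess the password offline at an assumed guess rate
// (1e9 guesses/second here), halving the space because the expected
// successful guess lands in the middle of it.
function crackSeconds(pw, guessesPerSecond = 1e9) {
  return Math.pow(2, entropyBits(pw)) / 2 / guessesPerSecond;
}

// Human-readable duration for a "could be guessed in about X" message.
function describeDuration(seconds) {
  const units = [
    ["years", 365 * 24 * 3600], ["days", 24 * 3600], ["hours", 3600],
    ["minutes", 60], ["seconds", 1],
  ];
  for (const [name, span] of units) {
    if (seconds >= span) return `${Math.round(seconds / span)} ${name}`;
  }
  return "under a second";
}

// Rate a candidate master password. Returns a structured result so a UI
// can render a meter plus a list of concrete problems; an empty password
// is reported but not rejected, matching the "no password" default.
function rate(pw) {
  const bits = entropyBits(pw);
  const issues = [];
  if (pw.length === 0) issues.push("empty password: no protection at all");
  else if (pw.trim().length === 0) issues.push("whitespace only");
  if (COMMON_PASSWORDS.has(pw.toLowerCase())) issues.push("in common-password list");
  if (pw.length > 0 && pw.length < 8) issues.push("shorter than 8 characters");
  // Assumed thresholds for illustration; tune them to the threat model.
  const level = bits < 28 ? "very weak" : bits < 36 ? "weak" : bits < 60 ? "fair" : "strong";
  const secs = crackSeconds(pw);
  return {
    bits: Math.round(bits),
    level,
    issues,
    crackSeconds: secs,
    message: `${level}: could be guessed in about ${describeDuration(secs)}`,
  };
}

// Sample run over constructed inputs, including the ones from the report.
for (const pw of ["", " ", "123456", "admin", "Passw0rd", "correct horse battery staple"]) {
  const r = rate(pw);
  console.log(JSON.stringify(pw).padEnd(32), r.message, r.issues.join("; "));
}
```

The values the report cites ("123456", "admin", a single space) all land in the "very weak" band with a concrete reason attached, which is the kind of feedback a one-time confirmation prompt could show without blocking the choice. The character-class model overstates the strength of structured passwords, so a real meter would pair it with a much larger dictionary and pattern checks; the structure of the result (bits, level, issues, estimated time) is the part worth keeping.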
Updated•3 years ago
Blocks: primary-password
Updated•2 years ago
Severity: normal → S3