Open Bug 1408427 Opened 7 years ago Updated 9 months ago

Enforce minimum master password complexity

Categories

(Toolkit :: Password Manager, defect, P5)

UNCONFIRMED

People

(Reporter: mishra.dhiraj95, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:52.0) Gecko/20100101 Firefox/52.0
Build ID: 20170921064520

Steps to reproduce:

Product: Name Firefox, Version 52.4.0, Build ID 20170921064520

Actual results:

There is no password complexity set for the Master password in about:preferences#security, because I was able to set my password to 123, 123456, www, admin etc., which are really common. Apart from that, we can use spaces as well in the master password; I was able to set a space as my master password :/

Expected results:

Recommendation - Provide robust rules including upper and lower case letters, special characters etc.
Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Version: 52 Branch → unspecified
Hi, thanks for the report! Bug 973759 has some interesting background reading. The TL;DR is that master password already uses weak encryption; unlike OS-level crypto, master password is mostly designed to deter casual snooping. It doesn't protect well against brute forcing.
See Also: → 973759
There is already a password quality meter on the MP change dialog, and for the cases where it's used to prevent casual snooping (or on mobile), a trivial MP may be sufficient.
Priority: -- → P5
Summary: Master Password, weak password policy → Enforce minimum master password complexity
If we're going to let the user choose "no password" (or really, a master password of "") then onerous complexity rules only discourage MP use. A quality meter is great, maybe even a confirmation prompt for particularly weak ones (text that says "a hacker could crack this in X minutes" or something?) is educational and OK as a one-time nag, but flat out preventing weak passwords which are strictly better than the default "" is not good. If users satisfy the complexity rules but then forget their master password and lose everything they will be super pissed.
Severity: normal → S3
Duplicate of this bug: 1856978