Closed Bug 1466512 Opened 7 years ago Closed 5 years ago

Policies: Make Master Password mandatory

Categories

(Firefox :: Enterprise Policies, enhancement, P3)

Product:
Firefox
Component:
Enterprise Policies
Version:
60 Branch
Type:
enhancement

Tracking

()

Status:
RESOLVED FIXED
Milestone:
Firefox 79
Tracking Flags:
Tracking Status
firefox-esr78 --- fixed
firefox79 --- fixed

People

(Reporter: narutards, Assigned: mkaply)

Details

Attachments

(3 files)

Bug 1466512 - Add a policy for forcing a master password. r?MattN
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr78+
Details | Review
Bug 1466512 - Update about:logins to support MasterPassword policy. r?jaws
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr78+
Details | Review
Bug 1466512 - Update LoginManagerPrompter to support MasterPassword policy. r?MattN
47 bytes, text/x-phabricator-request
RyanVM
: approval-mozilla-esr78+
Details | Review
At the moment I have the "Offer to save logins" policy set to disabled, which in turn means that I cannot save logins and passwords. This policy was put in place because our security guy does not want the passwords to be stored in (virtually) plain text, so without a master password. The same settings are in place for IE and Google Chrome. He did tell me that I could allow users to save their passwords in Firefox _IF_ I could make it so that the master password is mandatory. Sadly there is no such option at this point in time. Would it be possible for you to add such a policy that would enable the master password option, make it mandatory (so users cannot disable it) and require the user to set a master password on first start (after the policy has been applied)? That would be greatly appreciated.
In theory we could, but the first run experience would be bad.. And first run is already a critical moment with other things being shown to the user.. A different approach would be to add an option to Firefox that makes the option "Ask to save logins and passwords" only respected if there's a master password in place. This would probably be simpler to implement and lead to a nicer experience. And we would create a policy just to enforce this setting.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Assignee: nobody → mozilla
Status: NEW → ASSIGNED

I agree the user experience won't be great, but we've had multiple requests for this and I think we can use what we have.

Rather than first start, could it be part of the first (and any subsequent until the password is set) attempt to save credentials?
Something less wordy than this, but like this: "Your organization requires a master password be set to encrypt credentials before they can be saved: (Set one now and save / Not now / Don't ask to save in the future)"

I'll see how straightforward that would be. The problem is there are quite a few places where passwords can be saved.

Master password will probably be going away completely soon with the new Lockbox stuff so I'm not sure how much I want to invest in it.

Attachment #9140568 - Attachment description: Bug 1466512 - Add a policy for forcing a master password. r?keeler → Bug 1466512 - Add a policy for forcing a master password. r?MattN
Pushed by mozilla@kaply.com: https://hg.mozilla.org/integration/autoland/rev/44c03736a07a Add a policy for forcing a master password. r=fluent-reviewers,MattN,flod https://hg.mozilla.org/integration/autoland/rev/dfc7af8d8ed6 Update about:logins to support MasterPassword policy. r=jaws https://hg.mozilla.org/integration/autoland/rev/a55f2483d39e Update LoginManagerPrompter to support MasterPassword policy. r=MattN

https://hg.mozilla.org/mozilla-central/rev/44c03736a07a
https://hg.mozilla.org/mozilla-central/rev/dfc7af8d8ed6
https://hg.mozilla.org/mozilla-central/rev/a55f2483d39e

Status: ASSIGNED → RESOLVED
Closed: 5 years ago
status-firefox79: --- → fixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 79

Comment on attachment 9140568 [details]
Bug 1466512 - Add a policy for forcing a master password. r?MattN

ESR Uplift Approval Request

  • If this is not a sec:{high,crit} bug, please state case for ESR consideration: New policy
  • User impact if declined: Unable to use new MasterPassword policy.
  • Fix Landed on Version: 79
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Lots of tests, has baked a while.
  • String or UUID changes made by this patch: String for policy decription (policy specific l10n is pre approved)
Attachment #9140568 - Flags: approval-mozilla-esr78?
Attachment #9152802 - Flags: approval-mozilla-esr78?
Attachment #9152844 - Flags: approval-mozilla-esr78?

Comment on attachment 9140568 [details]
Bug 1466512 - Add a policy for forcing a master password. r?MattN

Approved for 78.1esr.

Attachment #9140568 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Attachment #9152802 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
Attachment #9152844 - Flags: approval-mozilla-esr78? → approval-mozilla-esr78+
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: