Closed
Bug 1489144
Opened 7 years ago
Closed 1 year ago
Encrypt passwords with a machine-specific key, rather than with a static passphrase, by default
Categories
(Toolkit :: Password Manager, enhancement, P3)
RESOLVED
INVALID
People
(Reporter: gdcalonder, Unassigned)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:61.0) Gecko/20100101 Firefox/61.0
Build ID: 20180807170231
Steps to reproduce:
Copied the profile from the AppData folder to an external medium. Then I copied my profile to the Desktop and inserted the copied profile into the Profile folder. After that I copied the name of the folder and renamed the copied folder.
Actual results:
I opened the settings and it was possible for me to read out all saved passwords.
Expected results:
It should block that, because the program can't read the file.
Comment 1•7 years ago
This is about the architecture of our password manager, so there's no point keeping the bug hidden.
For now, keeping your machine safe (and setting a master password) is the best defense against these attacks.
Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Summary: safed undecrypted passwords can be read out → Encrypt passwords with machine-specific key and/or store them in OS store instead of on-disk without encryption
Comment 3•7 years ago
I won't say it's a dup because bug 1486954 is about storing credit cards.
We may want to tie passwords to OS key store at some point, but I am not sure about when.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Flags: needinfo?(timdream)
Comment 4•7 years ago
There is also the fact that manually moving the profile around has been something that works since ... Mozilla Suite? Implementing this means breaking that use case.
Why can't you simply insert an unknown password to protect the data, so that the user doesn't have to know and enter it, but that is stored somewhere outside the profile of the user, and when he wants to use a password he can use that, and the other would be deleted?
Updated•7 years ago
Severity: normal → enhancement
Depends on: 1464828
Keywords: dupeme
Priority: -- → P3
Summary: Encrypt passwords with machine-specific key and/or store them in OS store instead of on-disk without encryption → Encrypt passwords with a machine-specific key, rather than with a static passphrase, by default
Updated•3 years ago
Severity: normal → S3
Comment 6•1 year ago
Primary Password is the right tool to protect data on disk.
It can be seen as storing a unique password outside of the Profile folder, in the user's head. We may start storing it in the OS keystore.
Status: NEW → RESOLVED
Closed: 1 year ago
Resolution: --- → INVALID