Show password generation UI on `autocomplete="new-password"` fields
Categories
(Toolkit :: Password Manager, enhancement, P2)
Tracking
()
People
(Reporter: MattN, Assigned: MattN)
References
(Blocks 2 open bugs)
Details
(Whiteboard: [passwords:generation] [skyline])
User Story
* `signon.generation.enabled` is the user pref to enable/disable the feature from about:preferences (not implemented yet). * `signon.generation.available` controls whether the feature is available for users (e.g. if the about:preferences UI should show). https://www.facebook.com is a popular site that uses autocomplete="new-password" for its registration form. Thousands of other test sites: https://docs.google.com/spreadsheets/d/1tKNeZh9SP3QBj5-X9O6QA6FddZpHY4qH7rHcn6LkTtI/edit#gid=1841286414
Attachments
(10 files)
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
47 bytes,
text/x-phabricator-request
|
Details | Review | |
145.24 KB,
image/png
|
Details |
If an <input>
has autocomplete="new-password"
, we have a strong signal that password generation is relevant for the field and so we should offer it to the user.
Assignee | ||
Comment 1•5 years ago
|
||
Mike, could you help us query httparchive data to understand the impact this could have? The query could be the following (in standard SQL):
SELECT page, url FROM `httparchive.response_bodies.2019_04_01_desktop`
WHERE REGEXP_CONTAINS(body, r'autocomplete=[\'"]?new-password[\'"]?')
ORDER BY url;
Thank you
Comment 2•5 years ago
|
||
Here you go, https://docs.google.com/spreadsheets/d/1nCZ8QulQdk_whqNtun2kEL64kjhJfw8IdtdOglrr1_w/edit#gid=1841286414
Assignee | ||
Comment 3•5 years ago
|
||
Awesome, thank you!
Assignee | ||
Comment 4•5 years ago
|
||
(In reply to Mike Taylor [:miketaylr] from comment #2)
Here you go, https://docs.google.com/spreadsheets/d/1nCZ8QulQdk_whqNtun2kEL64kjhJfw8IdtdOglrr1_w/edit#gid=1841286414
My fork with additional columns is here: https://docs.google.com/spreadsheets/d/1tKNeZh9SP3QBj5-X9O6QA6FddZpHY4qH7rHcn6LkTtI/edit#gid=1841286414
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 5•5 years ago
|
||
Assignee | ||
Comment 6•5 years ago
|
||
Depends on D31205
Assignee | ||
Comment 7•5 years ago
|
||
Depends on D31206
Assignee | ||
Comment 8•5 years ago
|
||
We don't need to use JSON since we now support getCommentAt for extra data.
Also add unit tests that are missing.
Depends on D31207
Assignee | ||
Comment 9•5 years ago
|
||
Depends on D31208
Assignee | ||
Comment 10•5 years ago
|
||
Depends on D31209
Assignee | ||
Comment 11•5 years ago
|
||
Depends on D31210
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Updated•5 years ago
|
Updated•5 years ago
|
Assignee | ||
Comment 12•5 years ago
|
||
Depends on D31211
Assignee | ||
Comment 13•5 years ago
|
||
Depends on D31575
Assignee | ||
Updated•5 years ago
|
Comment 14•5 years ago
|
||
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/autoland/rev/426750b88fc2 Add prefs to release and enable password generation. r=sfoster https://hg.mozilla.org/integration/autoland/rev/fde90ccfb570 Generate and cache a password for autocomplete="new-password" password fields. r=sfoster https://hg.mozilla.org/integration/autoland/rev/e0cf735bdcf5 LoginManagerParent.doAutocompleteSearch/getGeneratedPassword tests. r=sfoster https://hg.mozilla.org/integration/autoland/rev/1e2300b95a59 Simplify login autocomplete footer result to avoid JSON. r=sfoster https://hg.mozilla.org/integration/autoland/rev/60ff6e363acf Password Generation Autocomplete Result. r=sfoster https://hg.mozilla.org/integration/autoland/rev/cddbcd92ec10 Make a generic two-line autocomplete richlistitem element. r=sfoster https://hg.mozilla.org/integration/autoland/rev/38e35b6d8d80 Password generation autocomplete UI. r=sfoster https://hg.mozilla.org/integration/autoland/rev/738ce5e88e05 Simplify test_autocomplete_new_password and use more common patterns. r=sfoster https://hg.mozilla.org/integration/autoland/rev/0e7d8f96bf12 Tests for the password generation autocomplete UI. r=sfoster
Comment 15•5 years ago
|
||
Backed out 9 changesets (bug 1548381) for XPCShell failures in toolkit/components/passwordmgr/test/unit/test_LoginManagerParent_doAutocompleteSearch.js
Log:
https://treeherder.mozilla.org/logviewer.html#/jobs?job_id=247446655&repo=autoland&lineNumber=2961
Push with failures:
https://treeherder.mozilla.org/#/jobs?repo=autoland&revision=0e7d8f96bf123f5d0f491fe7780223bde509e841
Backout:
https://hg.mozilla.org/integration/autoland/rev/2690e619a493a6730d6318589405aa2e229ba5c3
Assignee | ||
Comment 16•5 years ago
|
||
I forgot to skip the tests on Android where the generation JSM isn't packaged.
Comment 17•5 years ago
|
||
Pushed by mozilla@noorenberghe.ca: https://hg.mozilla.org/integration/autoland/rev/7b82d533e37e Add prefs to release and enable password generation. r=sfoster https://hg.mozilla.org/integration/autoland/rev/c1beb9ce876d Generate and cache a password for autocomplete="new-password" password fields. r=sfoster https://hg.mozilla.org/integration/autoland/rev/e79711ad9ef5 LoginManagerParent.doAutocompleteSearch/getGeneratedPassword tests. r=sfoster https://hg.mozilla.org/integration/autoland/rev/c5b9ba215f49 Simplify login autocomplete footer result to avoid JSON. r=sfoster https://hg.mozilla.org/integration/autoland/rev/1433d315b1b7 Password Generation Autocomplete Result. r=sfoster https://hg.mozilla.org/integration/autoland/rev/e92a0032aa2a Make a generic two-line autocomplete richlistitem element. r=sfoster https://hg.mozilla.org/integration/autoland/rev/2a70e4e43c5e Password generation autocomplete UI. r=sfoster https://hg.mozilla.org/integration/autoland/rev/34bbe924602e Simplify test_autocomplete_new_password and use more common patterns. r=sfoster https://hg.mozilla.org/integration/autoland/rev/b74e5737da64 Tests for the password generation autocomplete UI. r=sfoster
Comment 18•5 years ago
|
||
bugherder |
https://hg.mozilla.org/mozilla-central/rev/7b82d533e37e
https://hg.mozilla.org/mozilla-central/rev/c1beb9ce876d
https://hg.mozilla.org/mozilla-central/rev/e79711ad9ef5
https://hg.mozilla.org/mozilla-central/rev/c5b9ba215f49
https://hg.mozilla.org/mozilla-central/rev/1433d315b1b7
https://hg.mozilla.org/mozilla-central/rev/e92a0032aa2a
https://hg.mozilla.org/mozilla-central/rev/2a70e4e43c5e
https://hg.mozilla.org/mozilla-central/rev/34bbe924602e
https://hg.mozilla.org/mozilla-central/rev/b74e5737da64
Comment 19•5 years ago
|
||
+1
Great move!
Assignee | ||
Updated•5 years ago
|
Comment 20•5 years ago
|
||
The first real website I have found with the requirements mentioned is www.yahoo.com. It appears that the "New Password" field has the attribute autocomplete="new-password", as the bug title suggests.
I have attempted to click inside the field and to trigger the password generator UI, but I had no luck. Can you explain how I can verify this implementation?
Tests were done on Nightly v69.0a1 (2019-05-23) (64-bit).
Assignee | ||
Comment 21•5 years ago
|
||
(In reply to Bodea Daniel [:danibodea] from comment #20)
Created attachment 9067057 [details]
how is it supposed to work.pngThe first real website I have found with the requirements mentioned is www.yahoo.com. It appears that the "New Password" field has the attribute autocomplete="new-password", as the bug title suggests.
I have attempted to click inside the field and to trigger the password generator UI, but I had no luck. Can you explain how I can verify this implementation?
Did you read the user story? It has 2 prefs to flip and lists Facebook as another test site. Btw. there is a list of thousands of sites you can test in comment 4 (which I now added to the User Story).
Comment 22•5 years ago
|
||
FYI:
Accessible
My fork with additional columns is here: https://docs.google.com/spreadsheets/d/1tKNeZh9SP3QBj5-X9O6QA6FddZpHY4qH7rHcn6LkTtI/edit#gid=1841286414
Not accessible without Google login.
Assignee | ||
Comment 23•5 years ago
|
||
(In reply to Ben Bucksch (:BenB) from comment #22)
My fork with additional columns is here: https://docs.google.com/spreadsheets/d/1tKNeZh9SP3QBj5-X9O6QA6FddZpHY4qH7rHcn6LkTtI/edit#gid=1841286414
Not accessible without Google login.
Thanks, I didn't realize the other one was public so that's why I didn't make mine public. It's fixed now.
Comment 24•5 years ago
•
|
||
Hey, Matt. Sorry if I wasn't professional enough. For some reason, I haven't noticed the information in the user story. If I am to explain, I can't always read every little bit of info because, sometimes, most of it means nothing to me and my filtering skill are still evolving. Please bear with me. Things that I normally deduce in 10-15 minutes probably take you 1 or 2 to read and answer.
In other, more important notes, I have tested the first 15 top sites of 2019 and these are my results:
-
Google/Youtube - the password generation UI appears and functions quite well;
-
Yahoo: the password generation UI appears and functions quite well;
-
Pinterest: the password generation UI appears and functions quite well;
-
Facebook: the password generation UI does not appear (probably because the autocomplete attribute has the value "off", not "new-password")
-
Amazon: the password generation UI does not appear (probably because the autocomplete attribute is missing altogether)
-
Wikipedia: the password generation UI does not appear (probably because the autocomplete attribute is missing altogether)
-
Twitter: the password generation UI does not appear (probably because the autocomplete attribute is missing altogether)
-
Microsoft/Bing/MSN: the password generation UI does not appear (probably because the autocomplete attribute is missing altogether)
-
eBay: the password generation UI does not appear (probably because the autocomplete attribute has the value "off", not "new-password")
-
Linkedin: the password generation UI does not appear (probably because the autocomplete attribute is missing altogether)
On the note of the feature's functionality, this is what I have discovered:
- left clicking in the "New password" or "Confirm new password" fields, opens the Password Manager's suggestions drop-down.
- the drop-down displays: the saved logins for this site, "Use Generated Password" option with the password visible under it and the "View Saved Logins" button.
- selecting the "Use Generated Password" option will fill the field with the password shown on the option.
- the user then has the option to fill the same generated password in the "Confirm New Password" field by the same method.
On the downside:
- after ticking the "Show Password" checkbox, the Password Manager suggestions drop-down will no longer display. (intended?)
- after selecting the generated password and saving the password change, the password manager will prompt to save the newly changed password, but the username is left blank (on websites that the username is entered in the previous screen, like Yahoo).
- if the user then chooses to change his password again, it can be noticed that the same password is displayed by the password generator.
Please verify it if the functionality is as expected, NI me if further testing is needed, along with more information on how to proceed.
Thank you and sorry if I have created any kind of frustration.
Assignee | ||
Updated•5 years ago
|
Assignee | ||
Comment 25•5 years ago
|
||
(In reply to Bodea Daniel [:danibodea] from comment #24)
On the downside:
- after ticking the "Show Password" checkbox, the Password Manager suggestions drop-down will no longer display. (intended?)
You mean that if you toggle the checkbox in the doorhanger, you no longer see suggestions in the webpage? It's not expected to see a dropdown from the doorhanger field itself.
- after selecting the generated password and saving the password change, the password manager will prompt to save the newly changed password, but the username is left blank (on sides the username is entered in the previous screen, like Yahoo).
This is now improved in Nightly. The auto-saved login is without a username but the doorhanger should include the username and choosing to "Update" should add it in storage.
- if the user then chooses to change his password again, it can be noticed that the same password is displayed by the password generator.
Yeah, that is expected for now. Bug 1551723 and bug 1569568 will provide a way to request a new generated password. For now they last for the whole session for the same principal (origin + origin attributes [private browsing, container]).
Comment 26•5 years ago
|
||
(In reply to Matthew N. [:MattN] (PM me if requests are blocking you) from comment #25)
(In reply to Bodea Daniel [:danibodea] from comment #24)
On the downside:
- after ticking the "Show Password" checkbox, the Password Manager suggestions drop-down will no longer display. (intended?)You mean that if you toggle the checkbox in the doorhanger, you no longer see suggestions in the webpage? It's not expected to see a dropdown from the doorhanger field itself.
When I say Password Manager drop-down", I mean to talk about the drop-down with the "View Saved Logins" button, the one that drops down from a password field when attempting to manually fill a previously saved password or a generated password. I have logged bug 1570638.
- after selecting the generated password and saving the password change, the password manager will prompt to save the newly changed password, but the username is left blank (on sites the username is entered in the previous screen, like Yahoo).
This is now improved in Nightly. The auto-saved login is without a username but the doorhanger should include the username and choosing to "Update" should add it in storage.
I can confirm this is true as far as my testing went.
- if the user then chooses to change his password again, it can be noticed that the same password is displayed by the password generator.
Yeah, that is expected for now. Bug 1551723 and bug 1569568 will provide a way to request a new generated password. For now they last for the whole session for the same principal (origin + origin attributes [private browsing, container]).
Yes, thank you for the feedback.
I will close this bug as verified in Nightly v70.0a1 and in Beta 69.
Description
•