Open Bug 1551723 Opened 6 years ago Updated 6 months ago

Ability to ask for a different generated password from autocomplete

Categories: Toolkit :: Password Manager, enhancement, P3

Status: ASSIGNED

People: Reporter: MattN, Assigned: serg

References: Depends on 1 open bug, Blocks 2 open bugs

Attachments: 1 file

If a user doesn't like the password that was generated, they should have an option to generate a new one of the same format.

See Also: → 1569568
Flags: qe-verify+

This bug has gathered lots and lots of duplicates. I think we might want to bump the priority.

Flags: needinfo?(sfoster)

Forwarding to Serg who expressed an interest in this one.

Flags: needinfo?(sfoster) → needinfo?(sgalich)
Assignee: nobody → sgalich
Flags: needinfo?(sgalich)
Status: NEW → ASSIGNED
Attachment #9243123 - Attachment description: WIP: Bug 1551723 - Ability to ask for a different generated password from autocomplete → Bug 1551723 - Ability to ask for a different generated password from autocomplete r?tgiles,sfoster
Attachment #9243123 - Attachment description: Bug 1551723 - Ability to ask for a different generated password from autocomplete r?tgiles,sfoster → WIP: Bug 1551723 - Ability to ask for a different generated password from autocomplete r?tgiles,sfoster
Depends on: 1745679

What happens when Firefox generates the same password for all users???
I think this is a critical bug

See Also: → 1754099
Severity: normal → S3
Blocks: 1767002

(In reply to firefox005 from comment #13)

> What happens when Firefox generates the same password for all users???
> I think this is a critical bug

Exactly

In the context of an admin creating or setting passwords for various users, those passwords will all be generated to be exactly the same. Closing the browser, or any other action by this admin user, will not trigger new generation of passwords.
This means an admin might be handing out the same password to many users.

Blocks: 1786712
Duplicate of this bug: 1823207
Duplicate of this bug: 1621599
Duplicate of this bug: 1633125
Duplicate of this bug: 1652486
Duplicate of this bug: 1668216
Duplicate of this bug: 1674668
Duplicate of this bug: 1694595
Duplicate of this bug: 1630500
Duplicate of this bug: 1679079
Duplicate of this bug: 1850227
Duplicate of this bug: 1875616
See Also: → 1881069

Adding a use case here -- if firefox continues auto-generating the same password by design for the site, and the site has declared the password vulnerable (either due to a leak or because it's been used before, is too old, anything similar), there is currently no way to generate a new secure password.

Issue still exists in current version

Duplicate of this bug: 1906964
Duplicate of this bug: 1902808

Created another bug to discuss further enhancements: https://bugzilla.mozilla.org/show_bug.cgi?id=1915598

To add a specific use case here: On two successive days I have gone to transunion.com to register an account, and on each day Firefox's password manager has offered me a 4 CHARACTER "secure" password. Erasing the password and trying again, reloading the page, restarting Firefox and trying again, seem to result in the same password for the same site on the same day, and so far at least (admittedly on a sample size of 2 passwords) Firefox seems to consistently generate a 4-character password for transunion.com.

This seems ... let's say troublingly deterministic, particularly in light of the absence of any option to force generation of a new password.

Showing the same password in the same session is bug 1767002 -- it's an attempt to keep people from getting locked out if they didn't save a password and need it again in a subsequent step of creating the account or logging in for the first time.

The transunion.com issue should possibly get its own bug. When creating an account, step one has a box for the last 4 digits of your social security number. This input is type=password and maxlength=4. I didn't fill in that information so I didn't get to the next steps, but I assume we've created the password based on that field, and that now that same one is what we suggest in a later "real" password field.

The ability to ask for a new one (this bug) would solve that, but also maybe if maxlength is some ridiculously short value we should not offer to generate a "secure" password.

(In reply to Daniel Veditz [:dveditz] from comment #34)

> The transunion.com issue should possibly get its own bug. When creating an account, step one has a box for the last 4 digits of your social security number. This input is type=password and maxlength=4. I didn't fill in that information so I didn't get to the next steps, but I assume we've created the password based on that field, and that now that same one is what we suggest in a later "real" password field.

Aaaah, that makes sense.

> The ability to ask for a new one (this bug) would solve that, but also maybe if maxlength is some ridiculously short value we should not offer to generate a "secure" password.

Or perhaps hold off on generating the password until getting a password field with a realistic length?

Either way, 'regenerate' ought to solve both problems, as well as the case where a password is rejected but — due to a poorly worded failure message — it's difficult to figure out exactly what about the generated password is deemed unacceptable. (I had one recently where it took me five or six re-readings of the message and nearly ten minutes of scrutiny and thought to realize that what it was trying, but failing, to tell me was that '-' was for some reason not deemed an allowed special character.)
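
The behaviour discussed in the comments above, sketched as an added example (not Firefox's password manager code): a per-origin cache keeps the offered password stable within a session, refuses to generate for a field whose maxlength is below an assumed minimum, and exposes a regenerate action. The class and function names, the alphabet, and the length limits are all hypothetical.

```javascript
// Added illustration with hypothetical names; not Firefox's implementation.
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;

// Constructed values: alphabet, default length and minimum are assumptions.
const ALPHABET = "ABCDEFGHJKLMNPQRSTUVWXYZabcdefghijkmnpqrstuvwxyz23456789";
const DEFAULT_LENGTH = 15;
const MIN_SECURE_LENGTH = 8;

// Uniform index in [0, n) by rejection sampling, so no modulo bias (n <= 256).
function randomIndex(n) {
  const limit = 256 - (256 % n);
  const buf = new Uint8Array(1);
  do {
    webcrypto.getRandomValues(buf);
  } while (buf[0] >= limit);
  return buf[0] % n;
}

function generate(length) {
  let out = "";
  for (let i = 0; i < length; i++) out += ALPHABET[randomIndex(ALPHABET.length)];
  return out;
}

class GeneratedPasswordCache {
  constructor() {
    this.byOrigin = new Map(); // origin -> password offered this session
  }

  // field.maxLength follows the DOM convention: -1 when no maxlength is set.
  offer(origin, field) {
    const max = field.maxLength >= 0 ? field.maxLength : Infinity;
    // A 4-character PIN-style field must neither get an offer nor seed the cache.
    if (max < MIN_SECURE_LENGTH) return null;
    const cached = this.byOrigin.get(origin);
    if (cached && cached.length <= max) return cached; // stable within the session
    const fresh = generate(Math.min(DEFAULT_LENGTH, max));
    this.byOrigin.set(origin, fresh);
    return fresh;
  }

  // The user-facing "generate a different one" action requested in this bug.
  regenerate(origin, field) {
    this.byOrigin.delete(origin);
    return this.offer(origin, field);
  }
}
```
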

Depends on: 1959288
See Also: → 1892035