Closed Bug 1591354 Opened 6 years ago Closed 6 years ago

Lockwise should suggest using a master password on first use (or otherwise warn passwords are readable without one)

Categories

(Firefox :: about:logins, enhancement)

Product:
Firefox
Component:
about:logins
Version:
70 Branch
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1261977

People

(Reporter: teoteoteoteo, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:70.0) Gecko/20100101 Firefox/70.0

Steps to reproduce:

Let's imagine that my colleague wants to steal my passwords.
Now he can do it by simply opening Firefox.
To reproduce the behaviour:

  • open Firefox
  • install Lockwise (no password authorization is required)
  • open Lockwise
  • see all the passwords!

I was also scared about such an issue when Lockwise was not available, in fact all the password could be known by going into "Preferences" -> "Privacy and Security" -> "Logins and Password" -> "Saved Logins"
but now it is simpler!

Please, correct such an issue asap ... it is really frustrating ... should I delete all my passwords from Firefox???

Actual results:

Let's imagine that my colleague wants to steal my passwords.
Now he can do it by simply opening Firefox.
To reproduce the behaviour:

  • open Firefox
  • install Lockwise (no password authorization is required)
  • open Lockwise
  • see all the passwords!

I was also scared about such an issue when Lockwise was not available, in fact all the password could be known by going into "Preferences" -> "Privacy and Security" -> "Logins and Password" -> "Saved Logins"
but now it is simpler!

Please, correct such an issue asap ... it is really frustrating ... should I delete all my passwords from Firefox???

Expected results:

Ask a "master" password to show all the stored passwords

I'm confused - have you configured a master password? There's an option for this in the preferences ( https://support.mozilla.org/en-US/kb/use-master-password-protect-stored-logins )

Component: Untriaged → Password Manager
Flags: needinfo?(teoteoteoteo)
Product: Firefox → Toolkit
Component: Password Manager → about:logins
Product: Toolkit → Firefox

Well, maybe users should be warned about it as soon as the Lockwise app is opened for the first time?
Personally, I opened Lockwise for the first time, I tried to press on the "eye" to see my password and I realized that it was possible without any password.
Thus I tried to look over the internet with words like "Lockwise privacy" or "secure Lockwise" and I did not find any useful result. And I was worried about it! As a default behaviour everyone can access the passwords of other users that are near him and leave the OS logged.

Thus, as a suggestion it could be useful to ask users to set a master password when he access the tool for the first time, or, at least, have a button in the Lockwise interface to press if you want more privacy on that PC.

In any case, thank you very much for your help.
I think we can close the issue and insert a new suggestion!?

Flags: needinfo?(teoteoteoteo)

We can just morph this into a request to suggest the use of a master password

Group: firefox-core-security
Status: UNCONFIRMED → NEW
Type: defect → enhancement
Ever confirmed: true
Summary: Lockwise allows to access passwords to everyone without any protection → Lockwise should suggest using a master password on first use (or otherwise warn passwords are readable without one)
Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.