Closed Bug 1604209 Opened 6 years ago Closed 4 years ago

master password asked for every login/password copied/edited/revealed in about:logins

Categories

(Firefox :: about:logins, defect, P3)

Product:
Firefox
Component:
about:logins
Version:
72 Branch
Type:
defect

Tracking

()

Status:
RESOLVED WORKSFORME

People

(Reporter: u592880, Unassigned)

Details

(Whiteboard: [passwords:primary-password])

User Agent: Mozilla/5.0 (Windows NT 10.0; WOW64; rv:56.0) Gecko/20100101 Firefox/56.0

Steps to reproduce:

1- Set up Master password
2- Launch browser or access logins/passwords

Actual results:

Asked for master password upon launch and for every single password access

Expected results:

Ideally only asked for the master password once per session (computer session) or, at the very least, ask user whether they really want to be prompted every single time. It makes the use of Master passwords overly burdensome for common users and, therefore, really discouraging.

Summary: master password asked every time → master password asked at every browser launch and for every logins/passwords access

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

It looks like you are using a really old version of firefox. Can you go to about:support and paste the contents here?
Also, when you get the master password prompt, are you cancelling it or entering a correct password?

Flags: needinfo?(anfire)

Hi Sam,
Thanks for your message. I am using Firefox 72.0b7, which I believe is the latest beta version, on MacOS Catalina.
Whenever I get the master password prompt, I enter a correct password. Regardless, the prompt comes back whenever I try to view/copy/edit a password.
I don't know whether this is correct behaviour or a bug; I just have the feeling that asking for the password every single time should be reserved to a higher level of security and that most people would be put off by a constant request for a long and secure master password (when once per session would be sufficient for most users).
Best,

Flags: needinfo?(anfire)
OS: Unspecified → macOS
Hardware: Unspecified → x86_64
Version: 56 Branch → 72 Branch

Are you modifying your User Agent manually?

Flags: needinfo?(anfire)

I do.

Flags: needinfo?(anfire)

*am

Ah, so you're talking about access from about:logins, not from autofill, correct? You should be able to autofill for the rest of the session (unless you cancel a prompt in about:logins) after entering it once.

Flags: needinfo?(anfire)

That's correct. The master password is requested upon launch and upon every attempt to view/copy the password in about:logins. You're right, I am able to autofill without having to re-enter the password.
Quite frankly, if I enter the password during a session, I feel it's fair to give access to other passwords and it seems excessive to ask for it at every use of about:logins. Maybe the master password could be asked once at the opening of about:logins, but not at every single password view/copy. My concern is that this will drive people away from the use of the master password.

Flags: needinfo?(anfire)

(In reply to anfire@nym.hush.com from comment #8)

Maybe the master password could be asked once at the opening of about:logins, but not at every single password view/copy.

Thanks for confirming. That's what we will do in bug 1584126 shortly.

Status: UNCONFIRMED → NEW
Component: Password Manager → about:logins
Depends on: 1584126
Ever confirmed: true
OS: macOS → All
Priority: -- → P3
Product: Toolkit → Firefox
Hardware: x86_64 → All
Summary: master password asked at every browser launch and for every logins/passwords access → master password asked for every login/password copied/edited/revealed in about:logins

Perfect. Happy to help!

No longer depends on: 1584126
Whiteboard: [passwords:primary-password]

I'm a little confused. I created the original ticket to notify the team about this issue and it's been fixed for at least two or more releases of Firefox. Now once you type the master password the first time when viewing passwords in Firefox Lockwise, you don't have to retype it for "a while". I still haven't exactly figured out when and under what conditions I have to retype it but at least now if I keep Lockwise open, I can view any password without retyping it.

Hi Steve, so it sounds like I can close this bug out. Thanks for that information.

As for your comment about "you don't have to retype it for 'a while'", that timeout is set to 15 minutes. So if you do not interact with about:logins for 15 minutes, then the next time you try to copy a password, edit a login, etc. the primary password prompt will appear.

Hope this helps clear things up!

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → WORKSFORME

Wonderful! Thanks for the tip about the 15 minutes and about:logins. I didn't think to look there to change it. 15 minutes is reasonable but sometimes a bit short for me. Thanks again Tim.

Oh, I see now that about:logins isn't where the 15 minute value can be changed. I believe I found it in about:config:

signon.masterPasswordReprompt.timeout_ms 900000

900,000 milliseconds is 15 minutes.

Thanks!

You need to log in before you can comment on or make changes to this bug.