Closed Bug 1626778 Opened 4 years ago Closed 1 month ago

Enable the signon.management.page.os-auth.enabled pref by default once we are satisfied with stability/coverage

Category: Firefox :: about:logins, enhancement, P2
Status: RESOLVED DUPLICATE of bug 1403081
People: Reporter: jaws, Assigned: ssachdev
References: Depends on 1 open bug
Whiteboard: [passwords:os-reauthentication]

The signon.management.page.os-auth.enabled pref was introduced as a way for users to disable authentication due to a couple known issues (bug 1623277 and bug 1624255) and potential unknown issues. This pref should be removed once we are satisfied with the stability of the feature.
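To make the pref discussed here concrete from an auditing side, the following is an added example (not Mozilla's code and not from this bug) that reads a Firefox profile's prefs.js and user.js, which store preferences as `user_pref("name", value);` lines, and reports the effective value of signon.management.page.os-auth.enabled. It assumes Firefox's load order (values in user.js override prefs.js); the sample file contents are constructed, and an absent pref is reported as None because the compiled-in default differs by build and is not stated in this bug.

```python
import re
from typing import Dict, Optional, Union

PrefValue = Union[bool, int, str]

OS_AUTH_PREF = "signon.management.page.os-auth.enabled"

# One pref line as written by Firefox, e.g.
#   user_pref("signon.management.page.os-auth.enabled", false);
# The key is a double-quoted string (with \" and \\ escapes allowed);
# the value is everything up to the closing ");".
_PREF_RE = re.compile(
    r'^\s*(?:user_)?pref\(\s*"((?:[^"\\]|\\.)*)"\s*,\s*(.*?)\s*\);\s*$'
)


def _parse_value(raw: str) -> PrefValue:
    """Convert the textual pref value into bool, int or str."""
    if raw == "true":
        return True
    if raw == "false":
        return False
    if re.fullmatch(r"-?\d+", raw):
        return int(raw)
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        # Undo the two escapes Firefox emits for string prefs.
        return raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    raise ValueError(f"unrecognised pref value: {raw!r}")


def parse_prefs(text: str) -> Dict[str, PrefValue]:
    """Parse prefs.js/user.js text into a name -> value mapping.

    Comment lines and anything that is not a pref() / user_pref() call are ignored,
    mirroring how the file is a write-once dump rather than free-form JavaScript.
    """
    prefs: Dict[str, PrefValue] = {}
    for line in text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("//") or stripped.startswith("#"):
            continue
        m = _PREF_RE.match(line)
        if not m:
            continue
        prefs[m.group(1)] = _parse_value(m.group(2))
    return prefs


def os_auth_state(prefs_js: str, user_js: str = "") -> Optional[bool]:
    """Effective value of the os-auth pref for a profile.

    user.js is applied after prefs.js at startup, so it wins. None means neither
    file sets the pref and the build's compiled default applies (not known here).
    """
    merged = parse_prefs(prefs_js)
    merged.update(parse_prefs(user_js))
    value = merged.get(OS_AUTH_PREF)
    if value is None:
        return None
    if not isinstance(value, bool):
        raise ValueError(f"{OS_AUTH_PREF} should be boolean, got {value!r}")
    return value


# Constructed sample files (not taken from any real profile).
SAMPLE_PREFS_JS = r'''// Mozilla User Preferences
// DO NOT EDIT THIS FILE.
user_pref("app.update.lastUpdateTime.browser-cleanup-thumbnails", 1700000000);
user_pref("browser.startup.homepage", "https://example.invalid/\"quoted\"");
user_pref("signon.management.page.os-auth.enabled", false);
'''

SAMPLE_USER_JS = r'''user_pref("signon.management.page.os-auth.enabled", true);'''


if __name__ == "__main__":
    print("prefs.js only:", os_auth_state(SAMPLE_PREFS_JS))
    print("prefs.js + user.js:", os_auth_state(SAMPLE_PREFS_JS, SAMPLE_USER_JS))
    print("no files:", os_auth_state(""))
```

To run this against a real profile, pass the contents of `<profile>/prefs.js` and, if present, `<profile>/user.js`; a result of False on a profile means OS re-authentication for about:logins has been switched off locally, which is the condition the bug above is about.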

Priority: -- → P2

Please don't remove this, as the OS authentication feature doesn't add any meaningful amount of security. It prevents you from extracting the password from about:logins, but you can still extract the password by going to the site, auto-filling the password, and reading it from the DOM (e.g. document.querySelector("input[type=password]").value). Better yet, you can go to the profile folder and copy out logins.json and key4.db, which gets you all the passwords in unencrypted format. Maybe users want this feature for peace of mind, but I find it a hassle.

(In reply to donaldepage from comment #1)

> It prevents you from extracting the password from about:logins, but you can still extract the password by going to the site, auto-filling the password, and reading it from the DOM (e.g. document.querySelector("input[type=password]").value).

Right, this is the same as other browsers. It's meant to make it harder for casual snooping.

> Better yet, you can go to the profile folder and copy out logins.json and key4.db, which gets you all the passwords in unencrypted format.

Not really, they are always "encrypted" but if you don't have a master password set they are trivial to decrypt. Once a user has local access there are so many ways to extract this data.

> Maybe users want this feature for peace of mind, but I find it a hassle.

Yeah, users complained that we made it too easy to access saved logins by adding the autocomplete "View Saved Logins" footer and the main menu item last year.

> Not really, they are always "encrypted" but if you don't have a master password set they are trivial to decrypt. Once a user has local access there are so many ways to extract this data.

But the OS authentication feature is disabled if you have a master password set, so that attack is always feasible when this feature is active. You say it's meant to prevent casual snooping, but I'm not sure whether having to copy out 2 files from the profile directory is that much harder than setting an about:config setting.

Perhaps rather than removing the pref entirely, you make it hidden instead? If someone knows about the pref, and has time to type it out, they probably also have enough time to email themselves the logins.json and key4.db files.

No, leave this in.

If I need to prevent access to my browser, I will lock my computer, or use Firefox's Master Password. There is no one in my household who will "casually snoop" on my passwords, and even if they did, the serious ones I have saved in a different program (PasswordSafe).

But for a bunch of convenience passwords for low-value sites (each forum seems to have different password requirements), I use the Firefox password manager, and I don't need the impediment of "casual" security via OS password authentication to access them. It's already ceded that "there are so many ways to extract this data," so why the hoops? Keep this in as an option at least, yeesh. >_< If anything, I would like the passwords not to be hidden at all (no "eye")!

(and apropos of this, Bugzilla upon creation of my account did not accept as valid a password which satisfactorily used 3 of the required facets: lower/upper/number).

Depends on: 1636466
No longer depends on: 1636466

I don't get it.

Idea is to prevent "snooping". But it's only active without a master password.

I have a home machine - snooping proof by physical security - so no master password.

I have a travel machine which is locked down - and of course has a master password.

So at home I need to enter another password to "avoid snooping". But in the outside world you just show the entry when I ask.

Exactly what do you mean by "snooping?"

(In reply to Marc Auslander from comment #6)

> Idea is to prevent "snooping". But it's only active without a master password.

That is incorrect. We ask for the master password in all cases where we ask for the OS credentials.

> So at home I need to enter another password to "avoid snooping". But in the outside world you just show the entry when I ask.

See above. You get prompted in the same cases on both machines.

Blocks: 1653516

I solved this problem by switching to BitWarden. Thanks FF!

Summary: Remove the signon.management.page.os-auth.enabled pref once we are satisfied with stability/coverage → Enable the signon.management.page.os-auth.enabled pref by default once we are satisfied with stability/coverage
Depends on: 1706748
Whiteboard: [passwords:os-reauthentication]

While reviewing 2+ year old Nightly differences, I came across this one. Is it ready to ship now?

Flags: needinfo?(jaws)
Severity: normal → S3
Blocks: 1802797

Let's re-triage this, it makes no sense to keep it on Nightly for so long.

Severity: S3 → --
Flags: needinfo?(jaws)
Priority: P2 → --
Flags: needinfo?(sgalich)
Duplicate of this bug: 1808169
Duplicate of this bug: 1863544

Hi all,

Where are we with this?

It's fine for other browsers using Windows authentication.

The main thing is casual snooping imo

"can I just search for something?"

Turns into an easy password theft.

Plus we are already doing it on Android

Thanks

Assignee: nobody → ssachdev
Severity: -- → N/A
Flags: needinfo?(sgalich)
Priority: -- → P2
Duplicate of this bug: 1880030
Status: NEW → RESOLVED
Closed: 1 month ago
Duplicate of bug: 1403081
Resolution: --- → DUPLICATE
No longer blocks: 1653516
Duplicate of this bug: 1880730