[Windows] No "username or password is incorrect" or "account lockout" message is displayed when entering invalid password in the OS auth dialog
Categories
(Firefox :: about:logins, defect)
Tracking
()
| Tracking | Status | |
|---|---|---|
| firefox75 | --- | unaffected |
| firefox76 | + | verified |
| firefox77 | + | verified |
People
(Reporter: cmuntean, Assigned: jaws)
References
Details
Attachments
(2 files)
|
988.70 KB,
image/gif
|
Details | |
|
47 bytes,
text/x-phabricator-request
|
RyanVM
:
approval-mozilla-beta+
|
Details | Review |
no warning message .gif
[Affected versions]:
- Nightly 77.0a1;
- Beta 76.0b4;
[Affected Platforms]:
- Windows 10 x64;
- Windows 7 x64;
- Windows 8.1 x32;
[Prerequisites]:
- Have an OS password set.
[Steps to reproduce]:
- Open the latest Nightly Firefox browser.
- Navigate to the "about:logins" page and select a saved login.
- Click on the "Show Password" button.
- Enter an invalid password in "Windows Security" dialog.
[Expected result]:
- The "username or password is incorrect" message is displayed under the password filed.
[Actual result]:
- No "username or password is incorrect" message is displayed.
[Notes]:
- The issue is also reproducible if the OS have set a lockout policy that blocks the account after failing to login after a defined number in the policy. For example if the "Account lockout threshold" is set to 3 invalid login attempts, the account will be locked if an invalid password is entered 3 times. In this case the user will not see any message displayed that informs him about the "account lockout" and this can be confusing for the users.
- However, I looked how Chrome behaves in this situation and it seems that an message is displayed in both cases. If an invalid password the "The username or password is incorrect" and if the account is locked the "The referenced account is currently locked out and may not be logged on to" message is displayed.
- Attached a screen recording with the issue.
|
Assignee | |
Comment 2•4 years ago
•
|
||
In Firefox we use the CredUIPromptForWindowsCredentialsW function to display this prompt, whereas Chromium uses the older[1] CredUIPromptForCredentialsW function. The documentation for CredUIPromptForWindowsCredentialsW doesn't mention a flag that can be used to show a "Logon unsuccessful" message, whereas CredUIPromptForCredentialsW provides CREDUI_FLAGS_INCORRECT_PASSWORD.
When CREDUI_FLAGS_INCORRECT_PASSWORD is used with CredUIPromptForWindowsCredentialsW, the prompt removes the option to authenticate with anything other than the password, and the username must be manually entered. No message is shown explaining that the password or PIN was incorrect.
We would have to switch to using CredUIPromptForCredentialsW to get the behavior requested by comment #0. It would take some refactoring to use CredUIPromptForCredentialsW and could be do-able for Firefox 77 but probably not upliftable to Firefox 76.
[1] The Microsoft documentation includes this note:
"Applications that target Windows Vista or Windows Server 2008 should call CredUIPromptForWindowsCredentials instead of this function, for the following reasons:
- CredUIPromptForWindowsCredentials is consistent with the current Windows user interface.
- CredUIPromptForWindowsCredentials is more extensible, allowing integration of additional authentication mechanisms such as biometrics and smart cards.
- CredUIPromptForWindowsCredentials is compliant with the Common Criteria specification."
|
||
Comment 3•4 years ago
|
||
This doesn't match what I saw the other day. Chromium is using CredUIPromptForWindowsCredentials and dwAuthError seems to be what you want and that's what Chromium uses. https://docs.microsoft.com/en-us/windows/win32/api/wincred/nf-wincred-creduipromptforwindowscredentialsw
|
|
Assignee | |
Comment 4•4 years ago
|
||
I had been looking at https://source.chromium.org/chromium/chromium/src/+/master:chrome/browser/password_manager/password_manager_util_win.cc;l=436;drc=8b2247ef5a7caa98e3f7d94ef1f0530e981c8803?originalUrl=https:%2F%2Fcs.chromium.org%2F and had not seen their AuthenticateUserNew function.
|
|
Assignee | |
Updated•4 years ago
|
|
|
Assignee | |
Comment 5•4 years ago
|
||
|
|
Assignee | |
Comment 6•4 years ago
|
||
Hi Cosmin, can you please verify the fix in this bug with the following scenarios:
- Providing the wrong password on the current user account.
- Providing the wrong password on the current user account enough times to get locked out of the account.
- Providing a valid username and password combination, but for an account that is not the current user account.
Thanks!
Pushed by jwein@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/94291e5a975b Display login-related error messages in the Windows credential UI upon a failed authentication attempt. r=MattN
|
|
Assignee | |
Comment 8•4 years ago
•
|
||
[Tracking Requested - why for this release]: Improve usability of new feature in Fx76 and give feedback to users when the wrong password is entered.
|
||
Comment 9•4 years ago
|
||
| bugherder | ||
|
Reporter | |
Comment 10•4 years ago
|
||
I have verified this issue and the warning message is correctly displayed. Tested using the latest Nightly 77.0a1 build (Build ID: 20200421094220) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.
Here are the results:
-
Providing the wrong password on the current user account.
Windows 10 x64: The user name or password is incorrect.
Windows 8.1 x32: The user name or password is incorrect.
Windows 7 x64: Logon failure: unknown user name or bad password. -
Providing the wrong password on the current user account enough times to get locked out of the account.
All Windows: The referenced account is currently locked out and may not be logged on to. -
Providing a valid username and password combination, but for an account that is not the current user account.
Windows 10 x64: The user name or password is incorrect.
Windows 8.1 x32: The user name or password is incorrect.
Windows 7 x64: Logon failure: unknown user name or bad password.
|
|
Assignee | |
Comment 11•4 years ago
|
||
Comment on attachment 9141945 [details]
Bug 1629873 - Display login-related error messages in the Windows credential UI upon a failed authentication attempt. r?MattN
Beta/Release Uplift Approval Request
- User impact if declined: No error message shown to user when they provide incorrect login credentials
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: Yes
- Needs manual test from QE?: Yes
- If yes, steps to reproduce:
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Extremely minimal patch, just sets the error code for next iteration.
- String changes made/needed: none
|
||
Comment 12•4 years ago
|
||
Comment on attachment 9141945 [details]
Bug 1629873 - Display login-related error messages in the Windows credential UI upon a failed authentication attempt. r?MattN
Approved for 76.0b7.
|
|
||
Comment 13•4 years ago
|
||
| bugherder uplift | ||
|
||
Updated•4 years ago
|
|
|
Reporter | |
Comment 14•4 years ago
|
||
I have verified this issue and the warning message is correctly displayed on Beta 76.0b7. Tested using the latest Beta 76.0b7 build (Build ID: 20200421231527) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.
|
|
||
Updated•4 years ago
|
Description
•