[Windows] The account is wrongly locked after failing to log in 3 times even if the Windows lockout policy is set to more than 3 invalid logon attempts
Categories: Firefox :: about:logins, defect, P3
Tracking

Version | Tracking | Status
---|---|---
firefox75 | --- | unaffected
firefox76 | --- | verified
firefox77 | --- | verified
People: Reporter: cmuntean, Assignee: jaws
Attachments (2 files)
- 767.11 KB, image/gif
- 47 bytes, text/x-phabricator-request; RyanVM: approval-mozilla-beta+
Description

[Affected versions]:
- Nightly 77.0a1;
- Beta 76.0b6;
[Affected Platforms]:
- Windows 10 x64;
- Windows 7 x64;
- Windows 8.1 x32;
[Prerequisites]:
- Have an OS password set.
- Have at least one login saved.
- Have an account lockout policy set to at least 5 invalid logon attempts.
[Steps to reproduce]:
- Open the latest Nightly Firefox browser.
- Navigate to the "about:logins" page and select a saved login.
- Click on the "Show Password" button.
- Enter an invalid password in the "Windows Security" dialog 3 times.
- Click again on the "Show Password" button and enter the correct password.
- Observe the behavior.
[Expected result]:
- The password is shown.
[Actual result]:
- "The referenced account is currently locked out and may not be logged on to." message is displayed and the password is not shown.
[Notes]:
- I have also compared the behavior with Chrome and the issue is not reproducible. The account is locked only after entering the defined invalid logon attempts.
- I have attached a screen recording of the issue.
Comment 1•4 years ago (Assignee)
The problem is that we are first attempting to authenticate the user with a blank password, then there are three attempts to log in before we stop prompting, and then on the next attempt to show this, we again attempt to authenticate with a blank password, which locks the account from authenticating with the correct password.
Chromium is remembering which accounts have a blank password so they don't keep attempting a blank password. That would be the simplest thing we could do but this still decreases the number of invalid login attempts by 1 for the first time a user attempts to authenticate with Firefox.
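As an added illustration (it is not code from Firefox, from Chromium or from Windows), the following JavaScript models the interaction comment 1 describes: an account-lockout counter that every wrong password increments, no matter who sent it, and a client that first probes with a blank password and then prompts the user up to a fixed number of times. `reproduce()` steps through the reproduction in comment 0 with a lockout threshold of 5, once with the pre-fix cap of 3 prompts and once with no cap; `wrongEntriesUntilLock()` shows the "threshold minus 1" behaviour reported in comment 7, and the optional `knownNonBlank` set stands in for the Chromium approach of remembering which accounts have already failed the blank-password probe. Class names, function names, result strings, passwords and the policy values are constructed for this example; the real Windows logon API and Firefox's OS reauthentication code are not used.

```javascript
// Constructed model of the Windows account-lockout counter. Not the real
// LogonUser/CredUI API: it keeps only the two properties the bug depends on,
// that every wrong password counts against the threshold whoever sent it, and
// that a locked account rejects even the correct password.
class LockoutAccount {
  constructor(password, lockoutThreshold) {
    this.password = password;
    this.lockoutThreshold = lockoutThreshold; // "Account lockout threshold" policy value
    this.badAttempts = 0;
    this.locked = false;
  }

  logon(candidate) {
    if (this.locked) return "LOCKED_OUT";
    if (candidate === this.password) {
      this.badAttempts = 0;
      return "OK";
    }
    this.badAttempts += 1;
    if (this.badAttempts >= this.lockoutThreshold) this.locked = true;
    return "LOGON_FAILURE";
  }
}

// One "Show Password" click, modelled on comment 1. `entries` are the passwords
// the user would type in turn, `maxAttempts` is the client's own cap on prompts
// (3 before the fix, Infinity after it), and `knownNonBlank`, when given, is a
// Set used to remember accounts whose blank-password probe already failed so
// the probe is not repeated (the Chromium behaviour mentioned in comment 1).
function showPassword(account, entries, maxAttempts, knownNonBlank = null) {
  const log = [];
  const tryLogon = (label, candidate) => {
    const result = account.logon(candidate);
    log.push(`${label}: ${result}`);
    return result;
  };

  // Blank-password probe, sent before the user sees any dialog. This is the
  // attempt that silently consumes one of the policy's allowed failures.
  if (!knownNonBlank || !knownNonBlank.has(account)) {
    const probe = tryLogon("probe blank", "");
    if (probe !== "LOGON_FAILURE") return { ok: probe === "OK", log };
    if (knownNonBlank) knownNonBlank.add(account);
  }

  for (let i = 0; i < entries.length && i < maxAttempts; i++) {
    const result = tryLogon(`user ${JSON.stringify(entries[i])}`, entries[i]);
    if (result !== "LOGON_FAILURE") return { ok: result === "OK", log };
  }
  return { ok: false, log }; // user ran out of entries or hit the client cap
}

// Steps from comment 0: lockout threshold 5, three wrong passwords, then a
// second click with the correct password. Passwords are constructed.
function reproduce(maxAttempts, lockoutThreshold = 5) {
  const account = new LockoutAccount("correct-password", lockoutThreshold);
  const first = showPassword(
    account,
    ["wrong-1", "wrong-2", "wrong-3", "correct-password"],
    maxAttempts
  );
  const second = showPassword(account, ["correct-password"], maxAttempts);
  return {
    firstClickOk: first.ok,
    secondClickOk: second.ok,
    locked: account.locked,
    log: [...first.log, ...second.log],
  };
}

// Number of wrong passwords the user can type in one click before the account
// locks when the client imposes no cap. `useCache` warms the knownNonBlank set
// with an earlier successful click so the probe is skipped on the measured click.
function wrongEntriesUntilLock(lockoutThreshold, useCache = false) {
  const account = new LockoutAccount("correct-password", lockoutThreshold);
  const cache = useCache ? new Set() : null;
  if (useCache) showPassword(account, ["correct-password"], Infinity, cache);
  const wrong = Array(lockoutThreshold + 1).fill("wrong");
  const { log } = showPassword(account, wrong, Infinity, cache);
  return log.filter((l) => l.startsWith("user ") && l.endsWith("LOGON_FAILURE")).length;
}

console.log("pre-fix (cap 3):\n" + reproduce(3).log.join("\n"));
console.log("post-fix (no cap):\n" + reproduce(Infinity).log.join("\n"));
```

Run with `node`. With the cap of 3 and a threshold of 5 the second click's blank probe is the fifth failure, so the correct password is then rejected with a lockout, which is the message in comment 0; with no cap the user's fourth entry succeeds and resets the counter. Without the probe cache the user still gets only threshold minus 1 attempts per click, because the probe always spends one; with the cache warmed the full threshold is available.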
Comment 2•4 years ago (Assignee)
Pushed by jwein@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/a11444985419 Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r=MattN
Comment 4•4 years ago (Assignee)
Hi Cosmin, can you please verify this change so we can uplift ASAP?
Comment 5•4 years ago (Assignee)
Comment on attachment 9142140 [details]
Bug 1631835 - Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r?MattN
Beta/Release Uplift Approval Request
- User impact if declined: Users may not get as many login attempts as they have allowed on their machine before we cancel the login attempts for them.
- Is this code covered by automated tests?: No
- Has the fix been verified in Nightly?: No
- Needs manual test from QE?: Yes
- If yes, steps to reproduce: Steps are in comment #0.
- List of other uplifts needed: None
- Risk to taking this patch: Low
- Why is the change risky/not risky? (and alternatives if risky): Removes minimal code that limited the number of attempts to 3.
- String changes made/needed: none
Comment 6•4 years ago
bugherder
Comment 7•4 years ago (Reporter)
I have verified this issue and the account is locked after entering the defined number of invalid login attempts minus 1. For example, if the account lockout policy is set to 5 invalid login attempts, the account will be locked after 4 invalid login attempts. Based on comment 1 this is the expected behavior.
Tested using the latest Nightly 77.0a1 build (Build ID: 20200422093542) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.
I will leave the "qe-verify+" flag set in case the beta uplift request is approved.
Comment 8•4 years ago
Comment on attachment 9142140 [details]
Bug 1631835 - Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r?MattN
Fix seems a bit sub-optimal, but still an improvement over the current situation. Approved for 76.0b8.
Comment 9•4 years ago
bugherder uplift
Comment 10•4 years ago (Reporter)
I have verified this issue on Beta 76.0b8 and the account is locked after entering the defined number of invalid login attempts minus 1.
Tested using the latest Beta 76.0b8 build (Build ID: 20200424000239) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.