Closed Bug 1631835 Opened 4 years ago Closed 4 years ago

[Windows] The account is wrongly locked after failing to login 3 times even if the Windows lockout policy is set to more than 3 invalid logon attempts

Categories

(Firefox :: about:logins, defect, P3)

Desktop
All
defect

Tracking


VERIFIED FIXED
Firefox 77
Tracking Status
firefox75 --- unaffected
firefox76 --- verified
firefox77 --- verified

People

(Reporter: cmuntean, Assigned: jaws)

Attachments

(2 files)

[Affected versions]:

  • Nightly 77.0a1;
  • Beta 76.0b6;

[Affected Platforms]:

  • Windows 10 x64;
  • Windows 7 x64;
  • Windows 8.1 x32;

[Prerequisites]:

  • Have an OS password set.
  • Have at least one login saved.
  • Have an account lockout policy set to at least 5 invalid logon attempts.

[Steps to reproduce]:

  1. Open the latest Nightly Firefox browser.
  2. Navigate to the "about:logins" page and select a saved login.
  3. Click on the "Show Password" button.
  4. Enter an invalid password in "Windows Security" dialog 3 times.
  5. Click again on the "Show Password" button and enter the correct password.
  6. Observe the behavior.

[Expected result]:

  • The password is shown.

[Actual result]:

  • "The referenced account is currently locked out and may not be logged on to." message is displayed and the password is not shown.

[Notes]:

  • I have also compared the behavior with Chrome and the issue is not reproducible. The account is locked only after entering the defined invalid logon attempts.
  • Attached a screen recording with the issue.

The problem is that we first attempt to authenticate the user with a blank password, then allow three attempts to log in before we stop prompting, and then on the next attempt to show the password we again attempt to authenticate with a blank password, which locks the account before the user can authenticate with the correct password.

Chromium is remembering which accounts have a blank password so they don't keep attempting a blank password. That would be the simplest thing we could do but this still decreases the number of invalid login attempts by 1 for the first time a user attempts to authenticate with Firefox.
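As an added illustration of the accounting in the two comments above (not code from the bug, Firefox or Windows): a small Python model in which a simulated account applies a lockout threshold, and a simulated "Show Password" client performs the blank-password probe followed by a bounded or unbounded number of prompts. The account, the client, the password "correct horse" and the keystroke sequences are all constructed for this example; `max_prompts=3` stands in for the behaviour before the fix, `max_prompts=None` for the fix, and `remember_blank_result=True` for the Chromium approach of not re-trying a blank password that already failed.

```python
"""Toy model of the about:logins 'Show Password' reauth loop against a Windows
account lockout policy. Constructed for this example; not Firefox or Windows code."""
from dataclasses import dataclass, field
from typing import Iterator, List, Optional, Tuple

SUCCESS, BAD_PASSWORD, LOCKED = "success", "bad_password", "locked"


@dataclass
class SimulatedWindowsAccount:
    """Minimal model of the lockout policy: every failed logon, including one with a
    blank password, increments the bad-password count; reaching the threshold locks
    the account, after which even the correct password is refused."""
    password: str
    lockout_threshold: int
    bad_count: int = 0
    locked: bool = False
    log: List[Tuple[str, str]] = field(default_factory=list)  # (attempt, result)

    def logon(self, attempt: str) -> str:
        if self.locked:
            result = LOCKED
        elif attempt == self.password:
            self.bad_count, result = 0, SUCCESS
        else:
            self.bad_count += 1
            self.locked = self.bad_count >= self.lockout_threshold
            result = BAD_PASSWORD
        self.log.append((attempt, result))
        return result


@dataclass
class ShowPasswordClient:
    """One 'Show Password' click: a silent blank-password probe, then prompts.
    max_prompts=3 models the behaviour before the fix, None the fix itself;
    remember_blank_result models the Chromium approach described above."""
    max_prompts: Optional[int]
    remember_blank_result: bool = False
    blank_known_wrong: bool = False

    def show_password(self, account: SimulatedWindowsAccount, typed: Iterator[str]) -> str:
        if not (self.remember_blank_result and self.blank_known_wrong):
            result = account.logon("")          # the blank-password probe
            if result != BAD_PASSWORD:
                return result
            self.blank_known_wrong = True
        prompts = 0
        while self.max_prompts is None or prompts < self.max_prompts:
            try:
                entry = next(typed)
            except StopIteration:               # the user dismissed the dialog
                return "cancelled"
            prompts += 1
            result = account.logon(entry)
            if result != BAD_PASSWORD:
                return result
        return "gave_up"                        # client closed the dialog after max_prompts


def session(client: ShowPasswordClient, keystrokes, threshold: int = 5):
    """Click 'Show Password' repeatedly, feeding keystrokes until the password shows,
    the account locks, or the user cancels. Returns (outcome, account)."""
    acct = SimulatedWindowsAccount("correct horse", threshold)
    kb = iter(keystrokes)
    while True:
        outcome = client.show_password(acct, kb)
        if outcome != "gave_up":
            return outcome, acct


def steps_to_reproduce(client: ShowPasswordClient, threshold: int = 5) -> str:
    """The bug's STR: three wrong passwords, then the correct one."""
    outcome, _ = session(client, ["wrong1", "wrong2", "wrong3", "correct horse"], threshold)
    return outcome


def invalid_entries_before_lockout(client: ShowPasswordClient, threshold: int = 5) -> int:
    """How many user-typed wrong passwords Windows counted before the account locked."""
    wrong_forever = (f"wrong{i}" for i in range(1, 10_000))  # bounded so a bad client cannot spin
    _, acct = session(client, wrong_forever, threshold)
    return sum(1 for entry, r in acct.log if entry and r == BAD_PASSWORD)


if __name__ == "__main__":
    for label, client in [("before fix", ShowPasswordClient(max_prompts=3)),
                          ("after fix", ShowPasswordClient(max_prompts=None)),
                          ("chromium-style", ShowPasswordClient(None, remember_blank_result=True))]:
        print(label, steps_to_reproduce(client),
              "wrong entries before lockout:", invalid_entries_before_lockout(client))
```

With a threshold of 5, the model gives the same numbers the comments describe: before the fix the STR ends in a locked account and only 3 user-typed attempts are honoured (the probe burns one per click); after the fix the STR succeeds, but the single probe still means 4 rather than 5 user-typed attempts; the remember-the-blank-result variant loses that one attempt only on its first session.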

Priority: -- → P3
Assignee: nobody → jaws
Status: NEW → ASSIGNED
Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/a11444985419
Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r=MattN

Hi Cosmin, can you please verify this change so we can uplift ASAP?

Flags: needinfo?(cosmin.muntean)

Comment on attachment 9142140 [details]
Bug 1631835 - Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r?MattN

Beta/Release Uplift Approval Request

  • User impact if declined: Users may not get as many login attempts as their machine allows before we cancel the login attempts for them.
  • Is this code covered by automated tests?: No
  • Has the fix been verified in Nightly?: No
  • Needs manual test from QE?: Yes
  • If yes, steps to reproduce: Steps are in comment #0.
  • List of other uplifts needed: None
  • Risk to taking this patch: Low
  • Why is the change risky/not risky? (and alternatives if risky): Removes minimal code that limited the number of attempts to 3.
  • String changes made/needed: none
Attachment #9142140 - Flags: approval-mozilla-beta?
Flags: qe-verify+
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → Firefox 77
QA Whiteboard: [qa-triaged]

I have verified this issue and the account is locked after entering the defined invalid login attempts - 1. For example, if the account lockout policy is set to 5 invalid login attempts, the account will be locked after 4 invalid login attempts. Based on comment 1 this is the expected behavior.
Tested using the latest Nightly 77.0a1 build (Build ID: 20200422093542) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.

I will leave the "qe-verify+" flag set in case the beta uplift request is approved.

Status: RESOLVED → VERIFIED
Flags: needinfo?(cosmin.muntean)

Comment on attachment 9142140 [details]
Bug 1631835 - Remove the limit of 3 attempts for authenticating with the OS account to allow for environments where more than three invalid auth attempts are allowed. r?MattN

Fix seems a bit sub-optimal, but still an improvement over the current situation. Approved for 76.0b8.

Attachment #9142140 - Flags: approval-mozilla-beta? → approval-mozilla-beta+

I have verified this issue on Beta 76.0b8 and the account is locked after entering the defined invalid login attempts - 1.
Tested using the latest Beta 76.0b8 build (Build ID: 20200424000239) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.

Flags: qe-verify+