Closed Bug 1633090 Opened 4 years ago Closed 4 years ago

Remember that a Windows accounts has no password to limit future failed authentication attempts

Categories

(Firefox :: about:logins, defect, P2)

Product:
Firefox
Component:
about:logins
Platform:
Desktop
Windows
Type:
defect

Tracking

()

Status:
VERIFIED FIXED
Milestone:
Firefox 78
Tracking Flags:
Tracking Status
firefox-esr68 --- unaffected
firefox75 --- unaffected
firefox76 --- wontfix
firefox77 --- wontfix
firefox78 --- verified

People

(Reporter: MattN, Assigned: jaws)

References

(Regression)

Details

(Keywords: parity-chrome, regression)

Attachments

(1 file)

Bug 1633090 - Cache the result of the empty password checks. r?cmartin
47 bytes, text/x-phabricator-request
Details | Review

As part of authenticating against the OS when providing access to stored passwords in about:logins, we attempt to check if the user has no password on their account. This will register as a login attempt, and can count against a users allowed number of failed login attempts.

We should cache if the user has no password so we can skip this step in the future. We can use https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/ns-lmaccess-user_info_1 to check the password age and re-attempt if the password has been changed.

Assignee: nobody → jaws
Status: NEW → ASSIGNED

Set release status flags based on info from the regressing bug 1622542

status-firefox75: --- → unaffected
status-firefox76: --- → affected
status-firefox77: --- → affected

Comment on attachment 9143310 [details]
Bug 1633090 - Cache the result of the empty password checks. r?cmartin

Revision D72426 was moved to bug 1631879. Setting attachment 9143310 [details] to obsolete.

Attachment #9143310 - Attachment is obsolete: true
Attachment #9143310 - Attachment description: Bug 1633090 - Cache the result of the empty password checks. r?MattN,cmartin → Bug 1633090 - Cache the result of the empty password checks. r?MattN,agashlin
Attachment #9143310 - Attachment is obsolete: false
Attachment #9143310 - Attachment description: Bug 1633090 - Cache the result of the empty password checks. r?MattN,agashlin → Bug 1633090 - Cache the result of the empty password checks. r?cmartin
Pushed by jwein@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/d6d6a44bc421
Cache the result of the empty password checks. r=cmartin

https://hg.mozilla.org/mozilla-central/rev/d6d6a44bc421

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-firefox78: affectedfixed
Resolution: --- → FIXED
Target Milestone: --- → Firefox 78

Marking as wontfix for 76 and 77 as we are going to disable the feature via Normandy for these releases (https://experimenter.services.mozilla.com/experiments/disable-the-os-authentication-feature-on-windows/).

(Feel free to change the statuses to disabled once we actually disable it)

status-firefox76: affectedwontfix
status-firefox77: affectedwontfix

I have verified this issue and the OS auth correctly count the failed authentication attempts. I have verified this issue using the latest Nightly 78.0a1 (Build ID: 20200510212656) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.

In order to verify this I have used the following scenarios:

  1. Verified if the account is correctly locked after failing to login with the exact number set in the Account Lockout Policy. For example, if the Lockout Policy is set to 5 invalid logon attempts, the account is lockout after 5 invalid attempts.
  2. Verified that dismissing the OS auth dialog is not counted as an invalid login attempt and doesn't lock the account. For example, if the Lockout Policy is set to 5 invalid logon attempts, if the OS auth dialog is dismissed 5 times, the account is NOT locked.

Please let me know if there are any other scenarios to verify this bug.

Status: RESOLVED → VERIFIED
status-firefox78: fixedverified
Has Regression Range: --- → yes
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: