Remember that a Windows accounts has no password to limit future failed authentication attempts
Categories
(Firefox :: about:logins, defect, P2)
Tracking
()
Tracking | Status | |
---|---|---|
firefox-esr68 | --- | unaffected |
firefox75 | --- | unaffected |
firefox76 | --- | wontfix |
firefox77 | --- | wontfix |
firefox78 | --- | verified |
People
(Reporter: MattN, Assigned: jaws)
References
(Regression)
Details
(Keywords: parity-chrome, regression)
Attachments
(1 file)
As part of authenticating against the OS when providing access to stored passwords in about:logins, we attempt to check if the user has no password on their account. This will register as a login attempt, and can count against a users allowed number of failed login attempts.
We should cache if the user has no password so we can skip this step in the future. We can use https://docs.microsoft.com/en-us/windows/win32/api/lmaccess/ns-lmaccess-user_info_1 to check the password age and re-attempt if the password has been changed.
Assignee | ||
Comment 1•4 years ago
|
||
Updated•4 years ago
|
Comment 2•4 years ago
|
||
Set release status flags based on info from the regressing bug 1622542
Comment 3•4 years ago
|
||
Comment on attachment 9143310 [details]
Bug 1633090 - Cache the result of the empty password checks. r?cmartin
Revision D72426 was moved to bug 1631879. Setting attachment 9143310 [details] to obsolete.
Updated•4 years ago
|
Updated•4 years ago
|
Updated•4 years ago
|
Pushed by jwein@mozilla.com: https://hg.mozilla.org/integration/autoland/rev/d6d6a44bc421 Cache the result of the empty password checks. r=cmartin
Comment 5•4 years ago
|
||
bugherder |
Comment 6•4 years ago
|
||
Marking as wontfix for 76 and 77 as we are going to disable the feature via Normandy for these releases (https://experimenter.services.mozilla.com/experiments/disable-the-os-authentication-feature-on-windows/).
(Feel free to change the statuses to disabled once we actually disable it)
I have verified this issue and the OS auth correctly count the failed authentication attempts. I have verified this issue using the latest Nightly 78.0a1 (Build ID: 20200510212656) on Windows 10 x64, Windows 8.1 x32 and Windows 7 x64.
In order to verify this I have used the following scenarios:
- Verified if the account is correctly locked after failing to login with the exact number set in the Account Lockout Policy. For example, if the Lockout Policy is set to 5 invalid logon attempts, the account is lockout after 5 invalid attempts.
- Verified that dismissing the OS auth dialog is not counted as an invalid login attempt and doesn't lock the account. For example, if the Lockout Policy is set to 5 invalid logon attempts, if the OS auth dialog is dismissed 5 times, the account is NOT locked.
Please let me know if there are any other scenarios to verify this bug.
Updated•4 years ago
|
Description
•