Undue password update request when password submitted in <form> is not user-entered password
Categories
(Toolkit :: Password Manager: Site Compatibility, defect)
People
(Reporter: angel.rodriguez, Unassigned)
Attachments
(3 files)
User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0
Steps to reproduce:
I regularly access a site (Funds and tenders Portal of the European Union, https://ec.europa.eu/info/funding-tenders/opportunities/portal/screen/myarea/expertarea). This site requires a password to access. I have the password stored in the passwords list.
The site uses encrypted passwords. That is, after I type my password, it encrypts it before sending it to their servers (I suspect that it is Oracle powered). The encrypted password is different each time.
Actual results:
A pop-up appears offering to update the password. If I accept, the current password is corrupted. So I always decline the offering.
Expected results:
No pop-up offering a password update should appear in these cases (when an encrypted password is sent). Or, at least, have the option of disabling password update for this type of site.
Comment 1•5 years ago
Bugbug thinks this bug should belong to this component, but please revert this change in case of error.
Comment 2•5 years ago
Which exact "password technology" is used if the password is different each time? How do you 'know' your password then?
I do not know which password technology they use.
I always type my current password (actually, it is filled-in automatically by Firefox).
Then, it seems that my password is encrypted and sent to the systems of the European Union.
Firefox thinks [wrongly] that the password was changed, as the password sent is different from the one I typed. And the pop-up appears asking if I wish to change the password stored for this site / account.
Initially, I said Yes several times, and my password was trashed. Then, I figured out what was going on, and I always say No.
Comment 4•5 years ago
The severity field is not set for this bug.
:nalexander, could you have a look please?
For more information, please visit auto_nag documentation.
The stored password is filled in in the password field in the page. The length of the password, as represented by dots, is correct.
... but, when clicking on "Sign in" button, the password is encrypted and sent to the system (note the long series of dots). The password manager [unduly] interprets that the password has changed, and offers to update it. If I accept, the stored password would be trashed.
I have some additional details.
I took screenshots from the page having the issue, and uploaded them with comments.
I hope that they would help to clarify / solve the issue.
Comment 9•5 years ago
Angel: thanks for these details. This issue is related to our password management and form autofill capability, so I'm refiling it as such, and hopefully it will get the right eyes on it.
Comment 10•5 years ago
Hi Angel. Sorry to hear about this, it's a super annoying issue to have to deal with. We're tracking this problem in bug 1600397 and planning to address it as part of a larger series of changes to the doorhanger that are already in progress (see bug 1641406).
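The behaviour reported in this bug, modelled as an added example (not Firefox code and not the change tracked in bug 1600397): a page script rewrites the password field at submit time, and a prompt rule based on the submitted value is compared with one based on the last autofilled or user-entered value. All names are hypothetical, and `siteTransform` is a constructed stand-in because the site's actual scheme is unknown.

```javascript
// Added illustration, not Firefox code. All names are hypothetical.

// Stand-in for the page's submit-time transform: output differs on every call.
// (Not real cryptography; the scheme the site actually uses is unknown.)
function siteTransform(_password) {
  let out = "";
  for (let i = 0; i < 64; i++) out += Math.floor(Math.random() * 16).toString(16);
  return out;
}

class PasswordFieldTracker {
  constructor(storedPassword) {
    this.stored = storedPassword;
    this.lastEntered = null; // last value from autofill or user typing
  }

  // Autofill, or a trusted input event (user typing). Script assignments to
  // field.value fire no input event, so they never reach this method.
  recordEntered(value) {
    this.lastEntered = value;
  }

  // Naive rule: compare whatever is in the field at submit time.
  naiveDecision(submittedValue) {
    return submittedValue === this.stored ? "no-prompt" : "offer-update";
  }

  // Rule that ignores script rewrites: judge the last entered value instead.
  enteredValueDecision(submittedValue) {
    const candidate = this.lastEntered !== null ? this.lastEntered : submittedValue;
    return candidate === this.stored ? "no-prompt" : "offer-update";
  }
}

// Constructed scenario: autofilled login, then the page rewrites the field.
function simulateLogin(stored, typed) {
  const tracker = new PasswordFieldTracker(stored);
  tracker.recordEntered(stored);                          // autofill
  if (typed !== undefined) tracker.recordEntered(typed);  // user retypes
  const submitted = siteTransform(tracker.lastEntered);   // script rewrite
  return {
    naive: tracker.naiveDecision(submitted),
    entered: tracker.enteredValueDecision(submitted),
    submittedLength: submitted.length,
  };
}
```

With an unchanged autofilled password the naive rule offers an update and the entered-value rule stays silent; when the user types a different password, both rules offer the update.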