Closed Bug 1645654 Opened 4 years ago Closed 4 years ago

Undue password update request when password submitted in <form> is not user-entered password


(Toolkit :: Password Manager: Site Compatibility, defect)

77 Branch





(Reporter: angel.rodriguez, Unassigned)





(3 files)

User Agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:77.0) Gecko/20100101 Firefox/77.0

Steps to reproduce:

I regularly access a site (Funds and tenders Portal of the European Union). This site requires a password to access. I have the password stored in the passwords list.
The site uses encrypted passwords. That is, after I type my password, it encrypts it before sending to their servers (I suspect that it is Oracle powered). Encrypted password is different each time.

Actual results:

A pop-up appears offering to update the password. If I accept, the current password is corrupted. So I always decline the offering.

Expected results:

No pop-up offering password update should appear in these cases (when an encrypted password is sent). Or, at least, have the option of disabling password update for this type of site.

Bugbug thinks this bug should belong to this component, but please revert this change in case of error.

Component: Untriaged → Application Update
Product: Firefox → Toolkit

Which exact "password technology" is used if the password is different each time? How do you 'know' your password then?

Flags: needinfo?(angel.rodriguez)

I do not know which password technology they use.
I always type my current password (actually, it is filled-in automatically by Firefox).
Then, it seems that my password is encrypted and sent to the systems of the European Union.
Firefox thinks [wrongly] that the password was changed, as the password sent is different from the one I typed. And the pop-up appears asking if I wish to change the password stored for this site / account.
Initially, I said Yes several times, and my password was trashed. Then, I figured out what was going on, and I always say No.

Flags: needinfo?(angel.rodriguez)

The severity field is not set for this bug.
:nalexander, could you have a look please?

For more information, please visit auto_nag documentation.

Flags: needinfo?(nalexander)

When logging in to the site, I select a stored password.

The stored password is filled in in the password field in the page. The length of the password, as represented by dots, is correct.

... but, when clicking on "Sign in" button, the password is encrypted and sent to the system (note the long series of dots). The password manager [unduly] interprets that the password has changed, and offers to update it. If I accept, the stored password would be trashed.

I have some additional details.
I took screenshots from the page having the issue, and uploaded them with comments.
I hope that they would help to clarify / solve the issue.

Angel: thanks for these details. This issue is related to our password management and form autofill capability, so I'm refiling it as such, and hopefully it will get the right eyes on it.

Component: Application Update → Password Manager: Site Compatibility
Flags: needinfo?(nalexander)
Summary: Undue password update request → Undue password update request when password submitted in <form> is not user-entered password

Hi Angel. Sorry to hear about this, it's a super annoying issue to have to deal with. We're tracking this problem in bug 1600397 and planning to address it as part of a larger series of changes to the doorhanger that are already in progress (see bug 1641406).

Closed: 4 years ago
Resolution: --- → DUPLICATE