password generation keeps suggesting the same password for multiple form submits
Categories: Toolkit :: Password Manager (defect)
People: Reporter: janklopper; Assignee: Unassigned
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:80.0) Gecko/20100101 Firefox/80.0
Steps to reproduce:
We developed a form using the new `autocomplete="new-password"` syntax on a few of its password input fields.
This field allows a user to create new accounts.
For every new user we add, the form suggests the same 'randomly' generated secure new password.
Actual results:
The password field(s) get populated with the same new random password, setting the fresh passwords of multiple new accounts to the same value.
I'm not sure what heuristics are used to generate the new password, but if the generation is based on the URL/form composition or previous browser settings, this might be a security issue. Since it also leaks a password I accepted and stored in my password manager as a valid password, this might be used to re-generate passwords and guess them by manually injecting HTML into the page, bypassing the Firefox master password on shared computers: it would simply give out the same password as the last time someone used that page/domain (not sure what scope we are looking at for the generation) to generate a new password.
Expected results:
We expected the autocomplete functionality to generate a new password on every page visit, or at the very least not reuse an already used random password on a second suggestion after the first was posted.
Comment 1 • 5 years ago
This isn't an issue that can be exploited by an attacker without cooperation from the user - the website cannot force Firefox to produce or use a generated password. So this doesn't need to be hidden.
Comment 2 • 5 years ago
Copying Matt's comment from bug 1652486:
(In reply to Matthew N. [:MattN] from comment #1)
This is intentional and similar to bug 1621599. You can use separate containers, separate private windows or restart Firefox between generating passwords to have it work how you want. We will add an option to generate a new password to make this more clear.
*** This bug has been marked as a duplicate of bug 1569568 ***
Updated • 2 years ago