Open Bug 1699992 Opened 4 years ago Updated 3 years ago

after putting master password to access logins/passwords and reopening ff, new reg form cannot autogenerate password

Categories

(Toolkit :: Password Manager, defect, P2)

Product:
Toolkit
Component:
Password Manager
Version:
Firefox 86
Type:
defect

Tracking

()

Status:
ASSIGNED

People

(Reporter: mailbox, Assigned: dimi)

References

(Blocks 1 open bug)

Details

Attachments

(1 obsolete file)

User Agent: Mozilla/5.0 (X11; Ubuntu; Linux i686; rv:86.0) Gecko/20100101 Firefox/86.0

Steps to reproduce:

  1. put master password to protect logins and passwords
  2. closed ff
  3. opened ff
  4. opened one website reg form

Actual results:

autogeneration of password in password field did not work

Expected results:

Autogeneration of password should work in new reg form.
It started working only after opening Logins and Password in separate tab which requested master password.

Group: firefox-core-security
Component: Untriaged → Password Manager
Product: Firefox → Toolkit
Severity: -- → S3
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P2
Assignee: nobody → dlee
Status: NEW → ASSIGNED

Before this patch, we don't show generated password in the autocomplete
when the primary password is enabled in the following scenarios:

  1. The prompt is already showing
  2. The prompt is cancelled before
  3. The prompt is NOT triggered when autocomplete (no matching found).

Note. This bug hits the scanario #3.

After this patch, we will show generated password in the autocomplete in
all of the above cases with auto save generated password disabled.

It was kind of a prime directive of generated passwords when first implemented that we would never lose (or allow the user to lose) a password we had generated. As we can't guarantee the login capture will happen when a new password has been created - prompting the user to save the login - we implemented autosave of the generated passwords. This means the worst that can happen is the user gets a new login record with the newly generated password and no username.

That's the background for why this bug/feature exists - we don't want to offer to generate a password in circumstances where we can't know if we'll be able to save it. If the user doesnt know the master password either, they could use a password they have no way of recovering.

So, that's the background to this bug. Maybe the value outweighs the risk in this case?

Attachment #9221528 - Attachment is obsolete: true
Attachment #9221528 - Attachment is obsolete: false
Attachment #9221528 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: