Generated passwords are sometimes reused
Categories
(Toolkit :: Password Manager, defect, P3)
People
(Reporter: runar, Unassigned)
References
(Depends on 1 open bug)
Details
Steps to reproduce:
Created a new account on any page and selected "use a securely generated password" to set the password. Logged out to create another account at the same site, and for the new account also selected "use a securely generated password"; I did not select the password used for the old account.
Actual results:
The generated password is the same for both accounts, and there is no option to generate a new password.
Expected results:
The passwords should be different, or there should be an option to generate another password.
Comment 1•3 years ago
The Bugbug bot thinks this bug should belong to the 'Firefox::about:logins' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
Updated•3 years ago
Comment 2•3 years ago
:runar, thanks for filing this bug! This is almost a duplicate of bug 1551723, but I'd prefer to keep this one open for now. Bug 1551723 is focused on the ability to regenerate a password; this one is more about automatically regenerating the password (or somehow bringing it to the user's attention that they may want a new password).
Comment 3•3 years ago
Setting this as NEW since it is reproducible on the latest versions, Nightly 102.0a1 and Firefox 100.0, on Windows 10 x64.
I'd like to suggest that this be bumped in severity.
From the user's perspective it is not clear that they have been offered the same password unless they are paying attention to the actual password being offered, which there's no real reason they should be, as they generally have no intention of trying to remember the password.
To give an example, I just joined a website and set up an account, using Firefox's suggestion for a password. I then created a group on the site, which requires that you set a password for the group. Firefox suggested the same password that I had just used for my user account. There is no indication that this is already a used password, in fact the original password already has an entry on the context menu (under the username I had just created). As this password was intended to be shared with group members in order to join the group, this clearly would have been a disaster.
Obviously I'm open to correction, but I see no reason for Firefox to ever suggest the same password after I've clicked on the "use suggested password" button, or at the very least if I have already clicked on it then it should be moved to another entry (perhaps "previously suggested password").
Yeah, it took me quite a while to find out I was reusing passwords on a site; now I have to change them all. Very annoying. Just because I created multiple accounts on the same site should not make them all use the same 'securely' generated password. It may be securely generated, but it is not a secure password anymore if it is reused :S. What if my password is compromised and I must change my password, and I use a 'securely' generated password again? It is not secure anymore; it is compromised!!! So this feature is really misleading, and I would consider this a security bug, not a normal bug.
Comment 8•1 year ago
Just because I created multiple accounts on the same site should not make them all use the same 'securely' generated password. It may be securely generated, but it is not a secure password anymore if it is reused
This bug and the two it depends on show that we agree this is a problem that could be improved, but creating multiple accounts on the same site in the same Firefox session is an extremely rare thing across Firefox users as a whole. But this could be common for a few who do specialized tasks like admin or testing work.
Comment 11•4 months ago
I strongly disagree with this statement:
multiple accounts on the same site in the same Firefox session is an extremely rare thing
For example, any time a site is compromised, it is necessary to change all passwords for that site. In the case of a mobile phone operator, it is extremely inappropriate to give the same password to multiple members of a family.
Use of the verbal form "Suggest strong password" and then the nominal "securely generated password" is a clear indication that the 'new' password has indeed been freshly created/generated/suggested. If the UI said "Use the password suggested for this site xx hours/minutes ago", then there would be no problem. It does not say that.
While I agree that improvement is possible, it is improvement from a dangerous behaviour which encourages the user to apply insecure passwords, and should be treated as such.
Right now, I have zero confidence in the password uniqueness of a considerable number of existing accounts, and must re-evaluate my threat model to include secret recycling by my password manager. The many reports closed as duplicate, both of this and other related bugs, suggest that I am not alone.
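The behaviour the reporter and later commenters describe (one generated password cached per site and offered again on every subsequent form) next to the design the thread asks for (a fresh suggestion once the previous one has been saved, never re-offering a password already stored for that site), plus a small vault audit that finds the reuse after the fact. This is an added illustration, not Firefox code; the vault layout, class names and the 15-character alphanumeric generator are assumptions of mine and do not mirror Firefox internals.

```python
"""Added example (not Firefox/Mozilla code): two ways a password manager can hand
out generated passwords for a site, reproducing the reported reuse and a mitigated
design. The vault (origin -> list of saved logins) and the generator are assumed."""
import secrets
import string

ALPHABET = string.ascii_letters + string.digits  # assumed character set


def generate_password(length: int = 15) -> str:
    """Cryptographically random password from the assumed alphabet."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


class CachingSuggester:
    """Reproduces the reported behaviour: the first generated password for an
    origin is cached for the session and offered again on every later form."""

    def __init__(self):
        self._cache = {}

    def suggest(self, origin: str) -> str:
        if origin not in self._cache:
            self._cache[origin] = generate_password()
        return self._cache[origin]


class FreshSuggester:
    """Mitigated design: a suggestion stays pending only until it is saved for
    that origin; after that the next form gets a new password. It also never
    offers a password that is already stored in the vault for the origin."""

    def __init__(self, vault: dict):
        self._vault = vault
        self._pending = {}

    def suggest(self, origin: str) -> str:
        used = {login["password"] for login in self._vault.get(origin, [])}
        pending = self._pending.get(origin)
        if pending is not None and pending not in used:
            return pending  # same unsaved form: keep offering the same value
        while True:  # collision with a stored password is astronomically rare
            candidate = generate_password()
            if candidate not in used:
                self._pending[origin] = candidate
                return candidate

    def save_login(self, origin: str, username: str, password: str) -> None:
        self._vault.setdefault(origin, []).append(
            {"username": username, "password": password})
        if self._pending.get(origin) == password:
            del self._pending[origin]  # consumed: do not offer it again


def find_reused_passwords(vault: dict) -> list:
    """Audit: origins where two or more saved logins share a password, which is
    how a user would notice this bug had affected their stored accounts."""
    findings = []
    for origin, logins in vault.items():
        by_password = {}
        for login in logins:
            by_password.setdefault(login["password"], []).append(login["username"])
        for users in by_password.values():
            if len(users) > 1:
                findings.append((origin, users))
    return findings


def demo() -> dict:
    """Create two accounts on one (constructed) site with each suggester."""
    origin = "https://example.test"  # constructed sample origin
    buggy, vault_buggy = CachingSuggester(), {}
    for user in ("alice", "bob"):
        pw = buggy.suggest(origin)
        vault_buggy.setdefault(origin, []).append({"username": user, "password": pw})
    vault_fixed = {}
    fixed = FreshSuggester(vault_fixed)
    for user in ("alice", "bob"):
        fixed.save_login(origin, user, fixed.suggest(origin))
    return {
        "buggy_findings": find_reused_passwords(vault_buggy),
        "fixed_findings": find_reused_passwords(vault_fixed),
    }


if __name__ == "__main__":
    print(demo())
```

The key difference is when the cached suggestion is dropped: tying its lifetime to "saved for this origin" rather than "this browsing session" is what keeps two accounts on one site from sharing a secret, and the audit function is the check a user in this thread's position would run over an exported vault.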