Closed Bug 1830996 Opened 2 years ago Closed 2 years ago

about:logins master password does not lock search

Categories

(Firefox :: about:logins, defect)

Product:
Firefox
Component:
about:logins
Version:
Firefox 112
Type:
defect

Tracking

()

Status:
RESOLVED DUPLICATE of bug 1608687

People

(Reporter: johannes.derrer, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/112.0

Steps to reproduce:

I opened about:logins and searched for a password.
As expected I got the only result with that password without needing to enter the master password.

Actual results:

The search bar in about:logins shows results for passwords without asking for a master password

Expected results:

The search bar should not search for passwords without asking for a master password.

johannes.derrer thanks for sharing your concern with us. Did you enter primary password after opening about:logins? It is asked only once after the browser restart. If you just set primary password, you'd need to restart browser to be prompted.

Flags: needinfo?(johannes.derrer)

Ok you are right, directly after opening the browser it is not possible to open about:logins without a master password.

But if the browser stays open for hours it still is possible.

Then I guess it is a feature request to have a timeout on the login for the about:logins page.

Flags: needinfo?(johannes.derrer)

Yeah, I hear you. For primary password to be of any real use it has to have locking mechanics and memory scrubbing. This is a duplicate of bug 1608687.

If you don't mind, what is the reason for you to use the primary password?

Group: firefox-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 2 years ago
Component: Untriaged → about:logins
Duplicate of bug: 1608687
Flags: needinfo?(johannes.derrer)
Resolution: --- → DUPLICATE

For securing the passwords in my browser. Mainly because if it is not used the passwords are saved in cleartext on the pc and could be read by anybody/any programm that has access to my home folder.

Also the main reason why I switched to firefox from chrome since chrome does not provide any way of encrypting your passwords on linux.

Flags: needinfo?(johannes.derrer)

Even without primary passwords your logins are encrypted and the key is stored as "Firefox Encrypted Storage" in OS keystore (Passwords & Keys on Linux, Credential Manager on Windows and Keychain on MacOS).

Just a word of caution: if anyone can get to your unlocked device, they can install an app to steal your data after you unlock whatever browser or password manager you are using.

Ah good to know. This wasn't the case a few years ago if I remember correctly.

  1. Of course this is possible, but it isn't as easy.
You need to log in before you can comment on or make changes to this bug.