Closed Bug 1874567 Opened 9 months ago Closed 8 months ago

Suggested "secure" password too short; should be a way to specify min length

Categories

(Toolkit :: Password Manager, defect)

Firefox 121

RESOLVED INCOMPLETE

People

(Reporter: jberkus, Unassigned)

Attachments

(1 file)

Attached image Pasted image.png

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:121.0) Gecko/20100101 Firefox/121.0

Steps to reproduce:

  1. Started to create a new online banking account.
  2. Had to create a UserID and password for the account.
  3. Clicked on the password field and looked at FF's password suggestions.

Actual results:

  1. The password suggested by FF's password manager was "58Tf", which was way too short for the rules of the banking site (as it should be).
  2. There was no way to change the minimum password length or ask FF to regenerate.

Expected results:

  1. Firefox should have suggested a reasonable minimum length password (e.g. 8 characters)
  2. There should be a way for the user to configure this minimum length which overrides any metadata from the webform.

Given how the password suggestor works, I suspect that the bank's webform had some kind of bad metadata on the password blank that made FF think that 4 chars was the maximum length. Unfortunately, I had a time limit so I couldn't probe deeply enough into the JS for the page to confirm this. Since other mangled webforms exist, and will always exist, though, the obvious solution is to allow the user to set a minimum password length (and maybe other parameters) that overrides anything from the webform.

The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.

Component: Untriaged → Password Manager
Product: Firefox → Toolkit

The severity field is not set for this bug.
:serg, could you have a look please?

For more information, please visit BugBot documentation.

Flags: needinfo?(sgalich)

:jberkus, thanks for letting us know of this problem. Can you provide a link to that web page so we can investigate? If I remember correctly, the default rules have 12 chars per password, so that must be some sort of misconfiguration.

Flags: needinfo?(sgalich) → needinfo?(josh)

Unfortunately, I cannot. It was a private page for my corporate credit card access; there's no way for you to access it. And the interface was just for new accounts, so I can't go back to it either.

I do think it was something about the webform, though, because the password suggestor continues to work normally on other sites.

Flags: needinfo?(josh)

I see. Unfortunately, there isn't much we can do about it without seeing what's going on.
If you happen to be there again and capture the HTML of that form/inputs (without personal data), please attach it and reopen this bug. Thank you.

P.S. Linking Bug 1650312 for the idea to allow the user to customize the generated length.

Status: NEW → RESOLVED
Closed: 8 months ago
Resolution: --- → INCOMPLETE
See Also: → 1650312
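
One way to do the capture requested above (form inputs without personal data), as an added example that is not part of the bug thread and not Firefox code. The attribute list, the function names and the threshold of 8 are assumptions chosen for illustration; the thread does not establish which form metadata Firefox actually consulted.

```javascript
// Added example, not Firefox code. Run in the devtools console on the form page.
// Assumption: these attributes are the metadata worth sending to a triager.
const KEEP = ["type", "name", "id", "autocomplete", "maxlength",
              "minlength", "pattern", "passwordrules", "required"];

// Reduce one <input> to its constraint attributes; `value` is never copied.
function describeInput(el) {
  const out = {};
  for (const { name, value } of Array.from(el.attributes)) {
    const key = name.toLowerCase();
    if (KEEP.includes(key)) out[key] = value;
  }
  return out;
}

// Collect password-like inputs under `root` and flag any whose maxlength is
// below `shortLimit` (8 is the reporter's "reasonable minimum", an assumption).
function capturePasswordInputs(root, shortLimit = 8) {
  return Array.from(root.querySelectorAll("input"))
    .map(describeInput)
    .filter(d => (d.type || "").toLowerCase() === "password" ||
                 /password$/i.test(d.autocomplete || ""))
    .map(d => {
      const max = parseInt(d.maxlength, 10);
      return { ...d, maxlengthBelowLimit: Number.isInteger(max) && max < shortLimit };
    });
}

// Constructed stand-in for a page (not the reporter's form), for offline runs.
const attrs = o => Object.entries(o).map(([name, value]) => ({ name, value }));
const SAMPLE_ROOT = {
  querySelectorAll: () => [
    { attributes: attrs({ type: "text", name: "userid", value: "jdoe" }) },
    { attributes: attrs({ type: "password", name: "pin", maxlength: "4",
                          value: "58Tf", "data-session": "abc123" }) },
    { attributes: attrs({ type: "password", name: "pw2",
                          autocomplete: "new-password", maxlength: "64" }) },
  ],
};

const root = typeof document !== "undefined" ? document : SAMPLE_ROOT;
console.log(JSON.stringify(capturePasswordInputs(root), null, 2));
```

The printed JSON contains only the listed attributes, so typed values and `data-*` attributes stay out of the attachment.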