Password alerts have no username
Categories: Firefox :: about:logins, defect
People: Reporter: aerilius, Unassigned
Attachments: 1 file (208.32 KB, image/png)
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:144.0) Gecko/20100101 Firefox/144.0
Steps to reproduce:
I opened Firefox's password manager in order to check alerts.
It showed alerts in "Breached websites" and "Vulnerable passwords".
I selected the first item so that I can visit the website, log in and change my password.
Actual results:
Firefox shows neither username (empty) nor the vulnerable password (empty). I am not able to identify the account that I have on that website because I have multiple accounts there. This issue affects not only this single item, but all items in "Breached websites" and "Vulnerable passwords" have no login information.
Expected results:
Just like items in the "No alert" category, they should show a username. If such information is not available from the data breach, explanatory information should be shown to the user about why such information is not available and what to do.
The current issue has the following consequences:
- The user could think Firefox deleted the password from the password manager.
- The user is left helpless about how to identify which account the alert refers to.
Comment 1•11 days ago
The Bugbug bot thinks this bug should belong to the 'Toolkit::Password Manager' component, and is moving the bug to that component. Please correct in case you think the bot is wrong.
For some alerts, one or more entries also exist in "No alert" and those have a password. From these, one can determine the username(s).
The vulnerable entries without password/username showed a timeline bar at the bottom where the last "Used" date is very long ago (e.g. 2011).
When the same account is also listed in "No alert", its creation date is often after that date (e.g. 2022). Then I know that the alerted password wasn't used anymore.
It is not clear what Firefox actually checked against a data breach: The domain, the date (before a data breach), the login or also the password? I assume just the domain and maybe date, which means this false "password entry" without username and password was just meant as a notification to the user to take a closer look whether a password change is necessary. Lots of unnecessary confusion. It should have been clear what the message is.
Updated•10 days ago