Closed Bug 215213 Opened 21 years ago Closed 12 years ago

Password manager will not ask for Master Password before prefilling information

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Platform:
x86
Windows 2000
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED INCOMPLETE

People

(Reporter: corts1, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030624 Once the Master Password is set, Password Manager will fill in the username/password retained in Password Manager when accessing any website which has a retained username/password, without first asking for the Master Password. I have tried logging out of the Password Manager, changing or resetting and entering in a new Master Password, changing the setting when the Master Password needs to be provided (ie, once/session or everytime the username/password is needed). Even exiting and restarting Mozilla Browser after encountering the issue will not cause the Master Password to be requested before the username/password is prefilled. After a while, things with the Password Manager just start acting flaky -- websites prefilled with the username/password require multiple clicks on the "login" link/button before Mozilla will send the user/pass data. Resetting the Master Password (and not setting a new one) clears up the issue of requiring multiple clicks on links in the Browser. Reproducible: Always Steps to Reproduce: 1. 2. 3.
I've seen this in 1.7/1.7.1 as well. It never asks for the master password, regardless of the timeout setting.
Under 1.7.3, trying to protect against the security hole opened by "show stored passwords"... a) the use encryption option needs to be enabled to be enabled before the passwd manager will protect passwords b)the password manger will ask for the master passwd twice before submitting data to a website. (ie, netflix). once before it fills in the data, once when the user clicks submit. Desired behavior: a setting should exist where a master passwd is not required for website use, but is required to view stored passwords.
(In reply to comment #0) Same bug in linux, but only for some sites. See detailed bug report for firefox in debian bug tracking system (includes steps to reproduce): http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=243568 mozilla-firefox 1.0: passwords inserted without password manager
Product: Browser → Seamonkey
Assignee: dveditz → nobody
(In reply to comment #2) > Desired behavior: a setting should exist where a master password is not required > for website use, but is required to view stored passwords. This is crucially important. I happen to want to protect my passwords from being viewed in the options, but I do NOT want it to prompt me for my master password at every site that it happens to try and pre-fill the password field. That behavior is just extremely annoying, especially on sites like ESPN where the password field is on EVERY PAGE, and I don't always need to log in. Maybe have an option similar to the current behavior, but where it will prompt you for your master passwrd for pre-fill purposes ONLY when you physically click on the respective password field, and otherwise, leave it blank. That would keep the security feature of this option, but remove the annoyance factor that it breeds by prompting you before you are ready. This would be seamless to use. You would click the password field you want, like you were going to type in the password, and it would prompt you for your master password, you would type that, hit Enter, it would fill in the field with the stored password, and then you could hit Enter again to actually log in. But besides that possibility, we need a simplified version of this option that doesn't deal in protecting pre-fills at all, and just protects the view passwords feature in the options.
Might we create a new bug report regarding this in Firefox? I just realized this bug report is for the MAS, and is extremely old.
QA Contact: tpreston
Please re-try with current SeaMonkey 2.x or a supported Firefox version. If this still happens, this is a toolkit issue.
Status: NEW → UNCONFIRMED
Component: Passwords & Permissions → Password Manager
Ever confirmed: false
Product: SeaMonkey → Toolkit
QA Contact: password.manager
Status: UNCONFIRMED → RESOLVED
Closed: 12 years ago
Resolution: --- → INCOMPLETE
You need to log in before you can comment on or make changes to this bug.