Closed Bug 222408 Opened 18 years ago Closed 7 years ago

implement master password timeout functionality + UI

Categories

(Core :: Security: PSM, enhancement)

enhancement
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: ostap, Unassigned)

References

(Blocks 1 open bug, )

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

I can set the timeout value after "It has not been used for" but I'm missed the
button to "submit" the settings. 

Reproducible: Always

Steps to Reproduce:
1. go to the url chrome://pippki/content/pref-masterpass.xul
2. select the last radio button
3. enter the timeout
4. look for the submit button ;)
Actual Results:  
timeout settings are not stored

Expected Results:  
we expect a new timeout to be set

standard firebird 0.7 installation + Flash  + ?Acrobatreader6.0 plugin
This isn't supported yet. -> enhancement; all/all;
-> password manager, reassigning and confirming.
-> blocks bug 218694.
Assignee: blake → bryner
Blocks: 218694
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Preferences → Password Manager
Ever confirmed: true
OS: Windows 2000 → All
QA Contact: mpconnor → davidpjames
Hardware: PC → All
Summary: can not submit master password timeout → implement master password timeout functionality + UI
*** Bug 261192 has been marked as a duplicate of this bug. ***
*** Bug 268298 has been marked as a duplicate of this bug. ***
*** Bug 304929 has been marked as a duplicate of this bug. ***
Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
Assignee: bryner → nobody
Version: unspecified → Trunk
*** Bug 343043 has been marked as a duplicate of this bug. ***
wasn't this supported in earlier versions of Fx?
Don't think so: the prefs security.password_lifetime and security.ask_for_password are just used to set the values in the pref-masterpass window, and its handling script actually sets them internally in nsPK11TokenDB, so if you don't go through a working pref window that lets you call something like http://landfill.mozilla.org/mxr-test/seamonkey/source/security/manager/pki/resources/content/pref-masterpass.js#73 then you haven't actually set anything.
*** Bug 326755 has been marked as a duplicate of this bug. ***
Product: Firefox → Toolkit
We just had a user request this.
Ubuntu Bug:
https://bugs.launchpad.net/bugs/407615

Also, possible duplicate: Mozilla Bug 155739

There appears to be an addon as well for this:
https://addons.mozilla.org/en-US/firefox/addon/1275

But it seems reasonable to have this in the UI.
The add-on Micah mentions does not work.
Is this the right bug for master password reentering prompt after some inactivity period?
I have the same question. Suspect that 3.6.10 has incorporated "require password on return from sleep/hibernate. That's a good thing a good thing for laptop users (in case the computer gets stolen while asleep, but a pain in the neck for desktop users who live with their systems -- likelihood is that this will prove enough of a nusiance to turn off the master password). Make "forget password on sleep/hibernate" an option?
Duplicate of this bug: 503831
Component: Password Manager → Security: PSM
Product: Toolkit → Core
It's generally agreed among UX/Engineering/Product that we don't want to further develop the existing master password functionality, as it's a poor fit for current needs and our current direction in this area.
Status: NEW → RESOLVED
Closed: 7 years ago
Resolution: --- → WONTFIX
Duplicate of this bug: 383229
@Justin: are you implying that "master password" will be phased out or will be left alone in foreseeable future?
(In reply to Justin Dolske [:Dolske] from comment #15)
> It's generally agreed among UX/Engineering/Product that we don't want to
> further develop the existing master password functionality, as it's a poor
> fit for current needs and our current direction in this area.

Is there an alternative planned? Would you rather we have a password manager that is not at all secured?
Right now it asks again for the master password every single time you select 'show passwords' even if twice in 10 seconds.
The only issue is if you leave your computer unattended with Firefox running and the master passpharse has already been entered, someone can log onto your gmail etc... accounts without knowing your password.
This is mitigated by people running screen lockers and screensavers.
If the master password is relocked every 30 minutes, this still leaves Firefox able to log onto websites for 30 minutes which is actually longer than most screenlockers/screensaver timeouts. Many users will also thing "hmm...I just typed in the master password 30 minutes ago. this must be a bug".

KDE's kwallet relocks when the last application accessing the keychain closes which is analogous to Firefox requiring that you re-enter the master password every time you restart firefox and access a website that wants a password. You could make firefox lock the master password again when all websites/tabs that have requested a password are closed but it is not easy to tell the user that the keyring is in use/not in use/relocked without major UI changes.
You need to log in before you can comment on or make changes to this bug.