Closed Bug 222589 Opened 21 years ago Closed 17 years ago

Password manager only stores password plus one other field

Categories

(Toolkit :: Password Manager, defect)

Product:
Toolkit
Component:
Password Manager
Platform:
x86
All
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: pja, Unassigned)

References

(
URL
)

Details

(Keywords: regression)

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7 In Firebird 0.7, Password Manager only seems to store simple user-id/password combinations. If a password is associated with two other values (e.g. a user-id and a mail-server), only one value is remembered. I've looked at the signons.txt file to verify that the information is not stored. Reproducible: Always Steps to Reproduce: 1. Browse to http://mailreader.com/mr2/cgi-bin/nph-mr.cgi 2. Enter user-id, mailserver and password for a POP3 account 3. Select Yes when Firebird asks if you want to store details 4. Logout and return to http://mailreader.com/mr2/cgi-bin/nph-mr.cgi 5. Firebird should fill in the fields for you Actual Results: Only the mailserver and password are filled in; username is blank. Checking the signons.txt file confirms that the username (configLogon) was not stored. Expected Results: It should have stored both the username and mailserver along with the password. I've checked with a recent version of Mozilla (1.5), and this problem is not present. I first noticed it with the 0.7 release candidate; it worked with all previous versions of Firebird.
Summary: Password manager only stores password plus on other item → Password manager only stores password plus one other item
I can reproduce this with Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031016 Firebird/0.7+. Moving to password manager component and reassigning. I think I've seen a similar bug, but I can't find it right now.
Assignee: blake → bryner
Component: General → Password Manager
QA Contact: davidpjames
I'm sure I've seen something like this as well, but I can't seem to find it either (maybe it was in the forums?). Autocomplete doesn't kick in to fill out the username field either once you start typing it. Confirming until someone can find a dupe (if one exists). This is also a regression resulting from the password manager change.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Keywords: regression
OS: Windows 2000 → All
Whiteboard: dupeme
I've found it, it's bug 221842, but that complains about storing _too much_ items. It was reported with 0.6.1, e.g. before the password manager change, so it's probably worksforme now.
Whiteboard: dupeme
I suggest wontfix based on the number of dups bug 153986 got.
Jesse: How is this bug related to bug 153986? I can understand why you duped bug 221842 against it, but what relationship does either have to this one other than the fact that Steffen and I thought we had seen something with a similar summary? This one is about saving form info in more than two fields, that was about wrong info being presented in various fields (most notably at mozillazine.org).
Summary: Password manager only stores password plus one other item → Password manager only stores password plus one other field
I think this bug is the opposite of bug 153986, based on my knowledge of one instance of bug 153986 (mozillazine talkback). I could be wrong.
Firebird doesn't suffer from bug 153986 at the moment. I tested this with Mozilla 1.5 as well as with my Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.6a) Gecko/20031018 Firebird/0.7+ on Mozillazine talkback: Mozilla stores username, password and title. Mozilla doesn't display the "title" in its password manager, but if you revisit the site, it asks for the username to be used and then fills these three fields. On the other hand, Firebird only stores username and password. Storing additional fields might cause the behaviour of bug 153986. But this doesn't necessarily mean that we shouldn't do it (=wontfix); it only means we have to be careful to avoid bug 153986.
Regarding the last comment, it should be easy to avoid such a bug. By only remembering other fields that are not textboxes -- e.g. only the dropdown menu and checkbox on TD Waterhouse's login page -- remembering other fields will be a great, no-downside addition to Firefox. (People say they won't use newer versions cuz of blah blahs, but I'm still using Firebird 0.6.1+ because of this very issue. Not that I'm threatening anyone...)
bug 237656 could either be a dupe of this or this bug might block that one. Either way I think whoever might be looking at this one might want to look at that bug as well. (sorry, still trying to learn this whole bugzilla deal :)
I've just discovered that this bug is *not* present on current the Linux version of Firefox (0.91) i.e. Firefox successfully remembers and re-populates the contents of more than two fields. Is anyone actually looking into this?
Why hasn't this been fixed yet? It worked perfectly (inlcuding latest 1.7 version) in Mozilla; why not use their code?
*** Bug 270053 has been marked as a duplicate of this bug. ***
Still present in 1.0. Seems kinda silly to have this broken for so long, when Mozilla's been getting it right for so long. Possibly some more info: [Important background] I've just converted a profile from Mozilla 1.7 to Firefox 1.0. Moz's PM had saved the data for https://www.openair.com/index.pl (company name, user ID, and password). Moz had also saved the username and password for an IMAP mail server. After converting the profile and copying blah.s to signons.txt, and successfully using the PM on other sites, I found that FF only fills out the company name and user ID at openair.com. Interestingly, pulling up the Firefox PM shows that the openair.com site now had two entries instead of one. The second entry had the openair username and the IMAP password. (!) The main entry for the IMAP connection had of course been deleted, since FF isn't a mailreader. Some funky data corruption going on there.
This happens at the login page for www.cingular.com. They use 3 seperate text boxes for the username and one text box for the password. The 3 seperate boxes conform to the different parts of your phone number ie. area code, exchange and number. Firefox 1.0 only remembers the last box and the password box. Mozilla doesn't have this problem.
(In reply to comment #13) Confirming this behaviour. Mozilla 1.7+ has no problems with sites with more than 2 login fields (e.g. id number, login name and password), but firafox fails and mixes up data for different sites if one site has more than2 entries. I think its a rather serious data corruption issue. Migrating to firefox 1.0 from Mozilla can lead to data loss!
Suprisingly, copying Mozilla 1.7.5 password file to Thunderbird and looking at the stored passwords list this data corruption problem is completetly missing!! So I would suggest to check the password management code of Firefox against the code in Thunderbird.
Phil, Katona: the import corruption bug should be filed as a separate bug.
*** Bug 290762 has been marked as a duplicate of this bug. ***
*** Bug 291746 has been marked as a duplicate of this bug. ***
You can see this on sites which use multiple input boxes for the username https://www.aeroplan.com/en/home/index.jsp I'm a member of the above frequent flyer club - and have Firefox set to remember the password for the site. The problem is that the username (actually my card number) is split across three boxes - 123 123 123. Firefox will only submit the last three digits plus the password
*** Bug 306737 has been marked as a duplicate of this bug. ***
I have a similar but different case. https://onlinebanking-nw.bankofamerica.com/login.jsp?statecheck=WA This page has 1 username field but 2 password fields, which in Mozilla it works fine (after bypassing autocomplete=off) but in Firefox it only stores the first password.
*** Bug 327218 has been marked as a duplicate of this bug. ***
*** Bug 328819 has been marked as a duplicate of this bug. ***
Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
*** Bug 319639 has been marked as a duplicate of this bug. ***
Assignee: bryner → nobody
Version: unspecified → Trunk
Another example - Second Life: https://secondlife.com/account/login.php?type=second-life-member&nextpage=/account/index.php Gets last name and password, but not the first name. Somewhat annoying. :-) Is there anyone to assign this bug to? It has 35 votes now . . .
This is still broken in 2.0b2 :( - what's so difficult in using Mozilla's code?
... and what about an option which allows saving everything but the password? Currently, FF saves all or nothing, where the "all" choice is a little bit insecure ;) ...
(In reply to comment #29) > ... and what about an option which allows saving everything but the password? > > Currently, FF saves all or nothing, where the "all" choice is a little bit > insecure ;) ... Good idea, but it's unrelated to this bug (I think?). File a new one (if it doesn't already exist) about this feature request. :)
In comment #29, please do s/saves/is supposed to save | would save if it worked/
--> WONTFIX. As earlier comments note, Mozilla Suite bug 153986 had lots of dupes because it was saving (and refilling) too many fields and causing problems. I don't see any good way to heuristically determine what extra form elements should and shouldn't be saved... Anything you do might be nice on a few sites, but would break other sites. This kind of functionality is best left to a 3rd party password/form manager. If a reliable algorithm with minimal UI can be demonstrated there, we might then revisit the issue.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Why not simply display a dialog on pages with more than two fields with the field names and a checkbox [Store], something like: What field do you want to store in password manager for this site/login? Prefix [X] Suffix [X] Password [X] Subject [X] Always do like this for the site [www.example.tld] [*.example.tld]
Why is this marked as WONTFIX? I see that the bug was marked as WONTFIX because of a similar, yet unrelated bug five years and three major versions ago. What is the procedure for removing the WONTFIX status? We have lists of websites that cannot be logged into, and we have solutions proposed.
Product: Firefox → Toolkit
If someone would help me I would love to fix this in an extention.
@Brian: I can help you beta test.
Brian, I will gladly help you test an extension, not sure what you have in mind but the solution proposed in comment #34 seems like a good way resolve it without having to get bogged down in heuristics. Looking at bug 472953 it seems that you might have a need to encrypt two passwords in some scenarios. Looking at the comments here and in the various bugs that are duped to this one, it seems that such an extension would be very well-received.
For an example of a website who's login form is two password fields (and therefore does not work with Firefox's password manager) see here: http://aleph.technion.ac.il/F?func=bor-info
(In reply to comment #43) > therefore does not work with Firefox's password manager s/Firefox's/Firefox's, Internet Explorer's, Safari's, Opera's, or Google Chrome's/, since the only one of those that tries to save anything is Chrome, and it only saves one, as a password with no username. (And that's probably not an accident, since libraries tend to think of privacy and public computers first (second, and third), and convenience on private computers later if at all. I look forward to seeing the extension's heuristic for telling a two-password login form from a no-confirmation password change form from a "okay, you gave your old password correctly, now type the new password twice" form.
@Phil: I have no idea what works and what is broken in those other browsers nor does it interest me, I don't use them. What does interest me is getting Firefox to be the best browser that it could be, with no regard as to what features are missing or bloating other browsers. If a problem is identified in Firefox what does it matter that some other web browser has a similar problem?
What about comment 33 and comment 36 ? Why is this a WONTFIX without even commenting on the proposed solution?
Why there is nobody working on it? IE 7 and even IE 6 did not had that password recognition problem. I changed to firefox due to the security advantage against IE, but I feel not good as a problem is well known since 2003!! and nothing happened to solve it.
(In reply to comment #49) > Why there is nobody working on it? While I appreciate your desire to have this implemented, the reason no one is working on it is that everyone working on Firefox is working on things they consider more important. If this issue is important for you, consider volunteering to design the implementation and write the code.
The amazing this is that this code already exists! Mozilla 1.5 and earlier did the trick ...
You need to log in before you can comment on or make changes to this bug.