Open Bug 232050 Opened 21 years ago Updated 13 years ago

Option to See Master Password

Categories

(SeaMonkey :: Passwords & Permissions, enhancement)

Product:
SeaMonkey
Component:
Passwords & Permissions
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
REOPENED

People

(Reporter: david, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113
Build Identifier: Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.6) Gecko/20040113

On the Prompt popup for entering my master password, provide an option (via a
checkbox) for me to see the password I am entering.  This checkbox should always
appear unchecked (hide the password as asterisks), thus requiring the user to
invoke the option each time the master password is entered.  

Reproducible: Always

Steps to Reproduce:



Expected Results:  
If I don't select the checkbox, the master password should appear as asterisks
(as now).  If I do select the checkbox, I should see exactly what I am typing.  

If I am working alone (where no one can observe what I type), I want to see what
I am entering as a master password.  This option would allow me to catch any
typo while entering the password.   

PGP has such an option on its popup for entering a "pass phrase".  This too is
an option that must be invoked every time the popup appears.
Today, I had to enter my master password four times before I got it correct.  I
just could not see my typos.
Product: Browser → Seamonkey
This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

Mozilla/5.0 (Windows; U; Win98; en-US; rv:1.7.12) Gecko/20050915

I still consider this a very useful enhancement.  The justification as
originally stated in the Description is still valid.  

Almost every day, there is at least one session where I have to retype my master
password, sometimes three or four times, because I "fat fingered" when typing. 
My master password is not a single word; it's a phrase with spaces and
punctuation.  If I realize that I mistyped, I have no idea how far back to erase
to correct it.  Instead, I have to blank the input area and start from the
beginning.
Assignee: dveditz → nobody
I believe this is an unacceptable from a security perspective.  I understand why you want it, but would recommend against adding it.  You could always type your password somewhere else and copy/paste it...
I am merely requesting the same capaiblity for the Password Manager that is given by PGP when inputting my passphrase.  

When I go to sign or decrypt a message or file or decrypt with PGP, the dialogue popup contains a checkbox that is initially checked.  The box is labeled "Hide Typing".  I have to clear the checkbox to see the cleartext of what I type as my passphrase.  If I go to sign or decrypt again seconds later, the checkbox is again checked.  The default is thus safety: hiding what I type.  

How is it unsafe for me to see my master password when I type it, if I am in my office at home (on the 2nd floor) and no one else is at home?  Let me be the judge of my safety, especially if the default does indeed hide my master password.  
a minor flaw - if one were to type full or partial password and walk away without committing it, someone else could then expose the pwd. 

But that's minor IMO, sorry, to what I feel would needless UI.  And there are many workarounds for fat fingers (and poor memory), which is what you propose this would fix.
The only suggested workaround is to copy and paste the master password from some other file.  My master password exists only in my head.  Putting it on my PC so that I could copy and paste it would create a risk orders of magnitude greater than what this enhancement would provide when I am home alone:  an option to expose the master password in cleartext.  
We're really, really unlikely to do this. If you really want this functionality I recommend hanging out on irc.mozilla.org and finding someone you can interest in hacking up a small extension to do this -- just overlay commonDialog.xul to read a pref and change "password1Textbox" to type text, or do it always, or even go as far as you suggest and add a checkbox.

The popularity of such an extension might influence our notion of whether the feature is worth the dialog clutter.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Thanks to Daniel for his exact description.

With this it was not very hard to code the extension:
https://addons.mozilla.org/thunderbird/addon/6143/

@Developers: Would you please review the code and leave a comment to reassure the users...
@Daniel,

if you suggest to not include this for everyone, you should consider to set the status to WONTFIX.
Please leave this RFE open (not WONTFIX) at least until after there has been a peer review of the extension.  
This isn't the place to request such a review, and if you have trouble entering your passphrase, why not enter it in another program (like a text editor) and paste it into the dialog?
The extension cited in comment #9 is not the same as the one you sent me to try.  The comment #9 version does NOT work with SeaMonkey and has different MD5 and SHA1 hashes.  
Oops!  

I forgot to terminate and restart SeaMonkey after installing the extension.  It does work.  I feel stupid.  
I now have minor disabilities in both hands, affecting my thumbs and middle fingers.  Those fingers do not always work the way I want them to work, including typing passwords.  Thus, this RFE is even more important to me.  

The extension Show Password On Input (current version 0.1.1 at <https://addons.mozilla.org/en-US/firefox/addon/6143/>) meets all my requirements and expectations.  While I don't generally believe bug reports should be closed merely because of the existence of an extension, I would make an exception in this case.  

However, the extension is still in "sandbox" (experimental) status.  Until it is promoted for general (non-experimental) use, this bug report should remain open.  

(In reply to comment #15)
> The extension Show Password On Input (current version 0.1.1 at
> <https://addons.mozilla.org/en-US/firefox/addon/6143/>) 
> [...] is still in "sandbox" (experimental) status.  Until it
> is promoted for general (non-experimental) use, this bug report should remain
> open.  

I started nomination for public acces at least twice, but the editors were always complaining about too few reviews!
So it's up to you all to write reviews for this extension. Maybe someone can give me some advice how to persuade the editors to make this addon public...

I would even agree if someone else would like to publish it as "his own" to make it public on AMO - please contact me in this case to remove it as "my" addon.
The SeaMonkey team will not fix this.
Status: NEW → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX
Giermann's extension had 12,287 downloads.  Then with Firefox 4 and SeaMonkey 2.1, it was broken -- incompatible.  See comment #15 regarding why this is an accessibility issue.  Thus, I am reopening this RFE bug report.  

See Jakob Nielsen's "Stop Password Masking" at <http://www.useit.com/alertbox/passwords.html> for further justification for this RFE.  Nielson is a professional consultant on Internet useability issues.
Status: RESOLVED → REOPENED
Resolution: WONTFIX → ---
Giermann has updated his extension to v.0.1.4, which works with SeaMonkey 2.1RC1 and likely with Firefox 4.  However, the new version is not yet available through addons.mozilla.org.  This merely illustrates why extensions are not the best way to implement very desirable features:  They must be updated post hoc when interfaces change instead of being kept current with their interfaces.
Today I received the Review-Response; it should be available to public now.
Note that the Show Password On Input now requires an AMO override for compatibility with current versions of Mozilla-based products.  That would not be necessary if this RFE were implemented.
You need to log in before you can comment on or make changes to this bug.