Disable "show passwords" feature

VERIFIED WONTFIX

Status

()

Toolkit
Password Manager
VERIFIED WONTFIX
14 years ago
8 months ago

People

(Reporter: Brian Ryner (not reading), Unassigned)

Tracking

unspecified
Future
Points:
---
Bug Flags:
blocking1.8b5 -

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: userChrome.css solution -- see comment 22)

Attachments

(1 attachment, 1 obsolete attachment)

1.74 KB, patch
Details | Diff | Splinter Review
(Reporter)

Description

14 years ago
Per aviary meeting a few weeks ago, we decided that "show passwords" without an
enforced master password (which we're currently avoiding) is just too prone to
casual password snooping if someone leaves their computer unattended.  We're
going to disable this feature with a pref for now and revisit it post-1.0.

(It's obviously trivial for an extension to enable this functionality or to
provide it even if we didn't have a pref.  The idea is simply to limit the
visiblity of this; unless you have a master password set anyone who has access
to your browser can get your passwords if they really want to.)
(Reporter)

Comment 1

14 years ago
Created attachment 159184 [details] [diff] [review]
patch

pref it off
(Reporter)

Updated

14 years ago
Attachment #159184 - Flags: review?(firefox)

Comment 2

14 years ago
Heh, it was you who reviewed my patch to add that button (bug 239241) :)

If someone really wants to steal the password - and who else would dare trying
to do that -, he can
- set your new pref to true
- set a master password, should we decide to enforce it and the user hasn't set
it himself already
- copy the passwords file and decrypt it at home
- just log in to any site using that computer and do harm to the user

So hiding/removing the button doesn't add that much to security. On the
contrary, having the Show Passwords mode tells the user to not leave his
computer unattended and unlocked, and by all means not store the password for
his online banking account.

I think we should encourage the use of the master password instead.

Comment 3

14 years ago
*** Bug 252080 has been marked as a duplicate of this bug. ***
One person has already stated at MozillaZine that he will not use Firefox as
long as he is incapable of finding the time to set a master password to protect
his passwords.

http://forums.mozillazine.org/viewtopic.php?t=143854

Unless the master password ideal is pushed _hard_, the risks associated with
someone getting the plaintext passwords from an unattended machine is quite
large IMVHO.
*** Bug 264346 has been marked as a duplicate of this bug. ***

Comment 6

13 years ago
The difference here is that Show Passwords can be done by anyone - the other
ways of showing passwords require a relatively very technically proficient user
to gain access to the machine.

This is IMHO a vast improvement.

Comment 7

13 years ago
it looks like this never made it onto the branch. weren't we supposed to take this?
Flags: blocking-aviary1.0+
(In reply to comment #7)
> it looks like this never made it onto the branch. weren't we supposed to take
this?

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.3) Gecko/20041024 Firefox/1.0
(daihard: P4/SSE2) has the Show Passwords feature. Whether or not it has
disappeared since the branch closure is something I can't verify yet.

Comment 9

13 years ago
This wasn't checked in yet. And I'm not convinced that we should hide this
feature, see comment 2.
How about the Show passwords button is disabled unless a non-null master
password is set?  Shouldn't hat keep everyone happy?

Comment 11

13 years ago
> How about the Show passwords button is disabled unless a non-null master
> password is set?
Then the attacker merely has to set a master password to enable the button. See
comment 2 :)

Comment 12

13 years ago
What about a password set dialog for the first time ff is run or the first time
a p/w is saved. This password could be spun as a reason ff is more secure.
Putting it in the installer would make large scale distributions hard.
Comment on attachment 159184 [details] [diff] [review]
patch

Doesn't just hiding it with a pref keep it pretty easy to get the passwords?
All you have to do is change the pref and then click the button.

Comment 14

13 years ago
(In reply to comment #12)
> What about a password set dialog for the first time ff is run or the first time
> a p/w is saved. This password could be spun as a reason ff is more secure.
> Putting it in the installer would make large scale distributions hard.

This should be either the first time a password is saved or at stored password
profile migration.

Comment 15

13 years ago
too late for this feature in 1.0,  should make the next release
Flags: blocking-aviary1.0+ → blocking-aviary1.0-

Comment 16

13 years ago
The show passwords feature could be disabled for 1.0 though, and then revisited
later.

Comment 17

13 years ago
This bug should be changed to include the Mozilla Suite and Thunderbird as well.
They are all affected products.

Comment 18

13 years ago
*** Bug 262413 has been marked as a duplicate of this bug. ***

Comment 19

13 years ago
*** Bug 251190 has been marked as a duplicate of this bug. ***

Comment 20

13 years ago
I've marked two Thunderbird bugs as dupes of this one. Unsure of how to change
the Product to include Thunderbird and Firefox. Should it be "Mozilla
Application Suite"? I haven't used the main Mozilla application in eons, so I
have no idea if it even has the "View Saved Passwords" button or the Password
Manager.
Flags: blocking-aviary1.1?
Blocks: 274889
*** Bug 286650 has been marked as a duplicate of this bug. ***
For those who must have this feature right now put the following in your
userChrome.css

dialog#signonviewer button#togglePasswords { display:none }
Whiteboard: userChrome.css solution -- see comment 22

Comment 23

13 years ago
I am unhappy with the resolution of Bug #259996, Show Passwords
Feature.  I want to be able to see my saved passwords but I do not
have, want, nor need a Master Password.

I agree with Additional Comment #10.  Do not disable Show Passwords
when the Master Password is null (has not been set).

I recognize Additional Comment #11 and agree that Master Passwords
should be encouraged for most system users.  However, I feel your
need for EVERYONE to have a master password is ill advised - it
presumes you, a provider of one application, can dictate for all
users. But I have one system, live alone, no one else has access to
this system, and I do enough testing, programming, and rebooting
that frequent reentering of a master password would be a time
wasting irritation.

Please reconsider!


I am currently running Win98 on a generic PC and using Firefox
1.0.3.


---
 John Windhorst  WFA Assoc  Minneapolis   johnwfa@mn.rr.com
I have yet to hear about someone actually victimized by this.  All this really
does is make casually stealing passwords slightly more time-intensive (log into
webmail, attach the passwords file, send, open in a different Firefox profile
elsewhere at your leisure).  I can probably do that in 30 seconds, and its
actually less obvious than snooping and writing down visually displayed passwords.

Stopping casual snooping only at the expense of removing a useful feature seems
like a losing proposition to me.  And if we're going to enable it with a master
password set, that only adds 10 seconds to the casual snooping timeframe (set
one, view passwords, remove the MP).  If we're really going serious about
forcing users to protect their passwords, we could force the MP on, with a
timeout.  But that'd annoy far too many people, so we don't do it.

Locking your desktop is possibly on pretty much any modern OS (though win9x you
have to be fairly astute to invoke the screensaver directly) and that's more
than enough to protect against casual snooping.

Updated

13 years ago
Flags: blocking-aviary1.1? → blocking1.8b4?
See previous comment, marking WONTFIX.
Status: NEW → RESOLVED
Last Resolved: 13 years ago
Flags: blocking1.8b4? → blocking1.8b4-
Resolution: --- → WONTFIX

Updated

13 years ago
Attachment #159184 - Flags: review?(firefox)

Comment 26

13 years ago
Do not just brush this under the table.

This is a significant security concern.  True, hiding the button that makes
password text visible is not sufficient, so instead the passwords should be
encrypted (to the mozilla master password) to prevent file copying.  

Here is a possible solution:
* Passwords should be encrypted to the master password, so copying prefs fails
* Passwords' text should always be off when you go into the password manager
* Pressing the "view passwords" button should ALWAYS require the master password

I am tempted to reopen this bug and rename it to say "Protect" instead of "Disable"

Comment 27

13 years ago
... forgot to address systems w/out a master password.  we could have an option
in which the master password is only used to view/maintain other passwords, or
we could just drop that on the floor; anybody with no master password is not
paranoid enough to care about this issue, so security falls to the filesystem
itself.
We're not going to force users to use a master password.  If they want to
protect their passwords, they can, but we're not going to force them to do so. 
If the passwords file is encrypted then the user is forced to enter the password
each session (so we can decrypt the contents of the file), so the idea of only
using it to view the passwords isn't possible.
I know this ain't the place to discuss, but leaving this feature seems stupid to
me. Other proposed schemes for stealing the passwords file are irrelevent, and
should have their own bugs filed. Adding a button to the UI that says, "Show my
passwords" is nothing like requiring a user to find a file, email it to a
separate computer and set up a separate profile on that computer to see the file.

That said, I think the feature should be removed entirely. There are safer, much
more secure ways for users to retrieve lost passwords (such as contacting their
email provider or keeping copies of them somewhere separate from their actual
email program).

Comment 30

13 years ago
I agree with wesley-johnston@uiowa.edu, this issue is too much of a security concern to simply brush 
off as "RESOLVED WONTFIX."  Many users, myself included, don't password their own computers, or 
supply a master password, but continue to use Firefox's "remember passwords" feature.  Therefore, 
anyone with sufficient motive could log onto my computer and steal all my passwords.  Now, 
admittedly, one could do that with the technique mentioned above, but that is a significantly more 
complex process which would, at the very least, require knowledge beforehand.  The "show passwords" 
button makes a security breach within the realm of even the most inept "hacker."

Updated

13 years ago
Status: RESOLVED → VERIFIED
(In reply to comment #30)
> I agree with wesley-johnston@uiowa.edu, this issue is too much of a security
concern to simply brush 
> off as "RESOLVED WONTFIX."  Many users, myself included, don't password their
own computers, or 
> supply a master password, but continue to use Firefox's "remember passwords"
feature.  Therefore, 
> anyone with sufficient motive could log onto my computer and steal all my
passwords.

Let me see if I'm understanding this correctly:
- you have passwords worth stealing
- your machine is physically insecure
- in a location with people who might want those passwords

yet you reject the security features provided for those cases (to whit: OS-level
locking, Firefox master password). That's just dumb, but if you really must be
saved the once-per-session typing of your master password you can apply the
userChrome.css provided in comment 22 and preserve your delusion of safety.

Comment 32

13 years ago
Another perspective: On Mac OS X, users expect programs to store their
passwords using an operating system facility called the keychain. Passwords
are stored securely by the operating system. When logging in to the
computer, the user provides their password, which unlocks the keychain. Or,
if the user has the computer configured to log in automatically, then the
keychain is automatically unlocked. In the Safari browser, if it has been
configured to store web site usernames and passwords, you can have it
display a list of usernames and the web sites to which they belong, but not
the passwords; to see those, you use the Keychain Access utility. Viewing a
password there requires that the user enter their keychain password.

On Mac OS X, I would want Firefox to store passwords in the keychain so as
to avoid the issues discussed in this bug. (Perhaps that needs to be a
separate feature request. Perhaps one has already been filed; I did not
check.) Do other operating systems on which Firefox runs have similar
facilities that could be used?

Comment 33

13 years ago
*** Bug 306602 has been marked as a duplicate of this bug. ***

Comment 34

13 years ago
(In reply to comment #32)
> On Mac OS X, I would want Firefox to store passwords in the keychain so as
> to avoid the issues discussed in this bug. (Perhaps that needs to be a
> separate feature request. Perhaps one has already been filed; I did not
> check.) Do other operating systems on which Firefox runs have similar
> facilities that could be used?

bug 106400
*** Bug 311054 has been marked as a duplicate of this bug. ***
*** Bug 313906 has been marked as a duplicate of this bug. ***

Comment 37

12 years ago
(In reply to comment #22)
> dialog#signonviewer button#togglePasswords { display:none }

This does not work anymore in Firefox 1.5.

Comment 38

12 years ago
*** Bug 352241 has been marked as a duplicate of this bug. ***

Comment 39

12 years ago
*** Bug 352692 has been marked as a duplicate of this bug. ***

Comment 40

12 years ago
presumably:
dialog#SignonViewerDialog button#togglePasswords { display:none }

would work. but it's still terribly silly.
Target Milestone: --- → Future

Comment 41

12 years ago
Responding to my own comment 26 and comment 27 ... it seems that firefox has had this behavior for quite a while; I go to Edit->Preferences->Privacy->Passwords, resize the options window so I can see the "View Saved Passwords" button, click it, and the two colums are "Site" and "Username."  Pressing the "Show Passwords" button pops up a dialog box for my master password, even though I have firefox set to request it once per session.  If I hide the passwords and ask firefox to show them again, it requests my password again.  Looks like this works for me.

Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8) Gecko/20051201 Fedora/1.5-1.1.fc4.nr Firefox/1.5

----

How does the password encryption handled?  GPG?  Enigmail seems to do a good job with PGP-key handling, perhaps that could be abstracted to general gpg-based keyless encryption (gpg -c), or else a dummy key could be created for this purpose.

GPG workaround for the extra-paranoid:  house your profile in /dev/shm (gets wiped on reboot), write a cron job that regularly encrypts the directory's content (sans cache) to a .tgz.gpg file, and write a wrapper script for firefox that decrypts it into /dev/shm on launch.  Or just remember your passwords ;-)

Comment 42

10 years ago
This issue needs to be revisited.  I strongly feel that this bug should be reopened and given immediate attention.

The "show passwords" button could make the life of a social engineer very easy.  The vast majority of Firefox users probably have no idea that their passwords are so readily available (I didn't until tonight, and I've been using Firefox since 2002 (Mozilla 1.0)).  All it would take for an attacker to gain access to passwords is to get somebody to log into their computer and then get them to leave the room or look to other way (assuming that the user doesn't have a master password, which they probably don't because they don't know the consequences).  

At the very least, it needs to be made painfully obvious to the user that passwords are so easily available.  I'd go farther than this, however, and say that this feature should be removed entirely because the security risks are much bigger than any potential benefit. 

Comment 43

10 years ago
I voted for this bug, but I'll try to explain why developers say won't fix.

If you don't have master password, your passwords are readily available anyway, as they are stored on the disk encrypted with known key, and simple program can decrypt it. In case of IE, there is such program (around 10 Kb), so with this program you can take all ones passwords when he is out without any problem.

The only real protection is to turn welcome screen on after screen saver, and all serious enterprises do this. Otherwise, all your documents are also readily available, and you probably have some more valuable documents than passwords.

Updated

10 years ago
Duplicate of this bug: 418238

Updated

10 years ago
Duplicate of this bug: 435818

Updated

10 years ago
Duplicate of this bug: 441877

Updated

10 years ago
Duplicate of this bug: 446537
(Assignee)

Updated

10 years ago
Product: Firefox → Toolkit

Comment 48

9 years ago
Four years on and it is still an issue.
If the lock on my front door isn't the very best on the market, I won't therefore just leave all my keys and the alarm code under the doormat!

Not all users need absolute, bombproof security.  I want to allow others to occasionally use my computer and Ff, without a list of passwords being READILY available for any newbie to view.  Sure, if they really want to steal passwords then they can read this page and discover how, but a lock isn't always to keep the dishonest out, but rather to help the honest stay honest.  

Seeing all a user's passwords can also assist a person to work out others: e.g.

Site              Password
Amazon.com        apple1
bookbuyer.com     bpple1
crumbsonline.org  cpple1
ebay.co.uk        epple1
Could you work out what my password for personalsite.net would be had you seen this list?

Answer: Protect the list with the master password, which must be created/entered in order to access the list (add/delete/view passwords).  Allow 'Use master password' to be a separately flaggable option.  This might even start to encourage users towards accepting 'Use MP' (which, largely, I don't think that I want or need).

Comment 49

9 years ago
I agree with Jack; if you were going out of town for a week, which would be more secure, leaving your front door wide open, or closing it without locking it?

The fact is, having a "show passwords" button making the user's passwords readily available simply doesn't make sense.  While someone could certainly get those passwords with sufficient effort, there's a world of difference between that and a button that just does all the dirty work for them.

I also agree that Jack's solution of having a mandatory master password to view the list would be acceptable; if not that, simply removing the ability show passwords at all would be sufficient.

Comment 50

9 years ago
One more voice in support of Jack et al.  It seems ridiculous that this is still an issue almost five years on.

I understand that disabling/protecting the "Show Passwords" button does not provide great security for one's passwords against attackers, but that is not necessarily what we are asking for.  We are asking for a way to protect a list of all our passwords in plain text available to any casual user within 6 mouse clicks.  A serious attacker could of course still get my passwords, but the entire world isn't divided into angels and serious attackers.  It's full of people, and people are not necessarily technically savvy or malicious, but they are pretty curious.  Even though I trust some people enough to let them use my computer occasionally, that doesn't mean I want to give them easy access to ALL of my passwords.

A pretty good middle ground has been proposed: require the master password only for accessing the saved passwords in the options menu.  Why is there so much resistance to such a modest proposal?  No, it won't protect me from determined attackers, but then again I'm not loaning out my computer to determined attackers, just the mildly curious.

Pretty please can we just have the fix?

Comment 51

9 years ago
I just noticed that the status of this bug is "VERIFIED WONTFIX" and the owner is "Brian Ryner (not reading)".  I'm sure there are many others who agree with the above comment (comment #50), but it may be that anyone in a position to affect change is not listening or in the loop.

I wonder how we might escalate the visibility of this bug or what it would take to get it fixed?  The reasoning given by Nemo (above) and by several others seems strong and the reasoning against this change, well, doesn't.

I just saw the numerous dups on this bug.  Usually that indicates to developers that *something* at least needs addressed.

Comment 52

9 years ago
Mike Connor gave an explanation as to why this was WONTFIX'd in comment 24. His reasoning is still valid, IMO.

If you really want to disable showing passwords, then see comment 22 where dveditz provides a solution. And if you really feel strongly about this bug, then why not write an extension that does this (I checked; there's not one).
Duplicate of this bug: 501297

Comment 54

9 years ago
I refuse to let this slide.

Sorry Adam, (comment 52) but Mike Conner's reasoning are based around how long it would take HIM to get my passwords by devious means.  I personally wouldn't be letting him use my computer unobserved.  That does not mean that no-one gets to use my computer; many of my friends may.  To return to the door analogy, that's like telling me how long it would take an accomplished lock picker to get past the light duty night latch  (there's a heavy duty mortice lock for when the house is empty, analogous to my computer being physically inaccessible to hackers).

(No offence Mike, but) Mike's analysis of the situation is not of the real world that most Firefox users inhabit, but instead is a trust free, paranoid version where everyone is either a complete angel or a serious attacker, as Nemo described in his astute post (Comment 50).  This is not my world... is it really yours?

Further the 'solution' in , Comment 22... that is the equivalent to throwing the keys away after locking the door on just the night latch.  You could rummage round the garden undergrowth until you found them, or a serious attacker could break straight in... That doesn't sound like a solution to me.  Is our approach to software development to privately cripple our own version whilst leaving it weak to attack; simultaneously leaving all other users highly vulnerable to the weakest level of attack?  The Master Passowrd system is not appropriate for most users and should not be promoted as an 'all this or nothing' option.

WON'TFIX is the worst possible decision here.  Please change the status or pass onto someone who understands how end users actually use and share their computers.

Although I say so myself, the solution proposed in Comment 48 is:
 - neat
 - has the advantage of improving and promoting the understandably underused Master Password*
 - would sit comfortably alongside the MP system
 - making Firefox more secure for ALL users (it would be like upgrading the night latch.
 - would be easy to understand for novice users
 - would be pretty tiny, code-wise
 - shouldn't contradict the needs expressed by a single poster on this page

* Which I prefer not to use, as with most other users apparently, as I'd have to tell people my MP to let them casually use my computer (as I understand it) which would then give them access to everything... hardly secure for real world, home and small business users!

Sorry, I would code it myself but my coding skills are non-existent as I concentrate on other skills like woodworking.  PLEASE! PLEASE! PLEASE, can this be properly addressed?  Let's not have a 5th birthday for this continuing problem.

Thanks, and appreciation to the coders,
Jack

Comment 55

9 years ago
I also refuse to let this slide.

I have about 100 plus users of thnuderbird in my environment and they do share their desktops, this is simply a loop hole for any body to take advantage. 

I enabled Master Password option and I have to re-enter it several times in a day ... which is quite irritating. 

If the status is going to be "VERIFIED WONTFIX", I will be looking for other options, not because of any lacking in the product but because of the unfair and unjustified attitude of the ones maintaining and developing it.

Thanks & Regards

Wajahat
I do live in a world which is somewhat binary, but not "angels vs. serious attackers" but "people I trust and people I do not trust."  If I don't trust a person to not snoop/steal passwords, I don't let them use my computer, or I have them use a Guest account (works on XP and up, most/all modern Linux distros, and OS X 10.4 and up).  Put frankly, you want security by obscurity, so that one specific class of users can be effectively blocked, while not protecting yourself against anyone who could read instructions off the Internet for which files to steal.  (Here's a nice step by step that took me 10 seconds to find online: http://blog.banditdefense.com/2009/03/16/stealing-firefox-saved-passwords/).  The illusion of security is not security, and killing a useful feature for the illusion of security is a non-starter.

If you're concerned about people stealing sensitive passwords, create another account for other users, use a Master Password, or don't let people you don't trust access your computer.  Locking the front door doesn't make you safe if the back door isn't locked.

Updated

9 years ago
Duplicate of this bug: 506900

Comment 58

9 years ago
While I agree that the show password feature is useful for most people and should not be hidden by default, there is a style for the Stylish extension called Hide 'Show/Hide Passwords' button at http://userstyles.org/styles/9499 that hides the show password button.  Using this extension is generally easier than editing the userchrome.css file.  For further security, the style can be renamed to something nondescript.

Comment 59

8 years ago
(In reply to comment #56)

With no offense, telling my friends to log into a guest account for using my computer for a couple of seconds or minutes is just ridiculous. And although I trust every single one of them, they probably have the largest incentive to check, let's say, my personal communication. Be it just for fun. And a password list just clicks away is quite a temptation.

Don't get me wrong. I see your point. But it is one thing to take a peek at your friends password list and a completely other thing to 

1. figure out how to locate and dis-encrypt a passord list,
2. plan the theft of the data from his or her computer and
3. perform that action.

Man, you are talking about quite some criminal intent, that hopefully nobody who ever uses my computer possesses!

Regards

Comment 60

8 years ago
Inappropriately 'Verified Nofix'.  Please change.  All interested parties please log in and vote for the bug.

Sorry, Bug 259996; I missed your 5th birthday.  Happy Belated Greetings my poor, neglected love.

This is still the very stupidest aspect of Firefox.  Famously secure browser?  My ****!

Please have someone look at it who understands the importance of 'causual environment security'.  I wish I had time to learn to code and just do this myself.  Can anyone produce a tiny add-on which password protects our passwords?  I used to code years ago, so I know it won't be hard to enable a secure PasswordPassword.  There you go, I've even come up with a brand name for the add-on.  Or call it CunningFox or something, I really don't care!

Please read comments 54 and 59 for reasons why guest accounts are not they way ahead ("Yeah, mate - of course you can use my browser for a couple of minutes; just wait whilst I log out then in as a different user.  You see, Firefox design demands that I don't trust you.  No offence."  "What do you mean, 'the hell with my friendship'?").

Please read comment 55 for reasons why Master Password doesn't handle this.

Comments 22, 24 and 43 fail to see the problem from any circumstance or perspective other than their own.  Unfortunately, that necessary perspective is that of the ordinary, casual, sociable, trustworthy, trusting, security conscious user.  It is such a small request.  PLEASE REVISIT.

Comment 61

8 years ago
I find it outstanding that this has been ignored.  I'm a regular Firefox user, but this is the most gaping flaw that has been bothering me ever since I started using Firefox. 

It seems apparent that the developers have never heard of phenomenon such as "Facebook rape".  I completely trust people to use my computer, but they might choose to do something that is essentially harmless (and in good taste) but still something I want to protect against.

I find that the "Show Passwords" feature mirrors this.  The argument of "security is not obscurity" is complete ignorance to real world users.

Why does Firefox display saved passwords in forms as stars/dots (*) at all?  Why not show all passwords in plain text?  By your logic, I vote that we disable replacement characters of entered passwords because it doesn't make it more secure.  It only delays the inevitable malicious nature of people intending to steal my passwords.

The fact of the matter is that security by obscurity IS effective, otherwise masked forms would not exist.  On top of this, other browsers such as Opera purposely do not have such an exposed feature to reveal passwords.

It still angers me how the argument is that "people you don't trust shouldn't be able to use your web browser".  If you're confident in the user's capabilities on a computer, why the hell not?  I should be able to restrict the viewing of my own passwords for MY OWN comfort.

That's the end of my rant.  I've voted for this issue.  I'd urge anyone else to vote for this as well.  I'm going to assume the majority of firefox users simply aren't aware of how easy it is to view saved passwords (I wasn't for a long time either).
Assignee: bryner → pcvrcek
Assignee: pcvrcek → bryner

Updated

8 years ago
QA Contact: davidpjames → password.manager
All this ranting is silly, IMO.
Mozilla products (such as Firefox) give users a choice.  
You may choose to:
- protect all your saved site passwords with a single "master password" 
that must be entered to reveal your saved passwords, 
- or not

If you choose not to protect your saved passwords with the protection 
mechanism that is available for this purpose, then you should not say that
Firefox provides no protection.  You should admit that you have chosen not
to use the protection that is provided, rather than demanding that Mozilla
take that choice away from all users.
QA Contact: password.manager → davidpjames
QA Contact: davidpjames → password.manager
Assignee: bryner → nobody

Comment 63

8 years ago
(In reply to comment #2)

> - copy the passwords file and decrypt it at home
> - just log in to any site using that computer and do harm to the user
 and by all means not store the password for
> his online banking account.
.

ok, the decrypt function is a huge security risk:  
surely firefox can find a method of encryption that isnt so easy to decrypt? im not familiar at all with the technology but that seems like a huge priority. IE all my passwords can be had by accessing a single file.

as for the 'master password' function, yes, i have show passwords OFF and have a master password. HOWEVER, for new users, firefox should, on install at least, ALWAYS prompt the user to create a master password!!!  it should also have a 'clear password list including master password' IE i have somehow gotten firefox to ruin my master password, and now no uninstall or reinstall will ever get my passwords back. (where is that file so i can delete it?)
Evan, don't believe every conjecture you read.  All the claims that files
can be decrypted offline are based on the assumption that the users choose
master passwords that are vulnerable to dictionary attacks.  

As for your question about forgetting your master password, google for 
these 4 words together:  reset firefox master password

Comment 65

8 years ago
Let's take a look at another browser for a second: Internet Explorer. It also allows storing passwords without having to enter a master password every time you use the browser. I am sure the pros among you would have absolutely no problem with locating and decrypting my IE password list - but, quite frankly, nobody I know would be able to do so.

Also, don't most operating systems provide a digital locker for passwords themselves? What about using these.
Duplicate of this bug: 580432

Updated

7 years ago
Duplicate of this bug: 587547

Updated

5 years ago
Duplicate of this bug: 797418

Comment 69

5 years ago
Just writing to express my support for abolishing the "show passwords" feature altogether. The situation right now is that Firefox has a security hole, affecting 99%+ of its users, which allows anybody with physical access to the browser to access stored passwords as plaintext. It's trivially discoverable, requires zero technical know-how, and can be performed in seconds (say, while somebody walks across the room to collect something they've printed).

The "master password" feature is not a solution. It's only going to be used by the intersection of (1) users who know it exists, (2) users who understand why it's necessary, and (3) users who are confident that setting a master password won't cause trouble for them in the future. That leaves a huge population of vulnerable non-technical users.

The only decent argument I've seen in the comments above is that somebody with access to your browser will already be able to wreak havoc by logging in to your web services using saved passwords; but there's a very obvious difference between "accessing the user's accounts once", and "getting permanent, secret access to several of the user's accounts within ten seconds". Users who are aware of the first issue may still be leaving themselves completely vulnerable to the second.

I feel the rationale given in Comment 24 is invalid. 10 seconds versus 30 seconds is a pretty big difference; despite what mconnor said, I believe the show-passwords dialog would appear fairly innocuous to an outside viewer (presuming that the malicious user is even being monitored by other people, which isn't guaranteed); and, most importantly, this vulnerability could easily be discovered by some random user with no technical knowledge, making it much more serious than the webmail-based alternative that mconnor described.

Comment 70

5 years ago
I just realized there is a show passwords button which reveals all my saved passwords, this is a big security leak. I'm sad but after years of being a fan of firefox I'll have to switch to IE, until this is changed, and I'll warn anyone who uses firefox about that.
Duplicate of this bug: 923598

Comment 72

3 years ago
I do understanding there's a trade-off between convenience and security, but this is appalling. If you do want to offer this feature, it makes more sense to disable it by default and not the other way around. 

If you do it in the reverse, at least they know that they've just opened up their passwords to casual snooping. You can also prompt users with a pop-up to warn users of the risk of enabling such feature and require their confirmation.

You can argue about giving users a false sense of security. In terms of minimise risk though, the less you are open, the exposure to security threats are also reduced. A non-tech savy person who happens to find out about this feature can easily get there hands on all accounts and passwords with practically no effort.

Seriously, you guys need to do much better than this. I've been using Firefox for over a decade now and I'm actually thinking of moving back to Internet Explorer because of this little, but not so little incident.
I see you won't fix this, for whatever reason, but please could you warn the user prominently.  

A solution would be, in the caption box that says "do you want firefox to remember this username and password?", please add "Warning: Because you do not have a master password set, all of the passwords that Firefox saves will be viewable in plain text by anyone who uses your Firefox account at any future time.  Click HERE for further details, and to see how to fix this problem."
I've  been using and trusting firefox for 5 years now and I'm shocked to just find out that all my passwords were so exposed in plain text.  I thought I had taken all responsible security precautions on my PC, but this has caught me by surprise and I'm ashamed I've been so fully exposed for so long.

Above blithe comments say "if you have such important passwords then why are you leaving your computer unattended?"  Well please note that everybody's passwords are valuable - if a hacker finds your central email password then they can change all your other passwords and lock you out from everything, and then start making on-line purchases at their leisure.  

It is reasonable to trust friends/colleagues and let them use Firefox for a short bit of web-browsing.  But passwords exposed to them in plain text is not to be expected and is not reasonable.

Please fix or at least warn the users that their passwords will not be stored securely.

Comment 75

2 years ago
I've just realized this, and it's shocking. I'm dropping thunderbird and firefox right now. Because of this all organizations should drop them too. Especially governmental ones. How can they pass security audits having this feature in their browsers and mail clients ?!?!?!
In reply to the advocacy comments posted since this bug was WONTFIXed then VERIFIED:

Can't you people realize that any "saved" passwords can be "recalled"? If I weren't yet retired, I wouldn't save any passwords on my office computer, except maybe "role" accounts shared with my colleagues.

Once passwords can be recalled they can be reused for whatever they are worth, be it (depending on the account, of course) debiting your bank account or signing bugzilla.mozilla.org comments, and that regardless of whether or not they can be made visible, which is what this bug is about.

The privacy of a password system has a scope much wider than this bug, and IMHO what it sums up is: Don't save any passwords except on a home computer shared with nobody else.

Comment 77

2 years ago
I want to hide "Saved Login " ( Check Screenshot) due to security issue before I am using

userChrome.css

dialog#signonviewer button#togglePasswords { display:none }

but currently it is not working. Help Urgent

Comment 78

2 years ago
I have this problem as well. Everyone who get access to my terminal can see my Owncloud Password since i synchronize my calendar.

What shocks me is that this problem is around since 2004.

@Tony Mechelynck: Yes the NSA typically can recall everything, but all my colleagues do not have access to my Unix password, even not our admin (at least i assume that). And that's what i would expect for the passwords here as well as soon as a master password is set for protection.
Comment hidden (spam)

Updated

a year ago
Flags: needinfo?(Dantheman1976)
Flags: blocking-aviary1.0-
The content of attachment 8817169 [details] has been deleted
Duplicate of this bug: 1363637
You need to log in before you can comment on or make changes to this bug.