Closed Bug 266778 Opened 16 years ago Closed 16 years ago

show UI for timeout option on master password

Categories

(Toolkit :: Password Manager, enhancement)

x86
Linux
enhancement
Not set
normal

RESOLVED WONTFIX

People

(Reporter: grudnick, Assigned: bryner)

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1

Once you enter a master password all passwords are filled in by the password
manager for the remainder of the session, without prompting again for the master
password.  Only by quitting Firefox and restarting it is one required to
re-enter the master password.  In Mozilla there was an option to specify how
often the browser prompted for the password.  It appears that Firefox defaulted
to a rather insecure option and I think that the old Mozilla options should
really be included in Firefox as well.

Reproducible: Always
Steps to Reproduce:
1.
2.
3.
This might be a dupe, I'm not sure.

The main reason we didn't implement that pref in UI, although it's still
supported, is that it's redundant and more annoying than anything.  If you're
going to leave your PC unattended and you're concerned about security, a short
timeout and a locked screensaver/workstation is a far better solution than
app-specific timeouts.  The main reason to have the master password is to act as
a key for decrypting the passwords database, so that they're secure when the
browser isn't open.  Acting as a second layer of password protection is pretty
user-unfriendly; a sufficiently secure password+OS should be fine.
Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → WONTFIX
Summary: there is no timeout option on master password → show UI for timeout option on master password
Product: Firefox → Toolkit
Duplicate of this bug: 1350318
Duplicate of this bug: 1348274
Kevin, in bug 1348274 you say "You can set an about:config pref to do this".

As a first step, I would be satisfied with such a pref. But which one do you mean? security.password_lifetime is not honored by Firefox, according to bug 719705 and [1].

So, if you mean that pref, then both bug 1348274 (for desktop FF) and bug 1350318 (for Fennec) are not duplicates of this bug here.

[1] http://kb.mozillazine.org/About:config_entries#Security
Matthew, thank you, but this add-on will break in a few months with the switch to the WebExtensions API. In my bug 1348274, I already found a similar add-on that will also break then.
A recent LWN article about password managers (https://lwn.net/Articles/714473/) says that "the issue [with Firefox] is that browsers are generally always open, so the vault is always unlocked". And yes, my browser is sometimes open for weeks.

This opposes Mike Connor's [:mconnor] arguments from 2004 in comment #1 for WONTFIXing this bug, where he said:
> The main reason to have the master password is to act as a key for decrypting the passwords database, so that they're secure when the browser isn't open.

Therefore I suggest reopening it.