Closed Bug 266778 Opened 17 years ago Closed 17 years ago
show UI for timeout option on master password
User-Agent: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; rv:1.7.3) Gecko/20041001 Firefox/0.10.1 Once you enter a master password all passwords are filled in by the password manager for the remainder of the session, without prompting again for the master password. Only by quitting Firefox are restarting it is one required to re-enter the master password. In Mozilla there was an option to specify how often the browser prompted for the password. It appears that Firefox defaulted to a rather unsecure option and I think that the old mozilla options should really be included in FireFox as well. Reproducible: Always Steps to Reproduce: 1. 2. 3.
this might be a dupe, I'm not sure. The main reason we didn't implement that pref in UI, although its still supported, is that its redundant and more annoying than anything. If you're going to leave your PC unattended and you're concerned about security, a short timeout and a locked screensaver/workstation is a far better solution than app-specific timeouts. The main reason to have the master password is to act as a key for decrypting the passwords database, so that they're secure when the browser isn't open. Acting as a second layer of password protection is pretty user-unfriendly, a sufficiently secure password+OS should be fine.
Severity: normal → enhancement
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
Summary: there is no timeout option on master password → show UI for timeout option on master password
Kevin, in bug 1348274 you say "You can set an about:config pref to do this". As a first step, I would be satisfied with such a pref. But which one do you mean? security.password_lifetime is not honored by Firefox, according to bug 719705 and . So, if you mean that pref, then both bug 1348274 (for desktop FF) and bug 1350318 (for Fennec) are not duplicates of this bug here.  http://kb.mozillazine.org/About:config_entries#Security
There is an extension to install from https://addons.mozilla.org/firefox/addon/master-password-timeout-upd
Matthew, thank you, but this add-on will break in a few months with the switch to the WebExtensions API. In my bug 1348274, I already found a similar add-on that will also break then.
A recent LWN article about password managers (https://lwn.net/Articles/714473/) says that "the issue [with Firefox] is that browsers are generally always open, so the vault is always unlocked". And yes, my browser is sometimes open for weeks. This opposes Mike Connor's [:mconnor] arguments from 2004 in comment #1 for WONTFIXing this bug, where he said: > The main reason to have the master password is to act as a key for decrypting the passwords database, so that they're secure when the browser isn't open. Therefore I suggest to reopen it.
You need to log in before you can comment on or make changes to this bug.