Closed Bug 267808 Opened 20 years ago Closed 20 years ago

NTLM passwords are exposed in password manager

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED WORKSFORME

People

(Reporter: sbarton, Assigned: bryner)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.5) Gecko/20041103 Firefox/1.0RC2

The recent releases (1.0PR+) include the new password manager, which displays
saved passwords in clear text. The passwords which can be displayed include
NTLM passwords. They can be hidden using a master password, but whenever trying
to connect to an NTLM-authenticated site, the user must enter the master password
first. For those of us trying to bring Firefox into corporate intranets, these
problems are show-stoppers. Suits want seamless authentication. A dialog box the
first time you visit a site, with the option of saving the password, is OK
because subsequent visits simply require a click. However, having NTLM passwords
exposed in clear text will not fly with the info security guys. On top of that,
forcing non-technical users to enter a master password, and then forcing them to
use it every time they visit a site, simply will not pass muster with the
non-technical corporate management types. If you want to penetrate corporate
intranets, you must make NTLM authentication and password management more secure
and more user-friendly.

Reproducible: Always
Steps to Reproduce:
1. Visit an NTLM-authenticated site
2. Save the password in the password manager
3. Enter the password manager and view the NTLM password in clear text
4. Enter a master password
5. Visit an NTLM-authenticated site
6. You are forced to enter the master password

Actual Results:
I was shocked that I could see my NTLM password, followed by dismay that I could
not now include Firefox as an alternative browser on my corporate desktops. I
was disheartened to see that I had to enter the master password when I
visited a site. This kills it for most corporate intranet users.

Expected Results:
NTLM passwords should never be visible in clear text. Users should not have to
enter the master password when visiting a site that uses a saved password.

> 1. Visit a NTLM authenticated site
> 2. Save the password in the password manager

This sounds like you were indeed storing your password in the pw manager. That's
quite different from single sign-on.

If you want to automatically transmit your Windows logon information (unviewable
in pw manager), you can set a pref for that. I believe that's
network.automatic-ntlm-auth.trusted-uris.
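As an added example (not part of this bug report and not Firefox's own code), a small Python audit that pulls the network.automatic-ntlm-auth.trusted-uris value out of a user.js/prefs.js fragment and flags entries an administrator would want to review before enabling silent NTLM. The prefs text is constructed, and the scope checks are assumptions about how broadly an entry matches, not a reproduction of Firefox's matcher.

```python
import re
from urllib.parse import urlsplit

PREF_NAME = "network.automatic-ntlm-auth.trusted-uris"
# Matches string-valued user_pref() lines; boolean/integer prefs are skipped.
_PREF_RE = re.compile(r'user_pref\("([^"]+)",\s*"([^"]*)"\);')

# Constructed sample of a user.js fragment (hypothetical hosts, not from the report).
SAMPLE_PREFS = '''
user_pref("signon.rememberSignons", true);
user_pref("network.automatic-ntlm-auth.trusted-uris", "https://intranet.example.corp, .example.corp, sharepoint, http://legacy.example.corp");
'''


def parse_trusted_uris(prefs_text):
    """Return the comma-separated entries of the pref, stripped; [] if it is not set."""
    for m in _PREF_RE.finditer(prefs_text):
        if m.group(1) == PREF_NAME:
            return [e.strip() for e in m.group(2).split(",") if e.strip()]
    return []


def host_of(entry):
    """Host part of an entry, whether or not it carries a scheme."""
    return urlsplit(entry if "://" in entry else "//" + entry).hostname or ""


def audit_entry(entry):
    """Findings for one entry. Assumed risk model: an http:// entry sends the NTLM
    exchange without TLS; a single-label name relies on DNS suffix search and can be
    answered by a different host on another network."""
    findings = []
    if entry.lower().startswith("http://"):
        findings.append("cleartext scheme: NTLM exchange is not protected by TLS")
    if "." not in host_of(entry).strip("."):
        findings.append("single-label name: resolution depends on DNS suffix search")
    return findings


def audit(prefs_text):
    """Map each configured entry to its findings; clean entries map to []."""
    return {e: audit_entry(e) for e in parse_trusted_uris(prefs_text)}
```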

Based on comment below explaining the use of the
network.automatic-ntlm-auth.trusted-uris directive, this bug can be considered
resolved.

Status: UNCONFIRMED → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME
Product: Firefox → Toolkit