Closed Bug 269138 Opened 20 years ago Closed 17 years ago

master password dialog shows up multiple times when clicking View Saved Passwords and cancelling the master password prompt

Categories

(Toolkit :: Password Manager, defect)

x86
All
defect
Not set
normal

VERIFIED FIXED

People

(Reporter: steffen.wilberg, Unassigned)

(first reported in bug 220214 comment 28)

The master password dialog keeps showing up when clicking View Saved Passwords
and cancelling the master password prompt.

Steps:
1. Have a master password set, and more than one password stored.
2. Make sure you're logged out of the Software Security Device by restarting
Firefox or clicking the Show Passwords button and cancelling the master password
prompt.
3. In the Privacy Options panel, click "view saved passwords".
4. Press cancel in security device prompt.

Result:
The master password prompt will appear again multiple times. You have to click
Cancel once for each password stored. After you have clicked Cancel that often,
an empty Password Manager appears.

Expected:
No additional master password prompts, and no Password Manager.
I can confirm this.
*** Bug 269787 has been marked as a duplicate of this bug. ***
Duplicate of bug 260296?
(In reply to comment #3)
> Duplicate of bug 260296?
No, I don't think so. This is a different problem. 

A problem with the Password Manager is that if a user sets a master password and
then forgets it (yes, I know it's stupid, but it can happen very often) there is
no way to remove/reset it (in 1.0+) without messing around with the profile
directory. This can be very confusing to users, especially since many of the pages
Google finds related to "firefox master password reset" are old and don't apply
to new versions of Firefox.

If they try to click on "View saved passwords" while in this situation they will
also be deluged by any number of such prompts, which is bound to shake their
confidence in how "great" and "stable" this Firefox is.

I propose a new tab on the "Password Manager" window that saves "forgotten
passwords". This way we can (relatively) safely allow a user to reset the master
password. The old passwords file would be saved and kept separate in a list,
together with the date it was reset on. This way, if the user remembers the
password or if someone else maliciously or mistakenly reset the password the
data can be obtained again, maybe even merged with the new database. (Of course,
an "attacker" could simply delete the profile directory, but that is a bit
harder for less computer-literate people).
*** Bug 300449 has been marked as a duplicate of this bug. ***
Hi.
Still here in 1.0.5
Eamon.
Confirmed on 2 counts.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7.10) Gecko/20050720
Firefox/1.0.6 (mmoy CE 1.0.6 K8B-X34)

and

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8b4) Gecko/20050822
Firefox/1.0+ BOBA CE
This should be part of bug 237610, where all password prompts were affected (but
it also has duplicates for "View Saved Passwords" on Firefox too).
I've got Firefox 1.5 beta 2.
I've lost the master password (Ooops /o\)
Same problem happens.
*** Bug 317508 has been marked as a duplicate of this bug. ***
Is bug 237610 description correct? Because I tried on Firefox 1.5.0.1 (Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.1) Gecko/20060111 Firefox/1.5.0.1) and the dialog only appears 5 times; after clicking cancel for the fifth time, the dialog closes and an almost empty Password Manager appears, and the "Never save Password" tab is still populated.
I can confirm this behaviour in FF 1.5.

Also, if you click cancel say four times and then enter the master password correctly, you will be shown the password manager with four less passwords than there really are. Entering an incorrect password does not have this effect.

If you then leave the password manager and return you will be shown all of the passwords.
It appears that we are seeing multiple bugs, and not just on FF. I'm seeing something similar with regard to the multiple prompts under SM 1.5a (20060531) on OS/2. We should probably split this out into different bugs.

Bug 237610 comment 19 makes reference to entering the master password in order to view stored passwords. This bug references accessing stored passwords, as well, including what appears after finally getting in.

In my case, I thought that SM was simply not processing the password properly when starting up MailNews. What I have come to find is that there are indeed multiple stacked password dialogs and as I begin to type, more are getting stacked up, so that I may not be able to type fast enough (and click OK) to get the password submitted before another dialog is added to the top of the stack. This is the case whether I am trying to view stored passwords or simply connect to my mail server for the first time. It also happens consistently when (re)opening the browser to a previously saved tab which requires a login on the page (and when I have not previously - in that session - logged into the password manager).

Are these issues related, and should they indeed be consolidated into one bug, or should we create a meta-bug for overall tracking and split this into separate reports (I have not noticed any passwords missing upon logging into the password manager, but then again, I have over a hundred stored passwords, so it would be difficult to say).

Apologies if this appears as bugspam, but I'm trying to figure a good way to report this and clarify what seems to be getting a bit muddy.

Lewis
Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
Assignee: bryner → nobody
Version: 1.0 Branch → Trunk
I noticed this in the 2.0 RC2.  I hit "Show Passwords" and tried to cancel when the master password window came up but it just kept popping up over and over.  No way to get out of that state other than to enter the master password.  When I finally did so a number of show password windows popped up.
If you try to press "Cancel", the dialog box will reappear as many times as there are saved passwords.  If you give up and finally enter the password correctly, it will fail to show the first n passwords, where n is the number of times you hit cancel.  If n = the number of stored passwords, I believe the Passwords window will appear anyway, but will not display any passwords.

Using Minefield/3.0a1-20061008, confirmed also on Firefox/2.0RC2
I actually thought that this problem had gone away in SeaMonkey, however, what I've found (I usually start SeaMonkey with MailNews first) is that when I have more than one account open (set of folders un-collapsed) which require login in order to check for new messages at startup, I am prompted with at least that many password requests. Naturally, as they stack one on top of the other, I may get the first two characters of my master password entered, and the second prompt will pop up on top of the first one, interrupting my typing. When I look up to click OK, the dialog box will then be missing the first two characters (entered in the box underneath/behind that one), and the attempt will fail, presenting me with yet another dialog to complete.

Currently, I'm using:

Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.9a1) Gecko/20060904 MultiZilla/1.8.3.0a SeaMonkey/1.5a

Lewis
Bug still alive in Firefox 2.0.

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1) Gecko/20061010 Firefox/2.0
I can also confirm that this bug is present in a recent version of Firefox 2.0

Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.3) 
Gecko/20070309 Firefox/2.0.0.3

This problem has also been reported in Bug 358617, which describes a second problem as well.

This bug can potentially result in data loss for people who have many passwords (I have around 100) saved and do not realize that it is possible to get out of the loop by clicking cancel 100 times. Therefore, I think this bug deserves a higher priority than normal. But that is just my two cents.
Status: NEW → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Oops, duped to wrong bug number previously.
Just an update, this was also present in 1.0, as seen here:
https://bugzilla.mozilla.org/show_bug.cgi?id=269138
This is not a dupe of bug 381164! It still happens with Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv:1.9b1) Gecko/2007110903 Firefox/3.0b1

With beta 1 I get an empty show password dialog when canceling the master password dialog (as described in initial comment). With Firefox 2 it's more acute and I have to hit cancel for any stored password which is frustrating if you have a huge amount of passwords stored.
Status: RESOLVED → REOPENED
OS: Linux → All
Resolution: DUPLICATE → ---
The issue in this bug was fixed by bug 381164.

The old password manager essentially did the decryption in a login object's getter, and the cancel action was only applied to the current operation. Triggering this from a loop (e.g., "view all passwords") led to having to click cancel multiple times.

The new design decrypts all entries for the caller, and aborts if the user clicks cancel, so this problem is prevented.
Status: REOPENED → RESOLVED
Closed: 17 years ago
Resolution: --- → FIXED
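The two designs contrasted in the comment above, as an added JavaScript model that is not part of the original bug thread and is not Mozilla's code. `KeyStore`, `listLoginsOld`, `listLoginsNew` and the sample entries are hypothetical, and string reversal stands in for decryption.

```javascript
// Constructed model of the two designs. All names are hypothetical and are
// not identifiers from the Firefox code base.
class Cancelled extends Error {}

// Stand-in for the security device: locked until a master password is given.
class KeyStore {
  constructor(replies) {
    // Scripted user input: null means "Cancel", any other reply unlocks.
    this.replies = [...replies];
    this.unlocked = false;
    this.prompts = 0;
  }
  decrypt(secret) {
    if (!this.unlocked) {
      this.prompts++;
      if (this.replies.shift() == null) throw new Cancelled();
      this.unlocked = true;
    }
    return [...secret].reverse().join(''); // placeholder, not real crypto
  }
}

// Old design: every entry decrypts on access and a cancel fails only that
// entry, so the loop goes on to prompt again for the next one.
function listLoginsOld(store, entries) {
  const shown = [];
  for (const e of entries) {
    try {
      shown.push({ host: e.host, password: store.decrypt(e.secret) });
    } catch (err) {
      if (!(err instanceof Cancelled)) throw err;
    }
  }
  return shown;
}

// New design: decrypt all entries for the caller; the first cancel aborts
// the whole call and the caller gets nothing to display.
function listLoginsNew(store, entries) {
  try {
    return entries.map(e => ({ host: e.host, password: store.decrypt(e.secret) }));
  } catch (err) {
    if (err instanceof Cancelled) return [];
    throw err;
  }
}

// Constructed sample data (secrets are reversed strings).
const SAMPLE = ['a', 'b', 'c', 'd'].map(h => ({ host: `${h}.example`, secret: `${h}-wp` }));
```

With replies `[null, null, 'master']` the old path prompts three times and returns only the last two of the four entries, which is the missing-entries symptom reported earlier in the thread; the new path prompts once and returns an empty list on cancel.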
Justin, you are right. Sorry for reopening this bug. I was only fixed to the second case from comment 0. We still get an empty password manager when canceling the master password dialog. In that case it looks like all passwords are gone. Shouldn't the password manager dialog be stopped from opening in that case? I could file a new bug if you agree and there is no already existing one.
Blocks: 381164
Status: RESOLVED → VERIFIED
No, I think that's intended design. If you don't enter a master password, we can't decrypt the data, so there are no logins to show. Perhaps we could invent some UI to explain what happened, but I think this is more of a case of "Doctor, it hurts when I do this... Then don't do that!" :-)
(In reply to comment #27)
> No, I think that's intended design. If you don't enter a master password, we
> can't decrypt the data, so there are no logins to show. Perhaps we could invent
> some UI to explain what happened, but I think this is more of a case of
> "Doctor, it hurts when I do this... Then don't do that!" :-)

From a developer point of view it can be right. But I think normal users will be irritated when no site and usernames are listed. Instead of leaving the user in such a situation and showing an empty window we should present a dialog like "Passwords cannot be shown until Master Password is given". 
Product: Firefox → Toolkit