Closed Bug 286969 Opened 20 years ago Closed 18 years ago

No warning message, when passwords are stored without a master password

Categories

(Toolkit :: Password Manager, enhancement)

Product:
Toolkit
Component:
Password Manager
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 352692

People

(Reporter: askwar, Unassigned)

References

(
URL
)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050227 Firefox/1.0.1 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050227 Firefox/1.0.1 When a user stores a username/password combination on webpages (like http://web.de/), Firefox does not warn the user about possible security implications of this. The Mozilla Suite used to present a lengthy, informative warning message. It would be good, if this warning message would be shown by Firefox as well. Especially the "simple" non-IT users of Firefox might be unaware that it's very easy for an eavesdropper to "spy" out the passwords stored in Firefox (by going to Preferences -> Privacy -> Saved Passwords -> View Saved Passwords -> Show Passwords -> Yes), if the PC is left unattended. As said, it would be good if there were a warning message, because if there were one, the user would be informed - even if he chooses to ignore the warning message and not even read it at all. For a start, it would be good if this message would be shown at least once - exactly like it is in the Suite right now. The better solution would be, if the mesage would be shown ALL the time if username/password is stored *AND* no master password is set. Reproducible: Always Steps to Reproduce:
Status: UNCONFIRMED → NEW
Ever confirmed: true
Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
Assignee: bryner → nobody
Version: unspecified → Trunk
See also bug # 91916 Master password not required to be set when encrypting sensitive information There is a lot of controversy around the Mozilla/Firefox Password Manager, and lack of security when storing signons without a master password. Being prompted to set a Master Password should be the default, when first saving passwords. The recommendation in this bug to provide additional information (like Netscape 7.1/7.2), is an excellent way of educating users. The Change Master Password dialog even includes a password strength meter - if only users knew about it! In enterprises where deployment is automated, there should be a preference to prompt for a master password. In summary: * prompt for the creation of a Master Password when a password is saved for the first time * if not the default, at least allow a user pref, eg. signon.requestMasterPasswordSet, to flag that a user should be requested to set their Master Password at next password retrieval or setting * review the Netscape 7.1/7.2 information to help users understand the importance of a secure Master Password.
reluctantly duping to a newer bug, but more people seem to be watching that one
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
You need to log in before you can comment on or make changes to this bug.