Closed
Bug 286969
Opened 20 years ago
Closed 18 years ago
No warning message, when passwords are stored without a master password
Categories
(Toolkit :: Password Manager, enhancement)
RESOLVED
DUPLICATE
of bug 352692
People
(Reporter: askwar, Unassigned)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050227 Firefox/1.0.1
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.6) Gecko/20050227 Firefox/1.0.1

When a user stores a username/password combination on webpages (like http://web.de/), Firefox does not warn the user about possible security implications of this. The Mozilla Suite used to present a lengthy, informative warning message. It would be good if this warning message were shown by Firefox as well.

Especially the "simple" non-IT users of Firefox might be unaware that it's very easy for an eavesdropper to "spy" out the passwords stored in Firefox (by going to Preferences -> Privacy -> Saved Passwords -> View Saved Passwords -> Show Passwords -> Yes) if the PC is left unattended.

As said, it would be good if there were a warning message, because if there were one, the user would be informed - even if he chooses to ignore the warning message and not even read it at all.

For a start, it would be good if this message were shown at least once - exactly like it is in the Suite right now. The better solution would be for the message to be shown ALL the time if a username/password is stored *AND* no master password is set.

Reproducible: Always

Steps to Reproduce:
Updated•20 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Comment 1•19 years ago
Mass edit: Changing QA to default QA Contact
QA Contact: davidpjames → password.manager
Updated•18 years ago
Assignee: bryner → nobody
Version: unspecified → Trunk
Comment 2•18 years ago
See also bug # 91916: Master password not required to be set when encrypting sensitive information

There is a lot of controversy around the Mozilla/Firefox Password Manager, and lack of security when storing signons without a master password. Being prompted to set a Master Password should be the default when first saving passwords.

The recommendation in this bug to provide additional information (like Netscape 7.1/7.2) is an excellent way of educating users. The Change Master Password dialog even includes a password strength meter - if only users knew about it!

In enterprises where deployment is automated, there should be a preference to prompt for a master password.

In summary:

* prompt for the creation of a Master Password when a password is saved for the first time
* if not the default, at least allow a user pref, e.g. signon.requestMasterPasswordSet, to flag that a user should be requested to set their Master Password at next password retrieval or setting
* review the Netscape 7.1/7.2 information to help users understand the importance of a secure Master Password.
Comment 3•18 years ago
reluctantly duping to a newer bug, but more people seem to be watching that one
Status: NEW → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Updated•16 years ago
Product: Firefox → Toolkit