Closed Bug 352692 Opened 18 years ago Closed 14 years ago

Inform users that saved passwords are not encrypted/secure (when master password is not used)

Categories

(Toolkit :: Password Manager, enhancement)

Product:
Toolkit
Component:
Password Manager
Type:
enhancement
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED WONTFIX

People

(Reporter: ganeshmani, Assigned: johnath)

References

Details

(Keywords: privacy, uiwanted, Whiteboard: [sg:want]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.0.6) Gecko/20060728 Firefox/1.5.0.6

Firefox shows the saved PASSWORDS in PLAIN TEXT to anybody who wishes to see them.

Very few users know about the MASTER PASSWORD feature and are at risk of losing all their important passwords to sneaky people.

So this "feature" is a major security threat to MILLIONS OF NAIVE FIREFOX USERS.

Reproducible: Always

Steps to Reproduce:
1.Go to Tools>Options
2.Privacy>Passwords
3.View saved Passwords>Show passwords 

Actual Results:  
You can see all the saved passwords!!!

Expected Results:  
All the users who dont know of the master password feature (and trust me there are many) should have a better method of protecting their passwords.

Firefox should ideally not reveal passwords in plain text so easily to anybody who wants to see them.
Summary: Security alert in passwords!!! → Huge Security Alert in Passwords!!!
Version: unspecified → 1.5.0.x Branch

*** This bug has been marked as a duplicate of 259996 ***
Group: security
Status: UNCONFIRMED → RESOLVED
Closed: 18 years ago
Resolution: --- → DUPLICATE
Before dupe-ing to WONTFIX bug 259996 (hide the "show passwords" button) I'd like to explore a different UI approach in this bug. CC'ing beltzner and mconnor and adding "uiwanted".

We WONTFIXed 259996 because it's a false sense of security: the convenient button goes away, but passwords are no less vulnerable to local access snooping. Why are the passwords vulnerable? because, as the reporter says, "very few users know about the Master Password".

So an alternate approach might be to *teach* people about it. What if the "Save Password" prompt itself announced the insecure state? So if there's no Master Password, the prompt adds a line

    Do you want Firefox to remember this password?
    [Please create a Master Password to secure your saved passwords]
       or maybe
    [Master Password not set, passwords not encrypted]

If you've got a master password you get either the plain prompt as now, or we could affirmatively add

    [Master password in use, passwords saved securely.]
      (or "passwords secure" or "passwords encrypted")

I raise this because ganeshmani's freak-out is a common occurance when people discover the default insecure state. Apparently most people who don't read the help (and _no_one_ reads the help) assume that since Firefox has a reputation as "safe" we can also do magic keyless cryptography on saved passwords.

The old suite had a one-time wordy warning dialog about obscuring vs. encrypting that was in theory supposed to help, but people blew past that or never even got it if they weren't the first user. I do *not* want that type of solution. I want a state indicator/reminder every time that prompt comes up. I'd be happy to be more subtle than my suggestions if you can come up with something, but we're currently severely limited in what we can do because we use the prompt service for embedding reasons. Anything fancier and we'd have to write a custom dialog and still fallback to the prompt service for the embedding case.
Status: RESOLVED → UNCONFIRMED
Keywords: uiwanted
Resolution: DUPLICATE → ---
Summary: Huge Security Alert in Passwords!!! → Inform users passwords are not secure
Interesting idea.  The dialog is already kinda big, but I could imagine adding something to the effect of "Firefox does not encrypt saved passwords [learn more]".

I'd rather not point users toward the Master Password feature as if it is the only solution.  OS-level locking (perhaps combined with OS-level file encryption) is better for many users, IMO.  Perhaps a "learn more" link could describe both OS-level locking and the Master Password feature, and let users decide whether they want to use one or the other or neither?

OS-level locking:
* Enter your password each time you start using your computer.
* You can easily lock the computer as you leave by pressing Start+L.
* Makes it much harder to install keyloggers.
* The dialog in which you enter the password cannot be spoofed, thanks to Ctrl+Alt+Delete.
* Can be combined with per-folder encryption.
* Protects not only your web passwords, but also your history (which may reveal porn surfing), cookies (which may allow access to webmail), non-browser documents, etc.

Firefox Master Password:
* Enter your master password each time you use a saved web password (but not more than once in a 5-minute period).
* Having your web passwords encrypted is good if your computer is stolen.
* Can be defeated by keyloggers.
Severity: critical → enhancement
Status: UNCONFIRMED → NEW
Ever confirmed: true
OS: Windows XP → All
Summary: Inform users passwords are not secure → Inform users that saved passwords are not encrypted/secure (when master password is not used)
Version: 1.5.0.x Branch → Trunk
(In reply to comment #3)
> Interesting idea.  The dialog is already kinda big, but I could imagine adding
> something to the effect of "Firefox does not encrypt saved passwords [learn
> more]".

I'd prefer, instead of a button, the "learn more" link, perhaps with less scary text. "Secure your passwords. [learn more]" for example.  I agree that both OS and Firefox security models should be explained.  It a great way to educate user about overall security of all their data.
"Secure your passwords. [learn more]" sounds great.
Keywords: privacy
Whiteboard: [sg:want]
Johnathan, is this something you want to look at?
Flags: blocking-firefox3?
Clearing blocking flag, johnath, let me know if you think this is serious enough by re-noming! :)
Flags: blocking-firefox3?
re-nominating for 3.next -- we still regularly get people freaking out when their friends and co-workers can bring up their password list with a couple of clicks, and millions more storing critical data like bank passwords blissfully unaware that there's a more secure option or how easily anyone with a few seconds access to their machine could view them or copy the unprotected files onto a USB stick.

People _assume_ the passwords are safe, because we're Firefox and have a reputation for security. It's quite disillusioning for some people, and it's no fair blaming them for not using a feature they didn't know existed.

A gentle nudge with a link to on-line help is all I'm asking for :-)
Assignee: nobody → johnath
Flags: blocking-firefox3.1?
Educating users is always a tricky way out of a security problem, but in this case I think a gentle nudge linking to online help isn't a bad idea. With things like bug 369963 I'm a little hesitant to get everyone on Master PWs, but even still, they are far better than not having them.

I actually don't know how much pain it would be to add a link to that notification bar - we don't do it elsewhere, and adding the function as a fourth button seems like it would really crowd the UI.  I guess we could just add the link inline with the l10n string, but that seems kind of icky.  The API for showing a notification bar just takes a severity, string, and an array of buttons though, so this is going to end up hacky, unless we write new API for it (also hacky.)

Do we at least have the SUMO page link somewhere, for playing?  :)  Does it exist?

IMO this doesn't block firefox3.1, but it's a nice to have, and if there is a reasonably clean way to introduce some link text into the notification, could be an easy win and a nice way to use SUMO.

I'll leave this one assigned to me for the time being, but I've been asked to spend some time with the mobile group for a while, so I am not actively working on this bug.
Product: Firefox → Toolkit
As per comment 12, not blocking for 3.1
Flags: blocking1.9.1? → blocking1.9.1-
blocking2.0: --- → ?
Nothing seems to have changed since we decided not to block 1.9.2 on this so I don't know why we'd now block 1.9.3 on it.
blocking2.0: ? → -
One difference is that Firefox 4 has a broader scope of the kinds of UI changes we're willing to take than either 3.1(3.5) or 3.6 were. And if we don't block on this it will be forgotten about again. Re-noming for 1.9.3: I'd like one of the UE folks to say we don't want it if you don't mind.
blocking2.0: - → ?
The master password user experience isn't really something I want to advocate. If we want to make that better, we should, but there's no way we're going to recommend that users employ the master password until bug 177175 is fixed, which itself it really dependent on bug 499233

In other news, I think the better approach is solutions like bug 106400 or even bug 496660.

Finally, I'm pretty convinced that this is WONTFIX and am resolving as such. The solutions here are (in order or preference!):
 - create a by-default secure password store (bug 106400, bug 496660)
 - improve the Master Password experience and require use of a master password (bug 177175 and some ui design needed) the first time a password is saved

I'll note that the second option there is only slightly different than what's being requested here, but I think the difference between "first time use" and "every time use" is pretty important.
Status: NEW → RESOLVED
Closed: 18 years ago14 years ago
Resolution: --- → WONTFIX
blocking2.0: ? → ---
You need to log in before you can comment on or make changes to this bug.