Closed Bug 38518 Opened 25 years ago Closed 25 years ago

saving everything, except password

Categories

(Toolkit :: Form Manager, enhancement, P3)

VERIFIED INVALID

People

(Reporter: andre, Assigned: morse)

Details

What about saving everything except the password. Currently there are only the options to save everything or nothing. But if I think it's insecure to save both password and username, mozilla could save everything except input fields with type=password - an additional button or a small checkbox would be fine.
It's not insecure if you use encryption. Whether or not to use encryption is a choice that is up to the user. And why are you more concerned about the security of password fields than about a non-password input field for your credit-card number or your social security number?
Status: UNCONFIRMED → RESOLVED
Closed: 25 years ago
Resolution: --- → INVALID
agreed
Status: RESOLVED → VERIFIED
agreed too :) my thought was, that I've to enter user/password combinations at many sites, me, I'm remembering most of the passwords without writing them down, I just have to look for the correct user IDs and Names...
From Andre's last comment, it sounds like there's a confusion here between autofill (a.k.a. wallet) and single-signon (a.k.a. password manager). This bug was filed against wallet but from his last comment I think he is referring to single signon. In which case my comments about the social-security and credit-card fields won't apply but my comment about encryption is still applicable. For the record, here are the major differences between wallet and single-signon: Single signon saves data for a particular form and prefills that form when the site is revisited in the future. It does not prefill those values on a form from any other site. Wallet saves generic data from one site and attempts to prefill it on forms that it encounters from other sites. Single signon is active -- whenever you submit a form a pop-up appears asking if you want to save the values, and when you visit a site you automatically get the values prefilled for you. Wallet is passive -- you have to give an explicit command to capture the values and another explicit command to have values prefilled for you.
You're right, I thought of the password manager (I never used the wallet, and I think I'll never use it (revisist-opionen: 30 days)) - but single signon enters both public (user ID etc) and private data (passwords etc.), a nice feature would be if I could decide only to fill out those forms completely where no sensitive data is submitted / I'm mainly concerned about the local security, when non-password field with credit-card number would be expected to enter I wouldn't enter, but the local security is important, if a) computers are shared OR b) if someone loses his notebook :( OR c) somebody has access to your computer (eg. in a firm) even if it's your own notebook - the win2000 password shouldn't hinder anybody to enter win2000 and I don't know how the passwords are stored internally in mozilla, mozilla didn't prompt me to enter my master password for weeks now, isn't there a master password anymore? Summary: If I do not want my password stored on disk (neither encrypted nor text) and I do not want to enter the usernames etc. again and again I (think) I can't simplify my work with mozilla...
Again, encryption should alleviate your fears. Let me tell you what the status of encryption is, and why you haven't needed a master password for the last few weeks. Previously we didn't have strong encryption -- we simply XOR-ed the master password with the data. A determined hacker could have cracked that and we knew it. Our intention all along was to integrate with a true encryption mechanism. We have such a mechanism in our cartman (a.k.a. Personal Security Manager or PSM) module which we are now integrating with. About two weeks ago I did all the restructuring to interface to PSM and therefore removed all the master-password management from my side of the interface; PSM will manage all that. But PSM is not ready for prime-time yet and so temporarily does a dummy encryption which doesn't involve any master password. That should change any day now.
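Why XOR-ing the master password with the data, as described in the comment above, gives no real protection, shown as an added illustration that is not part of the original thread and not Mozilla's code. It assumes a repeating-key XOR; the record layout, the sample master password and all function names are constructed for the example.

```python
from itertools import cycle

def xor_obfuscate(data: bytes, password: bytes) -> bytes:
    """Repeating-key XOR; the same call obfuscates and de-obfuscates."""
    return bytes(b ^ k for b, k in zip(data, cycle(password)))

def leaked_key_stream(stored: bytes, known_plaintext: bytes) -> bytes:
    """stored XOR plaintext == key, so any known prefix exposes key bytes."""
    return bytes(c ^ p for c, p in zip(stored, known_plaintext))

def shortest_period(stream: bytes) -> bytes:
    """Smallest unit that, repeated, reproduces the leaked key stream."""
    for n in range(1, len(stream) + 1):
        if all(stream[i] == stream[i % n] for i in range(len(stream))):
            return stream[:n]
    return stream

# Constructed sample values (hypothetical record layout, not Mozilla's format).
MASTER = b"hunter2"
RECORD = b"username=andre@example.org;password=correct horse"
STORED = xor_obfuscate(RECORD, MASTER)

def demo():
    # The non-secret half of the record (the user ID the reporter is happy
    # to have saved) is exactly the known plaintext that unmasks the rest.
    public_part = b"username=andre@example.org"
    key = shortest_period(leaked_key_stream(STORED, public_part))
    return key, xor_obfuscate(STORED, key)

if __name__ == "__main__":
    key, record = demo()
    print("master password bytes recovered from stored data:", key)
    print("full record readable without being told the password:", record)
```

A cipher with a key derived from the master password, which is what the PSM integration is meant to provide, does not leak the key when part of the plaintext is known.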
perhaps those (major) impacts should be reported somewhere, component owners should post some warnings performing grave changes, I also don't know why the flash plugin does not work anymore and how to install java for mozilla (if possible) after having seen that netscape beta came with jre13... I regularly visit the status update page and I take a nightly build (almost) every day, do I miss a news source? To change this bug from useless to almost useless, what about adding a checkbox [ ] never prompt me again (entering my master password in this session), currently the user is prompted only once, but leaving my workspace without closing mozilla is usual, if I forget to lock the workstation a bad person could sell/buy things on websites only secured with a onetime login (opening "view stored passwords manager" - which could be secured with master password too)... don't think of me having fear of everything, but world becomes mobile and I'm working with notebooks for years now and I think it's important to be cautious
Your caution is certainly well founded. Here are answers to some of your questions. I did post this change when it occurred. It was sent out to the seamonkey mailing list which is also mirrored in a newsgroup. There is a timeout on the master password. I had originally implemented a fixed timeout of 30 minutes when this was under control of my module. Now that the master password is handled by PSM, we use their facilities. They have a timeout as well and the amount of time is even changeable by the user. I had a logout feature allowing you to lock your database without having to exit the browser. I've been told that PSM provides that as well.
thx having so much endurance, hope PSM will satisfy everyone's needs...
Product: Core → Toolkit
QA Contact: bugzilla → form.manager