Currently, the only way to reset the master password (and, therefore, clear all passwords to start anew) is to go to chrome://pippki/content/resetpassword.xul. There is no UI linking to this page that I can find. I think a simple "Reset Master Password" button added to the left side of the "Change Master Password" dialog would work well. I will copy over the pippki version to toolkit as resetmp to be with its neighbors changemp and removemp.
This appears to have been WONTFIXed in bug 270331, although I'm not sure I understand the rationale.
Wouldn't the rationale be that people who have a Master Password set are concerned about people who can access their machine, and therefore those people wouldn't want others to have the ability to wipe their passwords?
I don't think the intention of a master password is to prevent data deletion. At best that would be a hack, since they could just delete signons2.txt and key3.db from the profile manually. However, I might buy an argument that bug 385951 blocks fixing this bug, as a 3rd party could be tempted to click an easy-to-find "Reset MP" button to avoid the nagging master password prompt.
If the problem is that people are concerned with what an external link or 3rd party app might do unintentionally, what is wrong with throwing up a dialog box saying "You are about to remove your master password, including all information protected by it - passwords, certificates, etc.". This isn't something a user will do often or lightly, so there is little or no probability of getting into a dialog-box click fatigue. However, making this so that you have to be a computer expert just because you forgot a password (although not mutually exclusive, that is a mighty small subset of the total) is downright counter intuitive, and certainly not practical.
wouldn't block on this; blocking‑thunderbird3-
Flags: blocking-thunderbird3? → blocking-thunderbird3-
Isn't this sufficiently done with the checkbox in the preferences pane? Simply uncheck the "Use a master password" checkbox to reset your master password, and then it prompts for your current password before it actually resets it.
That doesn't work as a practical matter because this is an issue where the current password has been forgotten/unavailable - if you knew the password, you wouldn't need to clear it, you would just change it (or leave it removed).
Component: Password Manager → Security: PSM
Product: Toolkit → Core
I think this belongs in the password manager. Note that we're currently advising users in this situation to visit a chrome:// url to reset their password: https://support.mozilla.org/en-US/kb/reset-your-master-password-if-you-forgot-it
Component: Security: PSM → Password Manager
Product: Core → Toolkit
The dialog being referred to isn't part of password manager though as MP is about more than just password manager encryption. https://dxr.mozilla.org/mozilla-central/search?q=setPassword.meter.label
I guess what I meant was it seems like we should have some sort of (more discoverable) UI for the case where the user forgets their master password, rather than telling people to manually visit a chrome:// url.
(In reply to David Keeler [:keeler] (use needinfo?) from comment #10) > I guess what I meant was it seems like we should have some sort of (more > discoverable) UI for the case where the user forgets their master password, > rather than telling people to manually visit a chrome:// url. ... and that that UI should probably be near about:preferences -> Security -> Logins -> "Use a master password", since I imagine that's where most users encounter that situation.
4 months ago
Priority: -- → P4
You need to log in before you can comment on or make changes to this bug.