Closed Bug 428709 Opened 17 years ago Closed 17 years ago

Same password used for multiple sites on same domain

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
normal

RESOLVED DUPLICATE of bug 263387

People

(Reporter: threexk, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.8.1.13) Gecko/20080311 Firefox/2.0.0.13

If passwords are remembered for a single username on multiple sites on the same domain (e.g., example.com/site1 and example.com/site2) Password Manager will fill in the same password for all sites. The problem is Firefox only stores passwords based on the domain name.

This is somewhat of a security issue: A user of site example.com\site1 could too easily submit their password to a malicious site example.com\site2.

The desired behavior would be to associate full URLs with passwords by default. I believe it was not implemented like this because URLs are somewhat dynamic and the same password form might have a different URL between visits. However, it seems like it would be a more secure approach for Password Manager to interpret the URL in the strictest fashion unless the user defines a more flexible context (e.g. through pattern specifiers such as example.com/site1/*, example.com/*).

Reproducible: Always
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → DUPLICATE
Product: Firefox → Toolkit
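
The scoping difference described in the report above, as an added example that is not part of the original bug report and is not Firefox's Password Manager code: it compares a host-only lookup with an exact-path lookup that honours the `/*` pattern the reporter suggests. The `https` scheme, the function names and the stored login are assumptions made for illustration.

```javascript
// Added illustration, not Firefox code. Names and sample data are hypothetical.
const savedLogins = [
  // Constructed entry: saved while logging in to site1.
  { scope: "https://example.com/site1/login", username: "alice", password: "pw-site1" },
];

// Behaviour the report describes: the store is keyed on the host only,
// so the path of the page being filled plays no part in the lookup.
function lookupByHost(logins, pageUrl) {
  const host = new URL(pageUrl).host;
  return logins.filter((l) => new URL(l.scope).host === host);
}

// Behaviour the report asks for: exact URL path by default; a scope ending
// in "/*" is the user's explicit opt-in to a path prefix.
function scopeMatches(scope, pageUrl) {
  const page = new URL(pageUrl); // URL parsing resolves "../" segments first
  const wildcard = scope.endsWith("/*");
  const base = new URL(wildcard ? scope.slice(0, -1) : scope);
  if (base.origin !== page.origin) return false;
  if (!wildcard) return base.pathname === page.pathname;
  // base.pathname ends in "/", so "/site1/*" does not cover "/site10/...".
  return page.pathname.startsWith(base.pathname);
}

function lookupByScope(logins, pageUrl) {
  return logins.filter((l) => scopeMatches(l.scope, pageUrl));
}

const site1 = "https://example.com/site1/login";
const site2 = "https://example.com/site2/login";
// Host-only lookup offers site1's login on site2; scoped lookup does not.
console.log("host-only on site2:", lookupByHost(savedLogins, site2).length);
console.log("scoped on site2:   ", lookupByScope(savedLogins, site2).length);
console.log("scoped on site1:   ", lookupByScope(savedLogins, site1).length);
```

The exact-match default trades convenience for safety in the way the reporter anticipates: a login form whose URL changes between visits is no longer filled until the user widens the scope.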