Closed Bug 455506 Opened 16 years ago Closed 16 years ago

Stored password shouldn't be erased if authentication fails

Categories

(Toolkit :: Password Manager, defect)

Version: 1.8 Branch
Type: defect
Priority: Not set
Severity: normal

RESOLVED DUPLICATE of bug 379997

People

(Reporter: L.Wood, Unassigned)

Details

I have a bunch of stored logins/passwords in my browser that have been there for over five years. Recently authentication using one of those passwords failed. The password was then promptly deleted from the browser. It was as if it was never there.

It's not good to assume that 'hey, no longer of use because I got a 401, just delete it'. Backend authentication servers can fail; a password that is rejected at this time may be accepted later when the backend auth comes back up, for example.

Deleting the password and login username should be entirely under the control of the user. Deletion shouldn't happen just because the user was unlucky enough to log in while something was down. I'd expect a 'sorry, this login/password combination appears to be invalid. Delete invalid password?' dialog to be presented to the user before action is taken. And then, I'd expect only the password to be deleted. I'm now wondering what my username for that site was.

(This is, I think, an app security management issue, rather than an autocomplete issue. Setting to security component.)

Are you sure the password is gone, as opposed to simply not replaying on the page anymore? In order to prevent leaking passwords to malicious pages we only prefill passwords when we find matching information in the password form, so if the site changed it's possible that we don't recognize it as the same form. In that case, however, the password would still be stored and if you forgot it you can look it up in options, type it into the rejiggered page, and it'll learn the new form.

As far as I know we do not look for failures and delete passwords.

To see if the password is still stored, open the Options/Preferences dialog, click on the security tab, and then the "Show Passwords" button. If you have set a master password you'll be prompted to enter it.
Component: Security → Password Manager
Product: Firefox → Toolkit
QA Contact: firefox → password.manager
Version: 2.0 Branch → 1.8 Branch
It's gone. I checked "show passwords" (which should be called "show logins") before submitting this. What would be the point of storing it but not using it?

Sequence was:
- I go to page
- form is autofilled with login/password
- I submit form
- get 401 not authorized
- go back to page, form is not autofilled.
- check "show passwords"
- file bug.
What version of Firefox was this problem with?
Firefox 2.0.0.16.
This was fixed in FF3.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
(In reply to comment #2)
> What would be the point of storing it but not using it?

It'd be a bug, but a different kind of bug than deleting it altogether.