Closed Bug 475943 Opened 17 years ago Closed 17 years ago

'Saved passwords' autofills wrong password when multiple accounts exist with similar usernames

Categories

(Toolkit :: Password Manager, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: bugzilla, Unassigned)

References

()

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1b2) Gecko/20081201 Firefox/3.1b2 This problem is exhibited when using Firefox to fill a login prompt with a saved password. If multiple username/passwords combinations have been saved that are identical except for case differences in the username, it is possible for the wrong password to be autofilled. Reproducible: Always Steps to Reproduce: 1. Go to an site with a long prompt that has case-sensitive usernames. 2. Sign in first using one username and password. The username used should have both upper- and lower-case characters. Submit the form and acknowledge that Firefox should save the password. 3. Sign in second time using another username and password, the username should be the same as used in step #2, except it should be all lower-case. Use a different password. Submit the form and acknowledge that Firefox should save the password. 4. Return to the login prompt and type the all lower-case username from step #3. Press the tab key to move the cursor to the password field, trigger Firefox to fill the password. 5. Note that the lower-case username has been replaced with the multi-case username from step #1, and the password that is auto-filled is the password used in step #1. The correct behavior would be for the password from step #2 to have been filled, since that matches the username that was typed. Actual Results: The username entered was replaced with another stored username, identical except for the case. The password that is auto-filled is the one from the wrong username, not the username typed. Expected Results: The correct behavior would be for the password from step #2 to have been filled, since that matches the username that was typed. The usernames and passwords were originally saved using a previous 3.0 version of Firefox, which handles the similar usernames when autofilling passwords without any problem. The issue was first noticed in beta 3.1b2.
Component: Location Bar and Autocomplete → Password Manager
Product: Firefox → Toolkit
QA Contact: location.bar → password.manager
I've confirmed this issue still exists in Firefox 3.1b3
This is probably partially a result of the fix for bug 447788. We're kind of screwed no matter which way we do things, but I think the current behavior is better. Having multiple accounts (with different passwords) that differ only in case is already full of fail for a multitude of reasons, so I'm not really inclined to want to support that use-case.
Blocks: 447788
Status: UNCONFIRMED → RESOLVED
Closed: 17 years ago
Resolution: --- → WONTFIX
See the discussion for 499649. WONTFIX is really an unacceptable resolution for this issue. Users clearly HAVE multiple accounts that differ in case, and this fix has made the password management system totally unusable for them. Bug 447788 was a very minor inconvenience with a simple workaround, while the 'fixed' version makes it totally impossible to use the password manager for many users on some sites.
I agree with Craig's comment #3. Under SeaMonkey 1.1.18, I had two similar usernames (one lower case, the other proper; otherwise identical) for a particular site. This worked fine, and I was able to select whichever one I wanted. Under: Mozilla/5.0 (OS/2; U; Warp 4.5; en-US; rv:1.9.1.11) Gecko/20100707 Lightning/1.0b2 Mnenhy/0.8.3 SeaMonkey/2.0.6 Even if I strike over the uppercase first letter, as soon as I tab to the next field (password), the username switches back to proper case, and the login fails. To work around, I had to actually delete one of the saved usernames. Under normal circumstances, this isn't likely to happen. In my case, I didn't even realize when I set up the second account that I already had the first login, and simply used a "common" (to me) username. Previously, this was not an issue. Now, it is a major inconvenience. Please re-open, and mark cross-platform (I am on OS/2 - eCS, actually).
You need to log in before you can comment on or make changes to this bug.