Password fill algorithm flawed...




Password Manager
9 years ago


(Reporter: Mike Y, Unassigned)


9 years ago
User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv: Gecko/2009011912 Firefox/3.0.6
Build Identifier: Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10.4; en-US; rv: Gecko/2009011912 Firefox/3.0.6

The algorithm for the password filler seems to be:

1) Password field is the first input of type 'password' (that part is fine).
2) Username is the text field one above the 'password' field (this is flawed).

At first glance 2) seems like a reasonable algorithmic step, as of course most login screens will function like this... HOWEVER, in forms where, for example, a user is editing their profile, a password field is required, but a username is not (as that is already known and they shouldn't really be allowed to edit their username!), this populates the 'username' into the wrong field (as the username field is omitted).

The correct algorithm might be:

1) Does the form have a field of type 'password'?  If not do NOT fill, ELSE:
2) If there are two password fields then assume this is an update type of form and only populate the first occurrence of the password (note that the second occurrence is assumed to be a confirmation password).
3) If there is only one password field, then count the number of other visible fields in the form.  If it's 2 or 3 then assume the field above the password field is the username... ELSE
4) There are 4 or more fields, so make a guess at the username field based on a sensible guess:

In order of preference:
'username' 'user name' 'user' 'name' 'email' etc...

This algorithm would work better... it needs work as I've just knocked that together in a couple of minutes but it's much better than the current algorithm.

Reproducible: Always


9 years ago
Component: General → Password Manager
Product: Firefox → Toolkit
QA Contact: general → password.manager
Very simple to set up a test case for this. Form field names can be drastically different.

This becomes rather critically important to the user when credit card security information is entered into a form input type=password! Next time they go to log into a site their credit card information pops up in the username field.
Last Resolved: 9 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 499223
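
Added example (not part of the bug report and not Firefox's code): the fill behaviour the reporter describes next to the proposed steps 1-4, run over constructed forms, including a checkout form like the one in the comment above. Assumptions: a form is modelled as an array of its visible inputs without buttons, step 3's count is read as the total number of fields, and "the field above" is the nearest text field before the password field.

```javascript
// Added example, not Firefox code. A form is an ordered array of its visible
// input fields, { type, name }; buttons are left out (assumption).
const USERNAME_HINTS = ['username', 'user name', 'user', 'name', 'email'];

// Index of the nearest text field above position p, or null if there is none.
function textFieldAbove(fields, p) {
  for (let i = p - 1; i >= 0; i--) {
    if (fields[i].type === 'text') return i;
  }
  return null;
}

// Behaviour the report describes: first password field, text field above it.
function describedFill(fields) {
  const p = fields.findIndex(f => f.type === 'password');
  return p === -1 ? null : { password: p, username: textFieldAbove(fields, p) };
}

// The report's proposed steps 1-4 (step 3 read as total field count <= 3).
function proposedFill(fields) {
  const pw = fields.flatMap((f, i) => (f.type === 'password' ? [i] : []));
  if (pw.length === 0) return null;                               // step 1
  if (pw.length > 1) return { password: pw[0], username: null };  // step 2
  if (fields.length <= 3) {                                       // step 3
    return { password: pw[0], username: textFieldAbove(fields, pw[0]) };
  }
  // Step 4: pick by field name, hints tried in the report's preference order.
  for (const hint of USERNAME_HINTS) {
    const i = fields.findIndex(f => f.type === 'text' &&
      f.name.toLowerCase().replace(/[_-]/g, ' ').includes(hint));
    if (i !== -1) return { password: pw[0], username: i };
  }
  return { password: pw[0], username: null };
}

// Constructed sample forms.
const login = [{ type: 'text', name: 'login_id' }, { type: 'password', name: 'pw' }];
const checkout = [
  { type: 'text', name: 'card_number' }, { type: 'text', name: 'expiry' },
  { type: 'text', name: 'postcode' }, { type: 'password', name: 'cvv' },
];
const profile = [
  { type: 'text', name: 'city' }, { type: 'text', name: 'phone' },
  { type: 'password', name: 'new_password' }, { type: 'password', name: 'confirm_password' },
];
for (const [label, form] of Object.entries({ login, checkout, profile })) {
  console.log(label, describedFill(form), proposedFill(form));
}
```

On the checkout and profile forms the described behaviour selects a non-username text field (`postcode`, `phone`) as the username target, while the proposed steps leave the username unfilled.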