Closed Bug 534056 Opened 15 years ago Closed 14 years ago

Master Password asked by password manager regardless of how user intentions are

Categories: Toolkit :: Password Manager, defect
Platform: x86, All
Type: defect
Priority: Not set
Severity: normal

Status: RESOLVED DUPLICATE of bug 400680

People: Reporter: chrizio, Unassigned

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.0; de; rv:1.9.0.15) Gecko/2009101601 Firefox/3.0.15 (.NET CLR 3.5.30729)

OS - irrelevant
Affected Version 3.0.x, 3.x. No idea about older versions

Reproducible: Always

Steps to Reproduce:
1. Password Manager enabled
2. Master Password created
3. Visiting some http url. The content - quite normal. But the site includes
   also the user-name and password controls/fields from some sign-on service
   supported by this site
4. The user is not interested in using the sign-on service offered by the site.
   He/She only wants to view the content.

Actual Results:
Firefox asks for master password as soon as the url opens. Every time the user navigates back to this url by pushing the back button. Or if the page shows search results with shortcuts to next pages of search results - every time user navigates to new search results page. Or if it is a forum web - on entering a discussion topic and going back to (sub-)forum overview.

Expected Results:  
Password manager should not ask for the master password until the user places the insertion cursor in the account name control/field or in the password control/field.

It's really annoying if you don't want to enter your master-pass (for example you demonstrate some topics on the forum to a 3rd person), on each redirect, on each new page of the same site, even if you've clicked "cancel" when Fx asked to fill in master-pass - you will get a new prompt. And that really annoys.

OS: Windows Vista → All

I confirm this bug exists; twitter.com and 4shared.com are two top examples of the many sites where this happens.

This happens because every page on those sites has a quick login form. Obviously this may be handy for some, but for others it is a rarely used feature given that such sites have most of their content publicly available and logging in has the sole purpose of updating one's profile and own content.

The annoyance of this bug is further increased by the master password dialog being modal (i.e., won't allow the browser to be used while an answer isn't given to the dialog).

Note this bug only manifests itself if the user hasn't used the Password Manager previously during the session or if he has just cleared private data and forgot to see a quick thing before closing the browser.

One workaround would be to simply enter the master password to make Password Manager happy, but this would unnecessarily decrease security.

Some suggestions for a fix:
1) As in comment 1, launch the Manager only when focus is given to the site's password field.
2) Add a "Not now" button to master password dialog, that would disable the feature for that site temporarily. The dialog should only be displayed again if the user gives focus to a password field as above, or if he navigates away from the site and then back to it.
3) Transform the master password dialog into a non-modal one or even into a top notification bar.

Best regards, petruc.

Some errata to comment 1:

In suggestion #1, where it reads "comment 1", please consider chrizio's "bug description" instead.

In suggestion #2, there is no need for a new "Not now" button. The described behavior of such new button should be associated to the "Cancel" button itself. And that "Cancel" button could even be renamed "Not now" in order to improve usability.

Still in suggestion #2, if site exiting detection is to be implemented, please consider only the server main domain, not complete sub-domains as Password Manager does. Many sites use username.example.com URL structure and we don't want navigating from a user page to another one inside such sites to pop up master password dialog repeatedly. The dialog should appear only if the user goes to a completely different site and then comes back, or if he focuses a password field even if he didn't exit the site.

All the best, petruc.
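
The prompting rules proposed in suggestion #2 and its errata (Cancel behaves as "Not now", sites are compared by main domain rather than full sub-domain, and focusing a password field always asks again), as an added sketch that is not part of the thread and not Firefox code. `PromptPolicy`, `baseDomain` and the suffix sample are hypothetical names and data chosen for illustration.

```javascript
// Added sketch, not Firefox code. All names here are hypothetical.
// Constructed suffix sample; a real check needs the Public Suffix List.
const SUFFIXES = new Set(["com", "org", "co.uk"]);

// "Server main domain": the longest known suffix plus one label to its left.
function baseDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length - 1; i++) {
    if (SUFFIXES.has(labels.slice(i + 1).join("."))) {
      return labels.slice(i).join(".");
    }
  }
  return host.toLowerCase();
}

class PromptPolicy {
  constructor() {
    this.unlocked = false;    // master password entered this session
    this.currentSite = null;  // base domain of the page being viewed
    this.declinedSite = null; // site where the user chose Cancel ("Not now")
  }

  // Called on every page load; returns true if the dialog should open.
  onNavigate(host, hasLoginForm) {
    const site = baseDomain(host);
    // Going to a different main domain ends the "Not now" suppression.
    if (site !== this.declinedSite) this.declinedSite = null;
    this.currentSite = site;
    return hasLoginForm && !this.unlocked && this.declinedSite !== site;
  }

  // Focusing a username/password field is explicit intent: always ask.
  onPasswordFieldFocus() {
    return !this.unlocked;
  }

  // entered = true if the user typed the master password, false on Cancel.
  onPromptResult(entered) {
    if (entered) {
      this.unlocked = true;
      this.declinedSite = null;
    } else {
      this.declinedSite = this.currentSite;
    }
  }
}
```
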

Component: Security → Password Manager
Product: Firefox → Toolkit
QA Contact: firefox → password.manager

> Some suggestions for a fix:

or 4) don't try to fill in passwords unless the user shows an explicit intention to do so (various enhancement requests).

One way to do this is to set the pref signon.autofillForms to false, but then you run into bug 400680. The new Account Manager UI might resolve this, too, but I don't know if that's going to make Firefox 4 or not.
http://hacks.mozilla.org/2010/04/account-manager-coming-to-firefox/

Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE