Closed Bug 536140 Opened 13 years ago Closed 9 years ago

Multiple Master Password Prompts if multiple Addons use the Software Security Device

Categories

(Core :: Security: PSM, defect)

Product:
Core
Component:
Security: PSM
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

()

Status:
RESOLVED DUPLICATE of bug 177175

People

(Reporter: benjamin-schwarz, Unassigned)

Details

(Whiteboard: [psm-roadblock]) 

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.2b5) Gecko/20091204 Firefox/3.6b5

If there are one or more addons installed, which use the master password to protect login data, this triggers multiple master password prompts on startup.

For me these extensions are: Read It Later, Secure Login, Test Pilot(?), Weave.
But it also occured with different extensions installed.

Reproducible: Always

Steps to Reproduce:
1. Install two or more addons which use the Software Security Device
2. Close Firefox and start it again
Actual Results:  
Multipe Master Password Prompt popups appear on startup.

Expected Results:  
Only one Master Password Prompt should appear.

The first release where i recognized this bug was FF v3.5 on WinXP/Vista/7.
This is true in Thunderbird 3.0 too.
S.O.: Linux OpenSuSE 11.2
Installed addons: Lightning 1.0b1, Google Calendar Provider 0.6b1
I get 4 master password prompts everytime I start firefox.  I have the gmail manager 0.6 add-on installed and a number of other add-ons as well (google gears, toolbar, etc..)  It's somewhat annoying.  

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2) Gecko/20100115 Firefox/3.6 GTB6 (.NET CLR 3.5.30729)
I observe the same behavior here for all FF versions I used. I always start up FF with some open tabs that are reloaded automatically. If three of these tabs contain fields which are filled via saved passwords I get three times the master password popup if I am not fast enough to enter it immediatelly :-(

I would expect to get one master password request popup for all tabs which need the master password and not for each tab a seperate one.
I can confirm this behavior for Thunderbird 3.0.3 (exact version see below).

I get 3 master password prompts every time I start Thunderbird. But just using the plugins "Enigmail" and "Lightning". 

Mozilla/5.0 (Windows; U; Windows NT 6.1; de; rv:1.9.1.8) Gecko/20100227 Lightning/1.0b1 Thunderbird/3.0.3
I can confirm this behavior for Thunderbird 3.0.4, with Lightning 1.0b1 as the only addon, on Windows XP SP3 (full version string: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.1.9) Gecko/20100317 Lightning/1.0b1 Thunderbird/3.0.4)

I receive 9 master password prompts at startup. 1 for the email account, 5 for  CalDAV connections to a Zimbra server and 3 for CalDAV connections to Google Calendar. This issues seems to have something to do with how Lightning 1.0b1 communicates with the Software Security Device.
Assignee: nobody → kaie
Component: General → Security: PSM
Product: Firefox → Core
QA Contact: general → psm
Confirmed. I have multiple logged in tabs and windows which may also be a trigger, but certainly I have addons mentioned such as readitlater and weave.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Confirmed (Ubuntu 10.04, Firefox 3.6.3), three password prompts.  I suppose this is due to multiple tabs needing login credentials, and probably the Xmarks plugin.
Confirmed - TB 3.0.4 with lightning 1.0b1 + Provider for Google Calendar 0.6b1
FF 3.6.4 - multiple tabs that asked for passwords makes FF displays master password prompt multiple times.
I believe this is the same core issue as bug 177175.

Unless you disagree, we should mark this as a duplicate of bug 177175.
Assignee: kaie → nobody
Whiteboard: [psm-roadblock]
I disagree. bug 177175 is about timing of the access from a component. This bug is about startup behavior of master password in general.
I think the root cause is the same: more than one thing needs the password decoded and each results in a new dialog instead of attaching a listener to the existing one.
The process of each of them seems different to me, however if the same code is the trigger then the root cause could be considered the same. As the steps to reproduce are so different then unless this can be confirmed to be the same code triggering then I do not think they can be classed as the same - for the developers to decide. Apart from anything these are clearly two different test cases.

I do wish this bug were tacked on as a security risk, sitting here typing the master password in 10 times when I start FF creates a much higher risk of people nearby observing. It takes away the ease of typing it in at a safe moment.

Perhaps a solution would be to request the master password (and wait) before launching any windows or plugin processes
Please try the following as a workaround (which I agree is still ugly):

- enter the master password into the topmost prompt
- for each of the remaining prompts, it may be sufficient to simply press
  enter (without entering the password)

This works for me, if I get more than one prompt at startup of thunderbird.
I tried to implement a solution, could you please test the patch at bug 177175 attachment 454051 [details] [diff] [review] and give feedback?
In addition, such behavour is also confusing, because the prompt windows are position one over another and once entered password in one, it shows next prompt windows as if you entered a wrong password. In fact, it's pretty much impossible to tell if the password was entered correctly or not...

The bug still present on FF 3.6.8
Extremely annoying. I have close to 10 password prompts whenever I start TB. #177175 originates in 2002! Hope that a working patch makes its way into the core soon. For the time being I have switched off my master password in TB.
I think, the description should be changed, because it's more common root problem. As someone mentioned (and has it happens to me), it shows multiple prompts not only with addons but also with multiple pages with saved passwords open. And worst thing is, that prompts are shown one atop another, new ones appearing at the middle of inputting password. Show, part of a password ends up in one prompt and part in another. It is worse, if I use both Firefox and Thunderbird and start them up at the same time. Then, it's impossible to understand at first, from which program the prompt is from (at leas for me prompts appear sometimes on top of another programs window, if I have switch to another program.
I open up Firefox with 2 Tabs that require passwords. What really is anoying: When I start to type the password the next 'passowrd required' Dialog pops up and steals the focus. Thus it's nearly impossible to type the password correct in the first time. 

When I typed in one time the password correctly and cancel the other dialogs, I can reload the tabs and authentification works properly.
This is the most annoying behavior in firefox I know. I installed SessionManager addon, and not even bother to close firefox regular and just kill it every time. This way I get the crashed session dialog that asks only once for a password and restore then.

Having multiple master password dialogs even cause deadlocks in firefox as they seems to get exclusive keyboard access and not all the time right. Wenn they open like 9 master password dialogs, i often can't enter the password in any of them, or all of them do not close on ok. Not even the last one popped up. Cancel wont work, but closing the dialog does. This causes firefox to wait on the result forever, leading in a deadlock situation in the rendering threads.
Why this bug report status is still "new"?
The bug has been fixed in FF4 for months already...
Has anyone of you tried Firefox 4 beta and can report whether this bug is fixed or still present? Thanks

(related: bug 177175)
It works fine. In FF4 now MP prompt shows only once. If MP prompt is already opened and another window/tab needed MP, it will do nothing, however once user entered correct MP it will use it in the second window/tab. So on startup only one MP prompt shows. This seems to only affect web pages, view passwords for instance will show independent MP prompt if needed. And entering correct MP in that prompt will not close/accept MP prompt opened by a webpage - now that should be fixed.
If you still see this bug with Firefox 4, please give us a list of your addons, so we can reproduce the problem.
No addons.
Here is how to reproduce it:
Open Firefox options window, leave it open. Open a webpage with stored login information and wait for MP prompt. Leave the MP prompt opened and switch to options window, click on security -> saved passwords it will open second MP prompt.

Now, if you do it in reverse: options -> security -> saved passwords, leave MP prompt opened and visit a website with stored login, it will NOT popup second MP prompt and once password accepted it will open the saved password window AND fill up the login form.
I see that some recent posts are claiming this is resolved in FF 4, but I just want to put a reminder out there that this is not resolved in Thunderbird yet.  I have the Enigmail and Lightning addons.

Mozilla/5.0 (Windows; U; Windows NT 6.1; en-US; rv:1.9.2.17) Gecko/20110414 Lightning/1.0b2 Thunderbird/3.1.10
Enigmail version 1.1.2 (20100629-1412)
This same problem happens for me in Firefox 7 and each version since the original report. This has definitely not been fixed.

I regularly get up to 3 password prompts at Firefox startup caused by probably two addons and perhaps a tab with a log in page (depending on session restored).

Probable addons causing this:

Session Manager
Read It Later
I have not had this problem in quite a while, certainly some things were fixed. I still use Session Manager - but interestingly I used to use Read It Later but no longer do, instead using Instapaper, so that is quite possible. Perhaps try to disable that plugin and respond if anything changed..
I'd like to add that Thunderbird 11 still experiences this issue.  It reared it's head once I'd installed the Exchange 2010 calendar provider for lightning (being the first extension I've installed and saved a password on).
One way to replicate this bug is to start thunderbird, then leave leave the master password prompt hanging for your input, then come back in a few minutes and you will keep getting re-prompted (depending on how long you left it) to enter the master password.  This works with addons disabled.
Seriously - We're at Firefox v12, three years since this bug was created, and I still get five "Enter Master Password" prompts when I launch firefox.exe?

Seriously - think of how bad it looks from a security perspective...  Five "Enter Master Password" windows pop up at one time!  To an average user, this looks scary.

Can someone please fix this?
The issue is still with Firefox 13.  Can this not be also treated as a performance issue - as it impacts the users ability to use Firefox?  Dietrich can you assist?
I've no experience with this code.

Cc'ing Dolske since IIRC he was involved in work to make some other password prompts not re-prompt, way back in the day.
This is still buggy in Firefox 17.
1) Website needs credentials -> Masterpassword prompt
2) wait a little, addon needs Masterpassword -> second Masterpassword prompt

3) Enter password in second prompt and cancel first -> Website login fails, although Masterpassword was provided. 
If we cannot prevent multiple masterpassword prompts then maybe we can improve a little by promptless testing whether loginmanager access "works" even when the user canceled "my" prompt? Maybe this is a stupid idea...
I'm seeing this on Fedora linux.  It's particularly annoying under Gnome because the second password dialog appears right on top of the first one, attached to the same window frame.
Confirmed for Thunderbird 17.0.2 and lightning with google calendar provider.

Very annoying.
Confirmed for Thunderbird 17.0.3 and lightning 1.9 with google calendar provider 0.18.
Still in firefox 19 on Fedora 18.
Confirmed for Thunderbird 17.0.5 with Lightning 1.9.1 under Win 7 64bit.

Meanwhile I've deinstalled Google Calendar provider and use CalDav, like proposed in https://bugzilla.mozilla.org/show_bug.cgi?id=682474, which resolves the issue for me. Therefore no updates by me anymore.
Confirmed for Thunderbird 17.0.5 with Lightning 1.9.1 under Win 7 64bit

Installed TB add-on StartupMaster and now it prompts a single time for the master password.
Confirmed double master pwd prompt when using Thunderbird 24.0 and Lightning 2.6 on Windows 7 64-bit.

Workaround is to use StartupMaster - although I'm a bit concerned about the addon warning: this can be easily circumvented using safe mode
Confirmed double and double and double master password prompt Thunderbird 24.1.0.
OS: Windows 7 → All
I am getting multiple password prompts everytime I start firefox 26. 

Its most annoying because they popup and steal the focus (Bad, popups should never steal focus) once focus is stolen you don't know what you typed into which password box so you have to close all except the last and restart entering the password. 

Also as each popup loads in exactly the same position as the last one moving them before typing fails to give a visual clue. with several popups appearing.

This is most annoying.

Starting with a blank page is not an option.

How about the api for the master password uses a mutex if its called more than once. Then when submitted the result can be returned to all callees. 

Better still when the dialog pops up make it lock all mutexes so no other firefox process can run till its complete. That may improve security.
Confirmed for Firefox v26 (win7 x64).

*Settings*
I have installed serveral security addons (besides Master Password+):
a) Quick Passwords
b) Secure Password Generator
c) Saved Password Editor
d) NoScript

*Reproduction*
I have enabled master password prompt before Firefox windows to show up. Sometimes it is possible to enter Firefox by cancelling master password prompt at startup, and wait a certain time to try again successfully.
I think this is a dup of bug #177175 ?
Yeah, it is.
Status: NEW → RESOLVED
Closed: 9 years ago
Resolution: --- → DUPLICATE
Confirmer this behavior (ask many passwords according amount of installed plugins) in 24.4.0 on Ubuntu Linux 13.10.
A bit of extra info:
On Win 8.1-64 Pro, FF does ask for only one master password (now 34.0.5) and always did so for me, with several addons and many tabs reopened at start.
On the other hand, Thunderbird (and this is how this thread started, hasn't it?) is indeed very annoyingly systematically requesting multiple master password encoding (about a dozen, in my case) for the last bunch of versions (maybe a year or more).
It does sport addons (Lightning, Google cal sync, Google contacts sync, etc), AND it opens as well several (5) email accounts.
The very purpose of the *master password* is thus defeated.
Any progress on this front?
Happens to me to each time I launch FF. Very annoying!

Seems like each tab asks for this password separately instead of checking if dialog is already opened. I start typing the password and it opens and focuses next dialog which means I type half password in one and one in another dialog... So amateur I can not even believe it is happening!

This shouldn't even be a classic dialog but a simple field somewhere at the bottom (like find-in-page field), so I am not obligated to enter it if I don't want to! FF is perfectly operable even without entering this password...

Specs: 
 Win 7 x64 SP1, FF 34.0.5
 Os X Mavericks, FF 34.0.5
Confirmed with Thunderbird: 38.8.0
with Lightning: 4.0.5.2
and Exchange EWS Provider: 3.7.0
on Linux: Ubuntu 14.04.4 LTS

With Lightning and EWS plugins enabled I get 3 prompts for the master password. After disabling Lightning I get 1 as expected.
(In reply to wk.a564 from comment #49)
> Confirmed with Thunderbird: 38.8.0
> ...

Sorry, wasn't awre that this one is closed as dup.
You need to log in before you can comment on or make changes to this bug.