Passwords can be read in just 4 clicks

RESOLVED DUPLICATE of bug 259996

Product: Firefox
Component: Preferences
Severity: major
Version: 3.6 Branch
Reporter: mastertrick
Assignee: Unassigned

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6

In Firefox, saved passwords are shown just by clicking on "Show passwords", without asking for any special permission or password, which does not prevent any application, extension or trojan from taking advantage of this vulnerability to steal the passwords in the default Firefox configuration, which leaves many Firefox users with the master password feature off.

Its jurisdiction is Internet Explorer by default encrypted passwords and access to them is necessary to use external programs. I describe this to suggest that the passwords you save in Firefox should be encrypted.

Reproducible: Always

Steps to Reproduce:
1. Tools
2. Options
3. Security
4. Saved Password
5. Show password
6. ---> Here should be an extra "Firefox password" to prevent password theft caused by any application or extension


Expected Results:  
Master password enabled by default, UAC alert/advice or something similar requiring typing a password
(Reporter)

Updated

8 years ago
Severity: normal → critical
Version: unspecified → 3.6 Branch
(Reporter)

Updated

8 years ago
Severity: critical → major
This is a conscious design decision: the theory is that hiding this ability will cause users to assume their passwords are safe when instead unless a "master password" is used they are trivially accessible to anyone with access to the file. Personally I would prefer an approach that more directly educated users on the need for a master password.
Status: UNCONFIRMED → RESOLVED
Last Resolved: 8 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 259996
Group: core-security

Comment 2

8 years ago
Please read https://bugzilla.mozilla.org/show_bug.cgi?id=259996#c54 for analysis of this 'conscious design decision' as it fails to address the fuzzier world that less binary-thinking users inhabit.

It is possible to have Master Password used merely to protect this list, for the many reasons exampled on that 6 year old bug listing and its 17 duplicates.

To highlight the 'consciousness' behind that decision: Daniel has written:
> Let me see if I'm understanding this correctly:
> - you have passwords worth stealing
> - your machine is physically insecure
> - in a location with people who might want those passwords

Answers by most normal Firefox users:
Yes, of course we have passwords worth stealing.  Facebook/email/banking
Yes, our machines are available for occasional use by friends/colleagues if that's what YOU call insecure (perhaps the user rather than the machine is insecure!)
Yes, we'd love each other's Facebook password... for a laugh.  Plus we get to see all other passwords at the same time.

Must we use the pain in the **** Master Password universally rather than for this one security purpose?