Closed Bug 580432 Opened 14 years ago Closed 14 years ago

Passwords can be read in just 4 clicks

Categories

(Firefox :: Settings UI, defect)

Product:
Firefox
Component:
Settings UI
Version:
3.6 Branch
Type:
defect
Priority:
Not set
Severity:
major

Tracking

()

Status:
RESOLVED DUPLICATE of bug 259996

People

(Reporter: mastertrick, Unassigned)

Details

User-Agent: Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 6.1; es-ES; rv:1.9.2.6) Gecko/20100625 Firefox/3.6.6 Using firefox there is the problem that only shows saved passwords clicking on show passwords without asking for any special permission or password, which does not prevent any application, extension or trojan to take advantage of this vulnerability to steal the password to the configuration firefox default which is the left many firefox users to leave off using the master password feature. Its jurisdiction is Internet Explorer by default encrypted passwords and access to them is necessary to use external programs, I describe this to suggest that the passwords you save firefox should be encrypted. Reproducible: Always Steps to Reproduce: 1.Tools 2.Options 3.Security 4.Saved Password 5.Show password 6. ---> Here should be a extra "firefox password " to prevent password theft caused by any application or extension Expected Results: Master password enabled by default , UAC alert/ advice or something similar requiring typing a password
Severity: normal → critical
Version: unspecified → 3.6 Branch
Severity: critical → major
This is a conscious design decision: the theory is that hiding this ability will cause users to assume their passwords are safe when instead unless a "master password" is used they are trivially accessible to anyone with access to the file. Personally I would prefer an approach that more directly educated users on the need for a master password.
Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → DUPLICATE
Group: core-security
Please read https://bugzilla.mozilla.org/show_bug.cgi?id=259996#c54 for analysis of this 'conscious design decision' as it fails to address the fuzzier world that less binary-thinking users inhabit. It is possible to have Master Password used merely to protect this list, for the many reasons exampled on that 6 year old bug listing and it's 17 duplicates. To highlight the 'consciousness' behind that decision: Daniel has written: > Let me see if I'm understanding this correctly: > - you have passwords worth stealing > - your machine is physically insecure > - in a location with people who might want those passwords Answers by most normal Firefox users: Yes, of course we have passwords worth stealing. Facebook/email/banking Yes, our machines are available for occasional use by friends/colleagues if that's what YOU call insecure (perhaps the user rather than the machine is insecure!) Yes, we'd love each other's s facebook password... for a laugh. Plus we get to see all other passwords at the same time. Must we use the pain in the **** Master Password universally rather than for this one security purpose?
You need to log in before you can comment on or make changes to this bug.