Bug 589628 - Password manager should support subdomains with the same password
Status: NEW
Product: Toolkit
Classification: Components
Component: Password Manager
: Trunk
: All All
: -- normal with 8 votes
Assigned To: Nobody; OK to take it and work on it
: Matthew N. [:MattN] (PM me if requests are blocking you)
Mentors:
Depends on:
Blocks: 1266655
Reported: 2010-08-22 16:31 PDT by mlissner@michaeljaylissner.com
Modified: 2016-08-23 11:18 PDT


Attachments
Bug 589628 - Broaden search criteria to include subdomains in context menu. (58 bytes, text/x-review-board-request)
2016-08-23 10:49 PDT, Saad Quadri [:saadq]

Description mlissner@michaeljaylissner.com 2010-08-22 16:31:40 PDT
User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9pre) Gecko/20100814 Ubuntu/10.04 (lucid) Firefox/3.5.2
Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.9.2.9pre) Gecko/20100814 Ubuntu/10.04 (lucid) Firefox/3.5.2

I run into this problem constantly, and it's quite irritating. What happens is that I save my password for a site at www.example.com, which works well. Then, I get an email from the site that says, "Log into our site at https://login.example.com." 

So, I click the link, and suddenly, I lack a password for the site. Next, I wonder, did I save the password for this site properly, or not? Better check if it's in the password manager under a different domain. So, I open it up by clicking the favicon button and then the "More Information" button, and then the "View Saved Passwords" button. Happily, this box is already filled in with the domain name and subdomain, so I delete the subdomain in the filter box, and then click the "show passwords" button, confirm that I want to do so, and FINALLY, I have the password I wanted.

This can be completely avoided, if the auto-complete box for the site had a better implementation. I have a bunch of solutions for this:
1. Maybe, I should be able to save password for all domains, such that *.example.com is in the password manager. This could be done either by default, through a button on the "Remember password" prompt, or via manual editing in the password manager window.
2. Another option could be to have the password auto-complete on subdomains other than the one that it was originally saved for. So, if I save the password at www.example.com, and then go to login.example.com, the password auto-completes, anyway. Using something to mark the box with the subdomain that was used would be even better. So, maybe the password box is filled with www-******* rather than the usual ********, or is flagged in some similar way.

I'm not alone in this problem, so I'm surprised I'm the first to file this bug. There are already two Q&A's about this on Superuser.com:
http://superuser.com/questions/49543/default-username-and-password-for-example-com
http://superuser.com/questions/68053/firefox-save-username-password-for-all-sub-domains

Reproducible: Always
Comment 1 colin 2011-01-01 13:15:32 PST
I would like it to support the editing of the domain used in the password store to where you could change where the password is used, like for example changing my http://username.deviantart.com/ to http://*.deviantart.com/ and have the browser recognize it no matter where I was.

It is annoying on many sites of that nature in which you know you have a login for the site, but because it's so specific to a subdomain, you have to go through a couple of extra steps to get logged in, and the site doesn't return you to the page you were on, so you have to get back to the page you were on, then force a refresh so the browser gets the page logged in.
Comment 2 Martin Dawson 2011-10-31 11:25:37 PDT
I would like to see this fixed also. A large number of blog- and gallery-type sites use the "username.sitename.com" format. Having Firefox ignore the subdomain should at least be an option.

Steps to reproduce:
1. Erase all passwords saved for *.deviantart.com.
2. Go to www.deviantart.com and log in. Save the password when prompted.
3. Log out
4. Return to the Deviantart homepage.
5. Click Log On. The saved password does auto-populate. (Do not complete login.)
6. Go to any artist's subdomain site (artistname.deviantart.com).
7. Click Log On. The saved password does not auto-populate.
Comment 3 Sparhawk 2012-01-30 13:32:14 PST
Another example of this is slashdot.org, news.slashdot.org, science.slashdot.org, entertainment.slashdot.org, etc. Quite annoying.
Comment 4 WBT 2012-02-12 13:30:18 PST
This is the opposite of Bug 613166.
Also, subdomains of a higher level domain should use the password for that higher level.  For example, I can log in to bugzilla.mozilla.org with a saved password, but not www.bugzilla.mozilla.org (and I do find it a bit odd that the Bugzilla cookie recognizing my login is not recognized if I'm using the www. subdomain).
Comment 5 Vellmont 2012-04-18 10:42:06 PDT
Assuming different subdomains all use the same username/password combo is a bad idea.  This might be true for a lot of outwardly facing commercial sites like eBay or Slashdot that only have one login.  The problems are going to start for any internal sites with multiple different subdomains and different passwords for each.

Large organizations commonly have internal systems with differing logins for different systems, many of which are differentiated by subdomain.  You're going to create a much larger problem if you just start assuming that these subdomains all share common usernames and passwords.

IMO it's far better to be cautious about assuming same username/password and limit it to at most a single FQDN.  If a user loads a site with the username/password filled out incorrectly they're much more likely to be confused and frustrated when they get bad login errors than they would be if the fields are simply blank.
Comment 6 Martin Dawson 2012-04-18 10:49:55 PDT
(In reply to Vellmont from comment #5)
You make a valid point, but perhaps the problem could be better solved with a hierarchical structure. For instance, the password saved for www.wikia.com would apply across all *.wikia.com addresses unless there is a "better match" saved for a specific subsite, like starwars.wikia.com.
Comment 7 Vellmont 2012-04-18 11:01:44 PDT
I think that'd only slightly mitigate the problem, as it assumes you've logged into each subdomain correctly before.  When you log in to a new subdomain, you'll still get the potentially misleading username/password filled in.

One idea would be to add a feature where applying the remember authentication data to an entire domain would be user selectable after login, defaulting to not.  i.e. Remember password for all of example.com.  

(It's really hard to know if the average user really would understand what this means though)
Comment 8 colin 2012-04-18 12:31:36 PDT
This would be something more along the lines of an advanced user option, and

A) something that should only be done in the password manager itself, and only if it finds multiple *.example.com entries with the same username and password stored in them. 
B) would also be done in password manager itself offering the option to modify "use this log in information across this whole domain".

Then also, the need to handle the following is needed as well, when the user has several different usernames and passwords, but used across the whole *.example.com structure.
Comment 9 Sparhawk 2012-04-18 17:27:03 PDT
(In reply to Vellmont from comment #5)
I agree that it should not save all *.example.com as default, but perhaps, as colin suggests, it could be intelligent about this if multiple matches are found. Even better would be to automate this on-the-fly. When the user saves the same username/password for another *.example.com url, perhaps a dialogue box could pop up, asking if the details should be extended to all of that second-level domain.

At the very least, it should be possible to manually change the entry in the password manager from www.example.com to *.example.com.
Comment 10 WBT 2012-04-19 07:01:47 PDT
Extra dialogue boxes should be avoided where possible, and it's possible here.
Example: 
User enters information into sub1.maindom.com for the first time. 
Firefox asks (paraphrased here) "Do you want to save the password for this site?" with options "yes," "not now," and "never for this site." 
We could replace the original "yes" with  options "yes, for all of sub1.maindom.com", "yes, for the sub1.maindom.com level only", "yes, for all of maindom.com." [or use "*." instead of "all of "] and put the option that the current "yes" corresponds to in bold. 

Any solution here needs to account for the fact that subdomains can be nested quite deep; e.g. see my Comment 4 about logins at www.bugzilla.mozilla.org being different than bugzilla.mozilla.org.
Comment 11 WBT 2012-04-19 07:04:33 PDT
...and I would add options for each of the domain levels from one-below current to a TLD or maybe even one less than that (e.g. it doesn't make sense to have a login saved for all *.co.uk sites).

I also echo Sparhawk's idea in Comment 9:
> At the very least, it should be possible to manually change the entry in the
> password manager from www.example.com to *.example.com.
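
The hierarchical lookup proposed in comments 6, 10 and 11 (most specific entry wins, wildcard scopes stop above the public suffix), as an added example; it is not Firefox code and not from any participant in this bug. The `*.domain` scope strings follow the thread's notation, while the function names, the three-entry suffix set and the sample entries are assumptions made for illustration.

```javascript
// Constructed stand-in for the Public Suffix List (assumption: a real
// implementation would consult the full list, not this three-entry sample).
const SAMPLE_PUBLIC_SUFFIXES = new Set(["com", "org", "co.uk"]);

// Registrable domain = public suffix plus one label; null when the host is
// itself a public suffix or ends in no suffix from the list.
function registrableDomain(host, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  const labels = host.toLowerCase().split(".");
  for (let i = 0; i < labels.length; i++) {
    if (suffixes.has(labels.slice(i).join("."))) {
      return i === 0 ? null : labels.slice(i - 1).join(".");
    }
  }
  return null;
}

// Scopes a login for `host` may be saved under, most specific first: the
// exact host, then "*.<domain>" (the domain and everything below it) for the
// host and each parent, stopping at the registrable domain.
function saveScopes(host, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  const name = host.toLowerCase();
  const base = registrableDomain(name, suffixes);
  const scopes = [name];
  if (!base) return scopes; // never offer a wildcard over a public suffix
  const labels = name.split(".");
  const minLabels = base.split(".").length;
  for (let i = 0; labels.length - i >= minLabels; i++) {
    scopes.push("*." + labels.slice(i).join("."));
  }
  return scopes;
}

// Most specific saved entry for `host`. Anything other than an exact-host
// entry is flagged inherited so the UI can offer it rather than fill it.
function findLogin(host, saved, suffixes = SAMPLE_PUBLIC_SUFFIXES) {
  for (const scope of saveScopes(host, suffixes)) {
    const hit = saved.find((entry) => entry.scope === scope);
    if (hit) return { ...hit, inherited: scope.startsWith("*.") };
  }
  return null;
}

// Constructed sample store (hypothetical entries, no real credentials).
const SAVED = [
  { scope: "*.wikia.com", username: "alice" },
  { scope: "starwars.wikia.com", username: "alice_sw" },
  { scope: "*.co.uk", username: "must-never-match" },
];
```

The `inherited` flag lets a caller leave the field blank and list the entry in autocomplete, which speaks to the wrong-prefill concern in comment 5.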
Comment 12 WBT 2012-04-19 07:08:33 PDT
...and that the manual changing of the entry is something that cannot be done by a web page, maybe not even add-ons (at least add-ons should not be able to change the base domain).  That's for security, so a hacker can't change your banking/Paypal password to apply to his domain and get your information without your knowledge.

Also, there are third-party password managers available for any super-frustrated people reading this bug who want a fix ASAP.
Comment 13 Sparhawk 2012-04-19 07:44:31 PDT
(In reply to WBT from comment #12)
> Also, there are third-party password managers available for any
> super-frustrated people reading this bug who want a fix ASAP.
Do you mind posting some of these links?
Comment 14 WBT 2012-04-19 10:10:36 PDT
Well, the two that come to mind most readily are Abine (http://abine.com/ - which has a nice bundle of features) and LastPass (https://lastpass.com/).  You can search add-ons for "password manager" or similar terms to find additional choices.
Other people may reply to this comment and add other tools.

I can't vouch for any of these in terms of functionality, security, etc - I use FF's password manager and even disabled the one in Abine.  You should check the details, security, policies, etc. of any password management system before using it, knowing who has access to all your passwords as well as where and how they're stored.
Comment 15 Sparhawk 2012-04-20 23:47:46 PDT
(In reply to WBT from comment #14)
Thanks for that. I actually do use Abine already, but apparently the password management part is "Coming Soon". I've heard of LastPass too, which seems like a decent service, but not for me, as I don't like the idea of all my passwords being kept on a third-party server. I guess the FF bug is not such a massive deal that I'm willing to totally switch, unless there is an add-on that modifies the operation of the FF keyring/keychain.

Thank you for the suggestions anyway.
Comment 16 Chris Karlof [:ckarlof] 2015-01-08 13:29:31 PST
Recipes could help with this.
Comment 17 Sam Hall 2015-08-26 17:01:23 PDT
Just adding to this feature request, I'd similarly like the ability to ignore password manager for an entire domain. Even if it was just by allowing the user to manually edit the list of ignored sites in a similar manner as that which is described in comment 1.
Comment 18 Jonathan Nicol 2016-06-10 15:47:37 PDT
Adding on... I'd especially like to be able to update already-saved passwords for all subdomains of a particular domain. We have single-sign-on at work, and every 90 days when I'm forced to change the password, I have Firefox update popups for a week.

thanks
Jonathan
Comment 19 Matthew N. [:MattN] (PM me if requests are blocking you) 2016-07-14 20:34:47 PDT
(In reply to Jonathan Nicol from comment #18)
> Adding on... I'd especially like to be able to update already-saved
> passwords for all subdomains of a particular domain. We have single-sign-on
> at work, and every 90 days when I'm forced to change the password, I have
> Firefox update popups for a week.

See https://addons.mozilla.org/en-US/firefox/addon/mass-password-reset/
Comment 20 Matthew N. [:MattN] (PM me if requests are blocking you) 2016-07-14 20:36:37 PDT
We'll likely do this with user interaction via autocomplete and the context menu without built-in realms.
Comment 21 Matthew N. [:MattN] (PM me if requests are blocking you) 2016-07-14 20:36:50 PDT
*** Bug 1200472 has been marked as a duplicate of this bug. ***
Comment 22 Saad Quadri [:saadq] 2016-08-23 10:49:48 PDT
Created attachment 8784063 [details]
Bug 589628 - Broaden search criteria to include subdomains in context menu.

Review commit: https://reviewboard.mozilla.org/r/73638/diff/#index_header
See other reviews: https://reviewboard.mozilla.org/r/73638/
Comment 23 Saad Quadri [:saadq] 2016-08-23 11:18:53 PDT
Comment on attachment 8784063 [details]
Bug 589628 - Broaden search criteria to include subdomains in context menu.

Whoops, moving this patch to 1200472.