Closed Bug 675883 Opened 13 years ago Closed 13 years ago

When sync is on, and there's a master password, the master password dialogue keep popping up

Categories

(Firefox :: Sync, defect)

x86
Windows XP
defect
Not set
normal

Tracking

()

RESOLVED WONTFIX

People

(Reporter: szhorvat, Unassigned)

Details

(Whiteboard: [closeme 2011-09-15])

User Agent: Mozilla/5.0 (Windows NT 5.1; rv:8.0a1) Gecko/20110801 Firefox/8.0a1
Build ID: 20110801030916

Steps to reproduce:

Set up sync (make sure another device is present as well, so there's something to sync), set a master password, and restart the browser.


Actual results:

Upon browser startup, or soon after, the master password dialogue will pop up.  If "Cancel" is clicked, it'll pop up again after a while.


Expected results:

Firefox should sync if the master password has been entered previously, it should not sync if it has not been entered, but it should not explicitly ask for the master password (it's an annoyance).  This is how early versions of the sync extension behaved.

Notes: affected versions: at least 5.0-8.0
(In reply to Szabolcs Horvát from comment #0)
> This is how early versions of the sync extension behaved.

That might have been bug 530697. Not sure if it's still related.
Component: General → Firefox Sync: UI
Product: Firefox → Mozilla Services
QA Contact: general → sync-ui
Version: 8 Branch → unspecified
The current intended behavior is to prompt once after startup, and thereafter stay quiet unless you manually initiate a sync.

It's conceivable that Instant Sync has regressed in this regard, but I would be surprised.

QA, would you mind spending fifteen mostly idle minutes making sure that everything still behaves? I believe the contents of

  https://bugzilla.mozilla.org/show_bug.cgi?id=671422#c6

are still valid.

Thanks!
Whiteboard: [qa?]
Is there an option to change this behaviour and turn off the prompt (caused by sync) completely?  It is quite annoying.  I did not know it was the intended behaviour.

I definitely do get MP prompts even after having clicked Cancel, however I'll have to test again if that is indeed due to sync or some extension.  I only verified that the first MP prompt happens in a new profile.
(In reply to Szabolcs Horvát from comment #3)
> Is there an option to change this behaviour and turn off the prompt (caused
> by sync) completely?  It is quite annoying.

No, you can't change this behavior without disabling Sync. A single prompt per launch of the browser is not what we'd consider onerous.

> I definitely do get MP prompts even after having clicked Cancel, however
> I'll have to test again if that is indeed due to sync or some extension.  I
> only verified that the first MP prompt happens in a new profile.

The first master password prompt is intentional. We found that a lot of users would complain that Sync had not synced for weeks at a time, because we didn't prompt for their MP, and they would rarely unlock it. Prompting once and never again if you hit Cancel seems like a reasonable compromise, and makes it more likely that Sync will actually get a chance to run.

If you get precisely one MP prompt in a new profile, let me know and I'll resolve this bug. Any more, and we need to investigate further.
Whiteboard: [qa?]
Whiteboard: [closeme 2011-09-15]
(In reply to Richard Newman [:rnewman] from comment #4)
> (In reply to Szabolcs Horvát from comment #3)
> > Is there an option to change this behaviour and turn off the prompt (caused
> > by sync) completely?  It is quite annoying.
> 
> No, you can't change this behavior without disabling Sync. A single prompt
> per launch of the browser is not what we'd consider onerous.

Personally, I wouldn't use the word onerous as that describes difficulty.  Instead I would use a word like annoying, aggravating and perhaps unexpected.  I had to personally stop using Sync because of this ONE issue.  I'd prefer not to recount my aggravation directly, but I wrote many of my complaints somewhere else if you care to understand the problems.
http://support.mozilla.com/en-US/questions/792278

Other problems that I had not described are issues regarding other people that may use one of my several sync'ed computers.  They'll borrow my laptop to look at something on the web and randomly they'll get prompted for a password.  Of course they'll have no idea why.  It's a completely unexpected response from the browser and it cannot be ignored.


> The first master password prompt is intentional. We found that a lot of
> users would complain that Sync had not synced for weeks at a time, because
> we didn't prompt for their MP, and they would rarely unlock it. Prompting
> once and never again if you hit Cancel seems like a reasonable compromise,
> and makes it more likely that Sync will actually get a chance to run.

It's not that I can't understand this.  I cannot understand why it's not optional.  I would have been ecstatic with an about:config method of turning this off.  But all I read is, "it's intentional" and nothing more.

So I really have to ask.  Why isn't it an option?  In the UI or in the about:config page?  I read old bug reports in this system that decried the idea of annoying users with unexpected password prompts( #524221 )... but it was later forgotten and undone.
(In reply to Richard Newman [:rnewman] from comment #4)
> If you get precisely one MP prompt in a new profile, let me know and I'll
> resolve this bug. Any more, and we need to investigate further.

In a bit more than 15 minute's time I only got 1 prompt.  *If* it is indeed correct that sync is re-tried in 15 minutes, which I can't verify, then sync triggers only one MP prompt.

Tested with this build: http://hg.mozilla.org/projects/ux/rev/4831f2866c5a
(In reply to Jacob Johnson from comment #5)
> (In reply to Richard Newman [:rnewman] from comment #4)
> > (In reply to Szabolcs Horvát from comment #3)
> > > Is there an option to change this behaviour and turn off the prompt (caused
> > > by sync) completely?  It is quite annoying.
> > 
> > No, you can't change this behavior without disabling Sync. A single prompt
> > per launch of the browser is not what we'd consider onerous.
> 
> Personally, I wouldn't use the word onerous as that describes difficulty. 
> Instead I would use a word like annoying, aggravating and perhaps
> unexpected.  I had to personally stop using Sync because of this ONE issue. 
> I'd prefer not to recount my aggravation directly, but I wrote many of my
> complaints somewhere else if you care to understand the problems.
> http://support.mozilla.com/en-US/questions/792278
> 

Jacob, thank you for showing that I am not the only person affected by this.  My choice was also to stop using sync when I learned that it is unlikely that this will get fixed.

I really hope that this point will be reconsidered.  The people who made this choice obviously don't use sync the same way we do, or don't have a master password set.  However Mozilla is a large enough organization that it is able to do enough testing and research to cater for every use case.

While I understand the reason for the original decision, it is important that there should be an option to change this behaviour.  The current state both discourages the use of the master password (bad) and makes sync very inconvenient for those for whom an hour-to-hour sync is not essential (again bad).

Before closing this issue, please do try to use sync with a MP for a while to understand the situation better.
(In reply to Jacob Johnson from comment #5)

> I had to personally stop using Sync because of this ONE issue. 
> I'd prefer not to recount my aggravation directly, but I wrote many of my
> complaints somewhere else if you care to understand the problems.
> http://support.mozilla.com/en-US/questions/792278

I've read your concerns. Thanks for taking the time to write them up.

(Bugs are best if you expect a response, by the way. It's rare that I remember to check SuMo, let alone old answers on SuMo.)
 
> Other problems that I had not described are issues regarding other people
> that may use one of my several sync'ed computers.  They'll borrow my laptop
> to look at something on the web and randomly they'll get prompted for a
> password.  Of course they'll have no idea why.  It's a completely unexpected
> response from the browser and it cannot be ignored.

This is nothing to do with Sync. If you have Firefox remember passwords, and you've turned on Master Password, then this is what happens.

What alternative would you have occur?

This is exactly the same behavior as if you kept your Mac keychain locked and viewed a page in Safari.

Credential access is one of those things for which the user experience sucks. We hope to make it better over time (perhaps by avoiding situations in which it is required: e.g., by providing an easy way to switch users in the browser), but it'll probably never be delightful. And it's certainly nothing to do with Sync; the only time you'll get a MP prompt from Sync is the first sync after startup.


> > The first master password prompt is intentional. We found that a lot of
> > users would complain that Sync had not synced for weeks at a time, because
> > we didn't prompt for their MP, and they would rarely unlock it. Prompting
> > once and never again if you hit Cancel seems like a reasonable compromise,
> > and makes it more likely that Sync will actually get a chance to run.
> 
> It's not that I can't understand this.  I cannot understand why it's not
> optional.  I would have been ecstatic with an about:config method of turning
> this off.  But all I read is, "it's intentional" and nothing more.

Because if we add a config parameter it makes an already hard to test part of Sync even more complex, and that config parameter needs to be maintained, migrated, documented, etc. for years. This is a non-trivial cost for a tiny benefit to a tiny set of users. I could easily imagine that fewer than a hundred people worldwide would ever use it. Would you spend, say, 50 hours of expensive engineer and QA time per year to maintain this feature for less than a thousandth of a percentage of Firefox's user base?

> So I really have to ask.  Why isn't it an option?  In the UI or in the
> about:config page?  I read old bug reports in this system that decried the
> idea of annoying users with unexpected password prompts( #524221 )... but it
> was later forgotten and undone.

On the contrary; we've revisited Master Password interactions with Sync a number of times, and will continue to do so. We just have many more considerations to weigh against each other than you might think.
(In reply to Szabolcs Horvát from comment #7)

> I really hope that this point will be reconsidered.  The people who made
> this choice obviously don't use sync the same way we do, or don't have a
> master password set.

This decision was made with the input of a wide variety of users, both inside and outside MoCo, and the benefit of experience stretching back to the Weave days and beyond. One of the deciding inputs, in fact, was a user who observed that Sync often wouldn't sync for weeks because it *didn't* prompt for the master password. That's a massive source of user frustration: "hey, why are my bookmarks not syncing? where are my desktop tabs?". We opted to fix that rather than to have Sync simply stay quiet.

> However Mozilla is a large enough organization that it
> is able to do enough testing and research to cater for every use case.

I'd love to know where you get your facts from!

> While I understand the reason for the original decision, it is important
> that there should be an option to change this behaviour.  The current state
> both discourages the use of the master password (bad)

IMO, the usability of the master password system is what discourages use of the master password. I don't think a modal prompt to unlock on first sync is much more annoying than a modal prompt to unlock when first auto-filling a password.

> and makes sync very inconvenient for those for whom an hour-to-hour sync is not essential

Why do you say that?

Are you assuming that Sync prompts hourly?

Sync now does micro-syncs every time data changes ("Instant Sync"). If you were getting a MP dialog on every sync, you'd have one every time you browsed to a new page!

> Before closing this issue, please do try to use sync with a MP for a while
> to understand the situation better.

Believe it or not, we do.
(In reply to Richard Newman [:rnewman] from comment #8)
> (In reply to Jacob Johnson from comment #5)
> {...}
> > Other problems that I had not described are issues regarding other people
> > that may use one of my several sync'ed computers.  They'll borrow my laptop
> > to look at something on the web and randomly they'll get prompted for a
> > password.  Of course they'll have no idea why.  It's a completely unexpected
> > response from the browser and it cannot be ignored.
> 
> This is nothing to do with Sync. If you have Firefox remember passwords, and
> you've turned on Master Password, then this is what happens.
> 
> What alternative would you have occur?
> 
> This is exactly the same behavior as if you kept your Mac keychain locked
> and viewed a page in Safari.
> {...}

I'm afraid you jumped to a wrong conclusion from what I wrote since I wasn't specific.  In the above example, these alternate users visited generic websites that did not require passwords or did not have logins stored in my password manager.  The master password prompt was entirely because Sync wanted to do its thing randomly near the beginning of the browser session.  Keep in mind that I haven't used Sync in 4-5 months and at the time, when it wanted to sync seemed entirely random within the first five minutes.  I wrote in that help forum link that I would have a Master Password prompt randomly appear while I was doing other important things, like writing emails, watching movies(or being in other applications).

> {...}I cannot understand why it's not
> > optional.  I would have been ecstatic with an about:config method of turning
> > this off.  But all I read is, "it's intentional" and nothing more.
> 
> Because if we add a config parameter it makes an already hard to test part
> of Sync even more complex, and that config parameter needs to be maintained,
> migrated, documented, etc. for years. This is a non-trivial cost for a tiny
> benefit to a tiny set of users. I could easily imagine that fewer than a
> hundred people worldwide would ever use it. Would you spend, say, 50 hours
> of expensive engineer and QA time per year to maintain this feature for less
> than a thousandth of a percentage of Firefox's user base?
 
I'm a little bit underwhelmed by your estimation.  The requirements for this issue is a user having Sync enabled and having a Master Password.  At the time of my last usage, the dialog box popping up randomly while I was doing other things literally made me angry.  I try to consider myself a patient person, too.  (I seem only able to be angry at computers for some reason)  If it makes me angry, I wish and hope that it would at least annoy other people enough to turn it off given the option.  The lack of this "tiny benefit" makes me unable to use it.  I've spent many hours trying to find a sidestep solution all the way to trying to get Weave 1.6 working in FF4/5/6.

The support.mozilla question I commented on got most of its "me too" votes rather quickly... and I might add that it is extremely hard to find that post given the sea of other things searching those keywords pops up.

Are the number of users using Sync and Master Passwords really such a low demographic of FireFox users?  You've pushed Weave from a labs addon into part of the browser itself.  I wish everyone used Master Passwords honestly, but I know it's not remotely true.  But the idea that someone could take a screenshot of my password manager or swipe the SQLite file that stores it should be a shocking security risk to people.  I really have weighed either having Sync or having a Master Password.  Sync lost the logic battle so I cannot use it anymore.  It would probably disappoint me to learn how many people do not use something that I see as so important.

> > So I really have to ask.  Why isn't it an option?  In the UI or in the
> > about:config page?  I read old bug reports in this system that decried the
> > idea of annoying users with unexpected password prompts( #524221 )... but it
> > was later forgotten and undone.
> 
> On the contrary; we've revisited Master Password interactions with Sync a
> number of times, and will continue to do so. We just have many more
> considerations to weigh against each other than you might think.

It just doesn't seem that way on the outside most of the time.  I remember reading a blog post/comment of what I presume was a Mozilla developer saying that this was going to be the new functionality, the next post more or less begging them not to, and then the topic died there.

I don't even want to know all of the internal discussions that go on that I cannot see.  It just becomes disappointing when something that I used and loved becomes something that evokes the inverse of the previous state because it was dumbed down for the masses too far.  It's why I could never use IE.

Maybe that is creeping into my tone(of writing?) and why you feel the need to write things like that.
(In reply to Jacob Johnson from comment #10)

Bugzilla isn't really the place for discussions like this. It's for discussing implementation, not arguing over product direction. But I appreciate that you have concerns that you don't feel have been addressed, so I will do my best to address them.

Then I'm going to close this bug :)

> The master password prompt was entirely because Sync
> wanted to do its thing randomly near the beginning of the browser session.

So if it's annoying to have Sync prompt immediately on launch, and it's annoying to have it prompt at some later time, and we already know it's untenable to simply not sync until the user unlocks their master password for a long stretch of time, we're kinda out of perfect solutions, wouldn't you say?

> Are the number of users using Sync and Master Passwords really such a low
> demographic of FireFox users? 

Yes. Consider that not all Sync users even sync passwords, and that few people use MP to start with.

Furthermore, how many would know about and choose to use a pref to not prompt for MP on launch? How many MP and Sync-using users actually quit their browser more than once a week, anyway?

So now we're down to waaaaaay less than a million users (probably a few hundred or a few thousand!), versus potential work that could impact hundreds of millions.

In order to maintain that feature we need to do QA every week that we touch related code, and every six weeks as we branch. That's an ongoing commitment. An engineer has to write the code, make sure that prefs migrate correctly, that syncing that pref doesn't break Fennec.

Compared to "improve performance of Sync", "sync add-ons and favicons", and other things on our roadmap, spending the time to add and maintain a pref for a handful of users simply isn't a good use of resources.

I will even go so far as to say I won't accept a patch for this, because contributors (love them though we do) very rarely have the kind of longstanding stewardship that would offset these costs.

These are some of the problems that software engineering tries to address.


> But the idea that someone could take a
> screenshot of my password manager or swipe the SQLite file that stores it
> should be a shocking security risk to people.

I agree.


> I don't even want to know all of the internal discussions that go on that I
> cannot see.  It just becomes disappointing when something that I used and
> loved becomes something that evokes the inverse of the previous state
> because it was dumbed down for the masses too far.  It's why I could never
> use IE.
> 
> Maybe that is creeping into my tone(of writing?) and why you feel the need
> to write things like that.

I appreciate your feelings on the matter. We do the very best we can to keep our discussions and our planning public -- both on wiki.mozilla.org, and in #sync on IRC -- but it can be difficult for people who don't spend 60 hours a week on this stuff to acquire enough expertise and experience to contribute to some of these steering discussions.

Sync's primary issue, as has been thoroughly illuminated by extensive user research, is complexity. Complexity in setup, complexity and uncertainty in use. Adding preferences and allowing the behavior of Sync to be modified by undocumented configuration settings is going in exactly the wrong direction.

Weave started as something of an add-on for enthusiasts. It was unreliable, slow, overly general in some ways, but it accomplished its goal of helping to define what browser syncing should be. We do not believe that Firefox Sync and the Weave add-on try to achieve the same goal.

Our goal for Sync is that it be as close to a single checkbox as possible. Check the box, and all of your devices have the same data. This is why we WONTFIX bugs like "I want to sync only some of my bookmarks", or "let me set up complicated multidirectional syncing relationships". Non-goals.

The real solution to your poor user experience is to make Master Password suck less. And that's massively outside the scope of Sync.

In short: we do the best we can to make as many people happy as possible. Master Password sucks. Sorry.
Status: UNCONFIRMED → RESOLVED
Closed: 13 years ago
Resolution: --- → WONTFIX
Well I see this thread is somewhat old--but I am having the self same Master Password problem with the latest version of FireFox on both my Mac and my PC. Not only does it pop up as soon as I boot up the browser it KEEPS on popping up at the most unexpected and inappropriate times while I'm using it. I guess disabling the sync passwords option might stop the initial pop up but don't know about the rest. I used to love the Master Password function when it only worked when you wanted to get into your passwords or a password protected site. Now it is so annoying I think I'll simply switch to Chrome.
And I WANT to sync the passwords of course!
Well, not only is the bug old, but it's closed as well.

What you should take out of this is the last two paragraphs from Richard Newman.  The Master Password prompt sucks.  Instead of trying to get Sync changed... try to get the Master Password prompt changed.

In the interm, now that you know what the problem is, you can try to go after that new goal.  My solution was to use an addon directly tied to the Master Password prompt.
https://addons.mozilla.org/en-US/firefox/addon/master-password/

Unfortunately it seems with every other FF release, this addon is able to work less and less.  It used to be able to almost completely suppress the prompts, but now the prompt visibly flickers and sometimes gets stuck open if Weave/Sync loads and prompts before this addon gets a chance to load.  The prompt is still able to steal focus away from full-screen YouTube etc, also... but it's far better than nothing.
Firefox Account-based Sync doesn't store your credentials in Password Manager, so it doesn't (or shouldn't) need to prompt you for your Master Password in order to sync. It does, of course, need to do so in order to sync your passwords.

That version of Sync is coming in Firefox 29 (in Aurora right now).

But more generally, I would advise you to use Bitlocker (Windows) or Filevault (Mac), with appropriate security settings (e.g., screen locks), and simply turn off MP.

MP's user interaction is -- as you can see -- poor, and it's significantly weaker than OS-level whole-disk encryption solutions. You get immeasurably more bang for the buck by using OS security features, and you sidestep all the pain of trying to use MP.
Component: Firefox Sync: UI → Sync
Product: Cloud Services → Firefox
You need to log in before you can comment on or make changes to this bug.