Bug 809682 - Master Password prompt/dialog needs a redesign
Status: RESOLVED WONTFIX
Product: Firefox
Classification: Client Software
Component: Security
Version: unspecified
Platform: All All
Importance: -- normal with 8 votes
Assigned To: Nobody; OK to take it and work on it
Duplicates: 626376
Blocks: masterpassword

Reported: 2012-11-07 16:51 PST by manwesulimo2004
Modified: 2015-02-02 18:04 PST
davemgarrett: needinfo? (manwesulimo2004)

Attachments
Master password dialog mockup (165.33 KB, image/png)
2012-11-07 16:51 PST, manwesulimo2004

Description manwesulimo2004 2012-11-07 16:51:46 PST
Created attachment 679451
Master password dialog mockup

The password manager has been bugging me for ages. I've whipped up a quick mockup of how I think a better master password dialog could look. It should fix the following issues:

-------------------------------------
- #1 Dialog can open more than once -
-------------------------------------
Ok, this one could be fixed with any other dialog too.

This should fix the following bugs:
https://bugzilla.mozilla.org/show_bug.cgi?id=95397
https://bugzilla.mozilla.org/show_bug.cgi?id=177175
https://bugzilla.mozilla.org/show_bug.cgi?id=625051

-------------------------------------------------------------------------
- #2 Can't interact with underlying Firefox window while dialog is open -
-------------------------------------------------------------------------
This can be really annoying if you start Firefox and it loads up a YouTube page. You want to stop the video? Mute it? Not a chance with the old dialog. The new dialog doesn't get in your way.

------------------------------------------------------
- #3 Not obvious why the password is being requested -
------------------------------------------------------
The new dialog informs the user which site it is requesting login data for.

-----------------------------
- #4 Can't display password -
-----------------------------
The combination of issues #1 and #4 with long passwords can be particularly annoying. I would frequently be entering my password and have a second instance of the old password dialog pop up. Half my password would end up in one dialog and half in the other. But instead of being able to edit the password by adding the missing half I would have to delete everything and start from scratch because I couldn't see the characters I have already typed.

----------------------------------------------------------------------------
- #5 Inconsistent look (doesn't integrate into the rest of Firefox nicely) -
----------------------------------------------------------------------------
The new dialog has a familiar look, borrowing from other dialogs such as the "add extension" and "save password" dialog.

This should also fix the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=101611

-------------------------------------
- #6 No feedback for wrong password -
-------------------------------------
I haven't got a mockup for this yet, but the new dialog informs the user when the entered password is incorrect.

This should fix the following bug:
https://bugzilla.mozilla.org/show_bug.cgi?id=302238

-----------------------------------------
-----------------------------------------

Now this mockup isn't pixel perfect or finalised in general but I thought I'd throw it out there to get feedback from others. It would also be great to find some volunteers who would be willing to implement this. I'll look into coding it myself but I'm new to the code base and have limited time so I don't know how well that will go.
Comment 1 Josh Matthews [:jdm] 2012-11-07 17:00:39 PST
Roping in dolske, who knows the password manager code, and stephen, who might have UX feedback.
Comment 2 Justin Dolske [:Dolske] 2012-11-07 23:21:20 PST
Items 1/2/3 from comment 0 are essentially unfixable due to deep technical issues. Or, to use different phrasing, it would take a _lot_ of time and energy from someone who's familiar with NSS/PSM internals, and I'm doubtful if such a change would end up being accepted as having a poor cost/benefit ratio.

Item 4 is doable. I'd probably want to generalize it as a solution for _all_ password fields. (IIRC there is (was?) some work done on mobile to make password fields briefly show the last character typed, that would play into this too.) The technical work here is easy, but we'd want to have some careful UX and security discussions about what should be done by default and how we expose this to users.

Items 5 and 6 are fair. Could be hard to fix due to PSM callback structure, but otherwise sounds like general UI cleanup.


That said...


I think we're more interested in ways of replacing the current "master password" stuff than trying to tweak it into working better. That means going back to look at fundamental use cases, determining what's important, and how to best support those UI flows.

We started a bit of work on this last summer, but it's since been back burner'd. The general concept was "sign into your browser", based on BrowserID. I think it's a far better experience to do something like that than attempt global unlocking when some random thing requests a password. (Along with better access control granularity. It's a bit silly that my icanhazcheeseburger.com login and bank password are treated equivalently.)
Comment 3 Gervase Markham [:gerv] 2012-11-08 02:51:52 PST
What is a "Software Security Device" and why does it want my password?

How about:

"To prefill stored data on this site, enter your Master Password:"

or something like that?

Gerv
Comment 4 manwesulimo2004 2012-11-08 04:06:00 PST
Oh yeah, good point. I forgot to mention that it is merely place-holder text.
Comment 5 Cyril 2012-11-08 05:20:50 PST
This bug is tagged "Firefox", but source code with Thunderbird Master Password is probably shared, isn't it?

Please, consider a check-box "On line / Off line" with master password prompt to allow exceptional off-line connection (or a valid 1 cancel action on master password dialog box with no other password prompt).
Comment 6 manwesulimo2004 2012-11-08 05:53:15 PST
Sorry, but I don't understand what you're asking for. What should the online/offline check-box do? And what is the cancel action you mentioned? The current mockup has an "x" to close it so it doesn't require a cancel button.
Comment 7 Brian Smith (:briansmith, :bsmith, use NEEDINFO?) 2012-11-08 12:23:55 PST
I am concerned about how similar the proposed doorhanger is to the BrowserID login UI and how similar it would be to the new HTTP auth doorhanger. It looks like the site is asking for your master password. And, any site that would use HTTP auth would have a decent shot at tricking you into sending them your master password, because the UI would be so similar. (Also a problem now.)

(In reply to Justin Dolske [:Dolske] from comment #2)
> Items 1/2/3 from comment 0 are essentially unfixable due to deep technical
> issues. Or, to use different phrasing, it would take a _lot_ of time and
> energy from someone who's familiar with NSS/PSM internals, and I'm doubtful
> if such a change would end up being accepted as having a poor cost/benefit
> ratio.

One possible way to fix this: Categorize uses of NSS into two categories: operations that operate only on session keys (or no keys), and operations that operate on token keys.

Except in FIPS mode, we should be able to make it so we do all the operations on session keys without prompting for the master password:

Alternative 1: We could either change softoken so that it has a mode where it requires authentication only for operations on token keys and/or private keys.

Alternative 2: Instead of having one internal slot, we could have two. The first, default, internal slot would be used for almost all operations, and would never require a password. The second internal slot would be used for client cert private key operations and for SDR. Then we would change the few operations that need to use the second slot, things that use nsISecretDecoderRing, so that they check to see if we've logged into the second slot before they attempt any crypto operation. If not, avoid attempting the operation, then show the UI to log in with the master password.

If we did all of this, then the synchronous PKCS#11 password prompt callback would only be called in FIPS mode, or for client cert authentication, both of which are rare. We could do follow-up work to make them work better. For example, in FIPS mode, we could prompt for the master password before we even create any browser windows; it would not be a great UI but it would be much better than what we're doing now, especially regarding the impact on non-FIPS users. Client cert authentication in SSL probably requires its own login UI because it has to deal with smart cards and whatnot that might even have different passwords. (To be honest, I am not quite sure how such prompting works now.)
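The check-before-operate pattern from Alternative 2 in comment 7, as an added example that is not part of the original comment and is not NSS or Firefox code. All class and method names are hypothetical, the "decryption" is a stand-in that performs no cryptography, and coalescing concurrent requests behind a single prompt is an assumption of this model rather than something the comment specifies.

```javascript
// Constructed model for illustration; names are hypothetical, not NSS or Firefox APIs.
class Slot {
  constructor(password) {
    this.password = password;          // null means the slot has no password
    this.loggedIn = password === null;
  }
  needsLogin() { return !this.loggedIn; }
  login(pw) {
    if (pw === this.password) this.loggedIn = true;
    return this.loggedIn;
  }
}

class KeyStore {
  constructor(masterPassword, showPrompt) {
    this.defaultSlot = new Slot(null);           // session keys: never prompts
    this.tokenSlot = new Slot(masterPassword);   // token keys: SDR, client certs
    this.showPrompt = showPrompt;                // UI hook, called once per prompt
    this.pending = [];                           // operations waiting for login
    this.promptOpen = false;
  }
  // Session-key work goes to the default slot and never needs the password.
  sessionOp(data) {
    return this.defaultSlot.needsLogin() ? null : `session:${data}`;
  }
  // Token-key work checks login state first instead of attempting the
  // operation and relying on a synchronous password callback.
  decrypt(blob, onDone) {
    if (!this.tokenSlot.needsLogin()) return onDone(null, this.unwrap(blob));
    this.pending.push({ blob, onDone });
    if (!this.promptOpen) {          // coalesce: one prompt for all waiters
      this.promptOpen = true;
      this.showPrompt();
    }
  }
  submitPassword(pw) {
    if (!this.tokenSlot.login(pw)) return false;   // prompt stays open for retry
    this.promptOpen = false;
    for (const { blob, onDone } of this.pending.splice(0)) {
      onDone(null, this.unwrap(blob));
    }
    return true;
  }
  cancelPrompt() {
    this.promptOpen = false;
    for (const { onDone } of this.pending.splice(0)) {
      onDone(new Error("master password prompt cancelled"), null);
    }
  }
  // Stand-in for real decryption: strips a marker, performs no cryptography.
  unwrap(blob) { return blob.replace(/^enc:/, ""); }
}
```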
Comment 8 Zack Weinberg (:zwol) 2012-11-08 12:32:44 PST
(In reply to Brian Smith (:bsmith) from comment #7)
> I am concerned about how similar the proposed doorhanger is to the BrowserID
> login UI and how similar it would be to the new HTTP auth doorhanger. It
> looks like the site is asking for your master password. And, any site that
> would use HTTP auth would have a decent shot at tricking you into sending
> them your master password, because the UI would be so similar. (Also a
> problem now.)

I'd like to echo these concerns and emphasize that the UI we have now would be very easy for a website to spoof.  This is a Hard Problem in general -- see for instance http://lorrie.cranor.org/pubs/osframed.pdf -- but we shouldn't make it _easier_.
Comment 9 Michael Lefevre 2012-11-08 13:34:44 PST
(In reply to Gervase Markham [:gerv] from comment #3)
> What is a "Software Security Device" and why does it want my password?
> 
> How about:
> 
> "To prefill stored data on this site, enter your Master Password:"
> 
> or something like that?

The prompt isn't necessarily related to filling stored data on "this" or any site. If you're using Weave/Sync, then the prompt pops up 20/30 seconds after you start Firefox, if a sync is due (the fact that it pops up after a few seconds rather than immediately is annoying in itself - it's not enough time to do anything useful, so it just means you get interrupted just after you start doing something). Add-ons can also use the "Software Security Device" and so trigger the same prompt.

Several of the issues mentioned here so far have existing bugs filed (some of which are tracked by the meta bug 570421), and having a whole collection of issues in one bug is generally not a good way to get things done.

(In reply to manwesulimo2004 from comment #6)
> Sorry, but I don't understand what you're asking for. What should the
> online/offline check-box do? And what is the cancel action you mentioned?
> The current mockup has an "x" to close it so it doesn't require a cancel
> button.

He's referring to Thunderbird, which shares this dialog. And suggesting, for Thunderbird, ways around issues #1 and #2 in your original comment, assuming that they can't actually be fixed (that is, the "x" would close a single prompt, but a cancel action could close all the prompts).

Tweaking the appearance while leaving the underlying issues unfixed doesn't seem very worthwhile to me...
Comment 10 Cyril 2012-11-09 05:32:23 PST
@manwesulimo2004:
Thunderbird and Firefox can operate online or offline.
When the default is online, the master password prompt is raised just after startup and makes the offline button or menu inaccessible.
When using a mobile computer with local email folder, it can be useful to launch TB to read old email without being prompted for 10 email passwords (+ 30 calendars DAViCal passwords if Lightning installed).

So, it could be useful to switch to offline just after startup to dismiss all password prompts at once, and master password prompt dialog box seems to be a good candidate.
Comment 11 Robert Relyea 2013-01-08 12:25:29 PST
> Except in FIPS mode, we should be able to make it so we do all the operations on session keys 
> without prompting for the master password:

I'm confused, that should be the case now.

> Alternative 1: We could either change softoken so that it has a mode where it requires 
> authentication only for operations on token keys and/or private keys.

That's how it works today. If you are getting prompts for passwords in other cases, then you are either in FIPS mode, or incorrectly requested the database token to do a cryptographic operation.

> Alternative 2: Instead of having one internal slot, we could have two. The first, default, 
> internal slot would be used for almost all operations, and would never require a password.
> The second internal slot would be used for client cert private key operations and for SDR.
> Then we would change the few operations that need to use the second slot, things that use 
> nsISecretDecoderRing, so that they check to see if we've logged into the second slot before 
> they attempt any crypto operation. If not, avoid attempting the operation, then show the UI
> to log in with the master password.

This is how NSS implements Alternative 1. 

Brian's whole proposal in comment 7 actually describes how things work today.

bob
Comment 12 Florian Bender 2013-08-13 10:36:59 PDT
Bug 626376 is a duplicate of this one, please mark it as such.
Comment 13 Matthew N. [:MattN] 2013-08-13 10:38:53 PDT
*** Bug 626376 has been marked as a duplicate of this bug. ***
Comment 14 Steven 2013-12-22 05:44:14 PST
Just wanted to propose Bug 720159 be integrated with this Bug (Open Master password prompt on a secure desktop option).
Comment 15 Jay Libove 2014-10-11 00:15:22 PDT
I support the suggestion to use Windows Secure Desktop for Firefox Master Password prompts.

Also, I support the many suggestions to allow user-configurable timeouts on the Master Password (similar to LastPass' "Require Master Password Re-prompt" -> "Don't prompt me again for (configurable) time" function); AS WELL AS user-configurable per-Certificate (speaking now of imported Certificates with Private Keys) being able to mark a Certificate as ALWAYS require Master Password.

thank you.
Comment 16 manwesulimo2004 2014-10-24 01:43:06 PDT
I see there are some more suggestions for how the dialog works but those should probably be mentioned in new bug reports. As far as I can tell this issue was fixed a long time ago.
Comment 17 bugzilla_mozilla 2014-10-28 04:30:35 PDT
So what exactly has been fixed? I am not sure about your issue #1, but issues #2-#6 are still there!?
Comment 18 Dave Garrett 2014-10-28 11:03:42 PDT
This bug might've been closed in error, as based on comment 0 this is not WFM by a longshot. I'll reopen for now, but it's likely that the correct resolution is to dupe this to an alternative bug or to WONTFIX this instead.
Comment 19 Justin Dolske [:Dolske] 2015-01-09 15:43:45 PST
It's generally agreed among UX/Engineering/Product that we don't want to further develop the existing master password functionality, as it's a poor fit for current needs and our current direction in this area.
Comment 20 Zack Weinberg (:zwol) 2015-01-09 18:31:27 PST
I don't follow your logic.  As long as there's a password manager, it will make sense to allow (or perhaps, once the UX is up to it, *require*) users to provide a master password; as long as there's a master password, there needs to be some kind of prompt for it; it is universally agreed that the existing prompt is terrible and needs to be redesigned *somehow*.  

This bug seems as good a vehicle as any to do the redesign in, and IMHO is a better place than a fresh bug, since many of the people who care are already cc:ed.
Comment 21 Cyril 2015-01-10 00:09:05 PST Comment hidden (advocacy)
Comment 22 Michael Lefevre 2015-01-10 05:03:15 PST
Whether or not it was the right way to do it in bugzilla, it seems to have happened already - there is a series of new bugs filed and a new password manager roadmap - see bug 1118955
Comment 23 Zack Weinberg (:zwol) 2015-01-10 08:49:31 PST
(In reply to Michael Lefevre from comment #22)
> Whether or not it was the right way to do it in bugzilla, it seems to have
> happened already - there is a series of new bugs filed and a new password
> manager roadmap - see bug 1118955

I don't see anything in that roadmap or bug dependency tree relating to the UX for the master password, although there are a few related issues (stronger crypto for the file on disk, for instance).

Right now I am sorely tempted to reopen this again and add it to bug 1118955's dependencies; the only reason I'm not doing it is I don't have any time to offer to actually help out.
Comment 24 Jay Libove 2015-01-10 11:34:55 PST
Zack Weinberg said it very well in Comment 20.
It's a shame to see this abandonment of good sense and good security usability.
The only excuse will be if the very next version of Firefox eliminates the old password manager and replaces it with something good. 

Or disable password management entirely in Firefox (and Chrome and IE) and refer people to solutions like LastPass and other quality free password managers.
If you're concerned (as the dialog in bug 1118955 suggests) that other password managers are for "security conscious people only", then work with them to make easier to use versions of their free tools, rather than re-inventing a wheel which frankly has been well invented already by others.
