no way to clear the master password

VERIFIED FIXED in psm2.1

Status

Core Graveyard
Security: UI
P1
major
VERIFIED FIXED
17 years ago
a year ago

People

(Reporter: Jesse Ruderman, Assigned: Kai Engert)

Tracking

Other Branch
psm2.1
x86
Windows 98

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: PDT)

Attachments

(3 attachments)

(Reporter)

Description

17 years ago
Edit->Preferences->Privacy and Security->Master Passwords

I can't figure out how to get rid of my master password once I've set one.  I 
can change it, but I can't get rid of it.

I'm running Mozilla build 2001 062204 on Win98.

Comment 1

17 years ago
The Change Password dialog should allow null passwords.  Currently, there is no
way to revert to a null password.  I think that's because the JS code looks to
make sure both new password fields are the same, and non-null.  The requested
change is to allow null passwords.

When we do this, I'd like to add a JS alert saying something like:
--
Warning!  You have deleted your Master Password, thereby eliminating the
protection of your private keys and your stored web passwords.  
--

That needs work, but you get the idea.


Priority: -- → P3
Target Milestone: --- → 2.1

Updated

17 years ago
Keywords: nsenterprise

Comment 2

17 years ago
Moving all P3 and P4 bugs targeted to 2.1 to future.
Target Milestone: 2.1 → Future

Comment 3

17 years ago
removing nsenterprise keyword from PSM bugs with target milestone of future.
Keywords: nsenterprise

Comment 4

17 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer

Comment 5

17 years ago
 Netscape 6.1 Suggestion
 
Primary Browser: 	ntsc61  
Language: 		English  
Component: 		Security
Suggestion Category: 	Improvements  
Issues Details: 
I would like to be able to disable the Master
Password in Security without losing all my info. I
find it very inconvenient to enter a password
every time I log on to get my mail. I wish I had
never used it to begin with, because now I'm stuck
with it. I also miss the green arrow, and sound of
my choice when I receive new mail. I do, however
like many other features of Netscape 6.1.

Comment 6

17 years ago
P3 -> P1  
There have been several complaints from people who want to have a null password
after having set one.

I'm also going to set it back to PSM 2.1 (from Future) for another look. 
Stephane will probably want to move it back out to Future because of time
constraints, but I want to give it one last shot before giving up.

Priority: P3 → P1
Target Milestone: Future → 2.1

Comment 7

17 years ago
kai
Assignee: ddrinan → kai.engert
(Assignee)

Comment 8

17 years ago
Fixing this bug results in additional changes in application behaviour.

Currently, a user is *forced* to set a password the first time some private data
are stored, e.g. a private key. At this time, the application does not allow the
user to set an empty password. The OK is simply disabled when there is no
password entered.

If we add a patch to allow the user to clear the password later, it doesn't make
sense to enforce the user to set one.

I therefore was required to change these cases, too.

I'm attaching a suggested implementation. This seems to work, but I'm not sure
whether I really thought of all combinations that might occur.
Bob (Relyea): To implement this correctly, I need to decide whether the PKCS#11
slot has already been initialized, but is currently using an empty password.
Please have a look at nsPKCS11Slot::GetStatus at
http://lxr.mozilla.org/mozilla/source/security/manager/ssl/src/nsPKCS11Slot.cpp#166

Can I assume that the SLOT_READY case is what I want? Or do you suggest, that we
should use a different combination of PK11_xxx calls to be sure that the slot
is initialized but has an empty password?

I don't want to use the PK11_CheckPassword function to find out, as I fear, if
we reuse the new code in the future for hardware tokens, multiple unsuccessful
calls to PK11_CheckPassword with the wrong password might deactivate a hardware
token.

Status: NEW → ASSIGNED
(Assignee)

Comment 9

17 years ago
Created attachment 47797 [details] [diff] [review]
Suggested implementation
(Assignee)

Comment 10

17 years ago
Sean, can you please have a look at the bottom of the patch? I'm adding three
strings, which are combined at runtime into two different messages. I.e. either
message 1+3 or 2+3. (I thought it will be easier for localization if we reuse
string 3).

Do you want to change these strings?

Comment 11

17 years ago
NSS supports the internal key database in 3 states:
1) Uninitialized. There is no password. The key database cannot be used until
it is initialized.
2) Initialized with a NULL password (""). In this case the token is treated as a
public token and keys can be accessed without the use of a password. From an
application point of view you never get a password prompt.
3) Initialized with a password. In this case the token is treated as a private
token, and must be 'logged-in' before access to the keys is granted.

This 3 state system was used to preserve the pre-pkcs #11 communicator
semantics, where you are asked to provide a password on the first use of an
uninitialized database. At that time you could choose to run with no password.
If PSM is trying to avoid state '2', that would explain the UI which prevents
NULL passwords.

So how can you tell the three states?

There are two functions: PK11_NeedLogin(slot) and PK11_NeedUserInit(slot)

They are set as follows:
          PK11_NeedLogin    PK11_NeedUserInit
State 1:  PR_TRUE           PR_TRUE
State 2:  PR_FALSE          PR_FALSE
State 3:  PR_TRUE           PR_FALSE

bob

Comment 12

17 years ago
+pw_erased_ok=Warning! You have deleted your Master Password. 
- fine

+pw_not_wanted=Warning! You have decided to not use a Master Password.
Change to "You have decided not to use a Master Password."

+pw_empty_warning=Your private keys and your stored web passwords will have no
protection.
Change to "Your stored web and email passwords, form data, and private keys will
not be encrypted."
(Assignee)

Comment 13

17 years ago
When the code with "status = SLOT_READY" is reached, we know for sure that we
have not state 1 and not state 3, as PK11_NeedLogin must be PR_FALSE. Although
there is no explicit check for the value of PR_NeedUserInit, we can assure it
must be PR_FALSE from Bob's explanation. I'll therefore continue to use
SLOT_READY to decide this token has a null password.


I'm adding Sean's changes.
David, can you please review the next patch?
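
The three-state check from Comment 11 and the warning strings from Comment 12, put together as an added C example that is not part of the bug or of the PSM patch. `TokenState`, `classify_token`, `ChangePlan` and `plan_change` are hypothetical names, the two booleans stand for the results of PK11_NeedLogin(slot) and PK11_NeedUserInit(slot), and the pairing of string keys to cases is an assumption read from the strings' wording.

```c
#include <stdbool.h>
#include <stddef.h>
#include <string.h>

/* States 1-3 follow Comment 11; TOKEN_INCONSISTENT is an added fail-closed
 * case for the one flag combination the table does not list. */
typedef enum {
    TOKEN_INCONSISTENT  = 0,
    TOKEN_UNINITIALIZED = 1,  /* no password yet, database not usable */
    TOKEN_NULL_PASSWORD = 2,  /* initialized with "", never prompts */
    TOKEN_PASSWORD_SET  = 3   /* login required before key access */
} TokenState;

/* Inputs are the results of PK11_NeedLogin(slot) and PK11_NeedUserInit(slot).
 * No password is ever tried, so a hardware token's retry counter is untouched
 * (the concern raised in Comment 8 about PK11_CheckPassword). */
TokenState classify_token(bool need_login, bool need_user_init)
{
    if (need_login && need_user_init)   return TOKEN_UNINITIALIZED;
    if (!need_login && !need_user_init) return TOKEN_NULL_PASSWORD;
    if (need_login && !need_user_init)  return TOKEN_PASSWORD_SET;
    return TOKEN_INCONSISTENT;
}

/* Hypothetical result type: what the change-password dialog should do. */
typedef struct {
    bool allowed;              /* may the change proceed at all */
    bool ask_old_password;     /* only state 3 has an old password to verify */
    const char *warning;       /* first string key, NULL when no alert is due */
    const char *warning_tail;  /* shared second string key, NULL likewise */
} ChangePlan;

ChangePlan plan_change(TokenState state, const char *new_password)
{
    ChangePlan p = { false, false, NULL, NULL };
    if (state == TOKEN_INCONSISTENT || new_password == NULL)
        return p;                               /* fail closed */
    p.allowed = true;
    p.ask_old_password = (state == TOKEN_PASSWORD_SET);
    /* Warn only when an empty password is a change from the current state. */
    if (new_password[0] == '\0' && state != TOKEN_NULL_PASSWORD) {
        /* Assumed pairing: "erased" if a password existed, else "not wanted". */
        p.warning = (state == TOKEN_PASSWORD_SET) ? "pw_erased_ok"
                                                  : "pw_not_wanted";
        p.warning_tail = "pw_empty_warning";
    }
    return p;
}
```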
(Assignee)

Comment 14

17 years ago
Created attachment 48069 [details] [diff] [review]
Patch rev. 2

Comment 15

17 years ago
adding patch review keywords.
Keywords: patch, review

Comment 16

17 years ago
adding nsenterprise to keywords.
Keywords: nsenterprise

Comment 17

17 years ago
marking nsenterprise+
Keywords: nsenterprise → nsenterprise+

Comment 18

17 years ago
r=ddrinan.
Comment on attachment 48069 [details] [diff] [review]
Patch rev. 2

sr=blizzard
(Assignee)

Comment 20

17 years ago
Patch checked into trunk. I don't close this bug yet, as we want this patch on
the branch, too.

Updated

17 years ago
Whiteboard: PDT

Comment 21

17 years ago
a=asa for checkin to 0.9.4 branch

(Why isn't PSM using the wonderful new Patch Tracker for tracking review and
super-review?)
(Assignee)

Comment 22

17 years ago
Created attachment 48486 [details] [diff] [review]
Changing one word in user interface string only "not encrypted" =>  "not protected"
(Assignee)

Comment 23

17 years ago
ssaux said: "The last alert tells the user that the web passwords will not
be encrypted anymore. We should change that to "not protected". The
reality is that they are encrypted, but with a null password."

That's the reason for the new patch.
Comment on attachment 48486 [details] [diff] [review]
Changing one word in user interface string only "not encrypted" =>  "not protected"

sr=blizzard
(Assignee)

Comment 25

17 years ago
Checked in to trunk and branch, closing bug.
Status: ASSIGNED → RESOLVED
Last Resolved: 17 years ago
Resolution: --- → FIXED
(Reporter)

Comment 26

17 years ago
Eww, encrypted with a null password?  That doesn't sound great for 
performance...

Comment 27

17 years ago
Performance of what? Signing/Unwrap? The 256 byte triple-DES decrypt of a
private key is more than swamped by 128 byte RSA sign/unwrap operation.

The negligible performance cost of this operation is weighed against the benefits
of simpler code (keys are always encrypted), and the extra security inside the
client process because the nature of the private key is obscured from key
scanning programs except when the key is in actual use.

Comment 28

17 years ago
Verified on
build: 2001-09-13-0.9.4
platform: Win NT

Under Edit->Preferences->Privacy and Security->Master Passwords

I selected the null password and got the security warning.
Status: RESOLVED → VERIFIED

Updated

13 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
Product: Core → Core Graveyard