Bug 96018: Create "Reset Master Password" button
Status: Closed, VERIFIED FIXED (opened 23 years ago, closed 23 years ago)
Categories: Core Graveyard :: Security: UI, defect, P1
Tracking: Not tracked, psm2.1
People: Reporter: lord, Assigned: inactive-mailbox
Whiteboard: PDT+, on trunk, waiting for 0.9.4 check in
Attachments
(21 files)
This feedback comes from various sources, including the N6 feedback page which users can fill out. Many users create a master password and then forget it. They'd like a way to reset it.
We should create a "Reset Master Password" button which would live in the Preferences window, under Privacy&Security/Master Passwords. It should warn the user that this operation cannot be undone, and that it will affect the following areas:
- Saved web names and passwords
- Personal certificates and keys
- Changes to the trust bits on web sites and CAs
etc.
Promoting to PSM 2.1, P2. We're getting lots of requests for this feature in the N6.1 feedback forms. Can we do this?
Priority: -- → P2
Target Milestone: --- → 2.1
Comment 2•23 years ago
NSS already has a function PK11_ResetToken() which can be used to reset the key database. The function turns off the user bits for the certs in the user database, but does not perturb the existing trust and web server bits. This function was added long ago to support this functionality, but was never hooked up to the client (as usual). Anyway the function has never been tested, but I just reviewed the code again and I don't see any problems with it visually. It's a generic function to reset any token, so it takes an SSO pin, which is "" in the case of the internal token.
bob
From a user:
Netscape 6.1 Problem
Primary Browser: ntsc61
Operating System: Win98
Language: English
Issue Summary: master passwords
Component: Security
Doing What: Changing preferences
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://
Issue Detail: im trying to set a master password here cuz the encryption item is checked......i wanted to uncheck it and it keeps asking me for my master password but im having trouble making 1 cuz when i try it wont accept it......help me here.....
Netscape 6.1 Problem
Primary Browser: ntsc61
Operating System: WinME
Language: English
Issue Summary: Master Password/Web Password settings get corrupted
Component: Security
Doing What: Changing preferences
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://n/a
Issue Detail: Having set master password for encrypting passwords earlier, and then going back and testing quality of master password and then canceling out, now the master password is not what was set and can not use encryption because the master password is now unknown!
Netscape 6.1 Problem
Primary Browser: ntsc61
Operating System: WinNT
Language: English
Issue Summary: Cannot enter password
Component: Security
Doing What: Changing preferences
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://
Issue Detail: I am trying to enter a master password for the first time. It says "incorrect password". How can it be incorrect, I haven't entered one yet?
Comment 6•23 years ago
->kai. Kai, the implementation should either completely remove the cert db or it should remove all personal certs and reset the password. The former is probably easier to implement, but it may unnecessarily remove added CA cert, etc... Because of the high volume of requests from users who set a password and then forget it, we need to provide this functionality. Such users are also not sophisticated enough to go and delete the cert and key db on their own.
Assignee: ssaux → kai.engert
Priority: P2 → P1
Updated•23 years ago (Assignee)
Status: NEW → ASSIGNED
Comment 7•23 years ago (Assignee)
Where should we add the button to remove the password? One place where it should appear is "Preferences / Privacy / Master Password", where we could add the new button "Reset Password" next to the "Change Password" button. I wonder if we also should add it to the prompter asking for the master password? But if I remember correctly, the UI is already frozen for the 0.9.4 branch. This feature would add new buttons to the UI. Are we allowed to do this, or are we required to move this feature to 0.9.5?
Regarding the warning text: Although I know that we don't support S/MIME yet, I wonder if we should already include the warning text, that this could influence encrypted e-mail. Imagine a scenario in one year from now, where a user has two versions of Mozilla (or Netscape) installed. An older one (based on 0.9.5 for example), and a newer one, which already includes S/MIME. Both versions will likely share the same profile. Resetting the token will have the effect of losing the ability to read encrypted e-mail. Should we add this warning to the text now?
Comment 8•23 years ago
We should not remove the cert database. As I noted in this bug already, there is an existing NSS function which removes the key database, and marks the user certs as normal certs (we could remove them if we wanted to as well). Even without the function, removing the key database would be sufficient to get 90% of the functionality.
bob
Comment 9•23 years ago (Assignee)
I'm confused why you say we shouldn't delete the cert database, but only the key database. Does some earlier comment suggest the cert database should be removed? Regarding my comment to encrypted mail, I wanted to say that the user will lose the private keys, will be unable to read old archived encrypted mail, and will not be able to read encrypted mail from other people who still use the certificate. Maybe the warning text should include, that on resetting the password / key database, the user should go to their CA and ask for revocation of the now unusable certs. Your suggestion to use the PK11_ResetToken function looks great and makes fixing this bug easy, I will use it.
Comment 10•23 years ago (Assignee)
Bob, I just saw why you noted we shouldn't remove the cert database, it was mentioned in an earlier comment from Stephane that it could be done. Thanks for clearing that this is not necessary.
Comment 11•23 years ago
kai
After talking with Bob Relyea and Bob Lord we think that the right thing to do is to call PK11_ResetToken(). The extra button should be in the Master Password overlay, where in a box between the "Change Master password" box and the "master password timeout" one. The box should be very similar to the Change master password: Here's somewhat of a mockup:
I'm not sure how much we want to warn the user in terms of losing any existing certs. The reality is that if they have forgotten the password, they already have lost them.
--------------------------------
Reset Master Password
You can reset your master password if you have forgotten it. This action will erase any personal certificates you may have.
<Reset Password>
-----------------------------------
When they click the button, we should have a "Are you sure" box pop up with an ok/cancel button, although that's even more UI change, so we may want to skip that, especially if we can find good warning language above.
Comment 12•23 years ago (Assignee)
I don't feel good with that suggestion. It makes it way too easy to delete all your private keys and web passwords. Before I agree I'd at least want to discuss what you think about the following.
A user could accidentally click this button, which would cause him lots of trouble. A simple click shouldn't be enough to reset. Many people don't think before they click, they just do it when they see such a button and are in a hurry. The "are you sure" dialog is required as a minimum in my opinion.
But I'd prefer going even one step further. In the "are you sure" dialog, I'd display a random numeric "erase confirmation code" in a text label, and ask the user to manually type that "erase confirmation code" (as opposed to ask a user to simply type yes, which might cause problems for different language distributions). That way, a user can't accidentally erase it, and will be reminded to think about it carefully.
What about this: In the place you suggested, let's add the new "Reset Password" button. The dialog that pops up could look like that:
-------------------------------------------------------
Reset Master Password
(Explanation text that repeats what will happen, in addition to warn the user, this should only be done, if the password is really forgotten. A listing should be shown, which parts of the security database will be erased, i.e. personal certificates and web passwords.)
To protect yourself from accidentally erasing the Master Password, you need to type in the following Reset Confirmation Code: 83748 (<- random)
                               ------
Enter Reset Confirmation Code: |    |
                               ------
Are you really sure to reset and effectively delete as described above? This operation can not be undone.
<Yes> <Cancel> <Help>
-------------------------------------------------------
Comment 13•23 years ago (Assignee)
Regardless of what we decide, I began implementing the parts that we need with or without confirmation dialog. I'm attaching a patch. It seems to work. However, when you click the button twice, i.e. the function PK11_ResetToken is called the second time, the application crashes. I will provide more input on the crash. Should I open a separate bug?
Comment 14•23 years ago (Assignee)
Comment 15•23 years ago (Assignee)
Stack of crash:
#0 0x4176cda7 in hash4 (keyarg=0x89da5d6, len=4294963210) at ../../../mozilla/dbm/src/h_func.c:185
#1 0x4176a791 in __call_hash (hashp=0x82114d0, k=0x89da5d6 "±\217`[Û0ö\216ÐÕÚÚÚÚ)", len=4294963210) at ../../../mozilla/dbm/src/hash.c:1153
#2 0x41769ce0 in hash_access (hashp=0x82114d0, action=HASH_DELETE, key=0xbfffc858, val=0x0) at ../../../mozilla/dbm/src/hash.c:859
#3 0x41769c46 in hash_delete (dbp=0x8211ed0, key=0xbfffc858, flag=0) at ../../../mozilla/dbm/src/hash.c:819
#4 0x41719a49 in SECKEY_ResetKeyDB (handle=0x820e858) at keydb.c:2444
#5 0x4170337c in NSC_InitToken (slotID=2, pPin=0x0, ulPinLen=0, pLabel=0xbfffc8d4 "Software Security Device $Éÿ¿çLfAH\e\"\b") at pkcs11.c:2716
#6 0x416e8ff3 in PK11_ResetToken (slot=0x8221b48, sso_pwd=0x0) at pk11slot.c:4281
The error seems to happen inside function SECKEY_ResetKeyDB. On line
ret = (* handle->db->del)(handle->db, &key, 0);
the variable key contains {data = 0x89da5d6, size = 4294963210} which looks wrong. BTW, data contains a member with a similar size (4294967286). The loop iterates a few times, until it arrives at this invalid key.
The same crash happens reproducibly when I restart the application and call PK11_ResetToken. I tested what happens when I have a fresh empty certificate database, i.e. the one created by default during init. With this db, I can call PK11_ResetToken multiple times without crashing.
Comment 16•23 years ago (Reporter)
I agree that we need to make sure people don't click on the button by accident. I also like the confirmation dialog idea. I think a 3-digit confirmation would be good enough.
Comment 17•23 years ago (Assignee)
I'll attach the updated implementation, which includes the suggested confirmation dialog. The OK button only gets enabled when the user enters the correct confirmation code (as displayed in the dialog). I need assistance with good texts for the dialog. Sean, can you please help me?
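The confirmation-code gate described in comments 12 and 17, modelled as an added JavaScript example; it is not the patch attached to this bug. The names `ResetDialog` and `makeConfirmationCode`, the `resetToken` callback standing in for the code path that reaches PK11_ResetToken(), and the one-shot guard are assumptions of this example.

```javascript
// Added illustration; not the patch attached to this bug.
// Models the dialog from comments 12 and 17: a random numeric code is shown,
// and the destructive button stays disabled until that exact code is typed.

const CODE_DIGITS = 5; // comment 12 shows a 5-digit code (83748)

// The code is displayed to the user in clear text, so it is not a secret and
// Math.random() is adequate. Its only job is to stop accidental clicks.
// Digits only, so the check does not depend on the UI language.
function makeConfirmationCode(digits = CODE_DIGITS, rng = Math.random) {
  let code = "";
  for (let i = 0; i < digits; i++) {
    code += Math.floor(rng() * 10);
  }
  return code; // kept as a string so leading zeros survive
}

class ResetDialog {
  // resetToken: hypothetical callback performing the destructive reset;
  // it must return true on success.
  constructor(resetToken, rng = Math.random) {
    this.resetToken = resetToken;
    this.code = makeConfirmationCode(CODE_DIGITS, rng); // fresh code per dialog
    this.typed = "";
    this.done = false;
  }

  // Called whenever the text field changes.
  onInput(text) {
    this.typed = String(text).trim();
  }

  // The OK button is enabled only while the typed text equals the shown code
  // and the dialog has not already been answered.
  get okEnabled() {
    return !this.done && this.typed === this.code;
  }

  onOk() {
    if (!this.okEnabled) return "ignored";
    this.done = true; // one-shot: a second click never reaches the token
    return this.resetToken() ? "reset" : "failed";
  }

  onCancel() {
    this.done = true;
    return "cancelled";
  }
}
```
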
Comment 18•23 years ago (Assignee)
Comment 19•23 years ago (Assignee)
Comment 20•23 years ago
Open a bug on the TokenReset Crash against NSS.
bob
Comment 21•23 years ago (Assignee)
NSS crash moved to bug 97614.
Comment 22•23 years ago (Assignee)
Comment 23•23 years ago (Assignee)
If someone wishes changes to the user interface (except wording, Sean is working on it), please speak up.
Comment 24•23 years ago
After discussing this with some of the other writers and QA people, I'm beginning to think that having the user type in a random number as kai has proposed is a bad idea that is likely to confuse users and lead to more QA calls on this issue.
From the user's point of view: What is this new number all of a sudden? Is this my new master password? My old one? Should I write it down? Should I type it in as my new password? Etcetera. Any strategy that attempts to make people stop and think by (a) reading a bunch of text and (b) doing something totally meaningless is dangerous. Chances are, they won't read or understand the text and they'll assign their own random meaning to the meaningless task.
Why not take advantage of user's ingrained habits and make Cancel the default, highlighted button that's tied to the Enter key (rather than OK). Even people (like me) who like to click rather than type tend to click the highlighted button. There is a successful model for this approach: The activation screen that comes up with a new profile. The default is Activate. If you click Cancel, you get another dialog that says, "Are you really sure you want to do this" etc., where again the "best" course (OK in this case) is highlighted and Cancel is not.
So what I'm proposing is: Click Reset Master password, and you see a dialog with some brief text that says something like, "you're about to do something really dangerous, are you sure you want to?" It has three buttons, Cancel OK and Help, with Cancel the default. If you click OK here, you get another dialog that says, "Are you really really sure?" in which the Cancel button is again the default. Only if they click OK this time will the password get changed. It might also help to call the danger button something more dramatic than OK, like "Destroy my old password."
I will work on some specific text for this proposal and post it later this evening. If anybody has objections please speak up.
Comment 25•23 years ago
Sean: It's ok to eliminate the number if you think that's a problem. I'm against adding yet another dialog. The issue here is that we're past the UI freeze. Can you take Kai's screen shot, ignore the blurb and input box, and rephrase the text/buttons to give that sense of urgency. Kai: Can you prepare a patch that eliminates the check on the number. I'd like to be able to go tomorrow to the approvers and tell them that we have this UI issue.
Comment 26•23 years ago
OK, here's my proposed text.
-----------------
For the new Master Passwords prefs panel section called Reset Master Password:
-----------------
If you have forgotten your master password, you can reset it. Resetting your master password erases all your sensitive personal information, including stored web and email passwords, form data, personal certificates, and private keys.
[ Reset Password ]
-----------------
For the dialog titled Reset Master Password that appears when you click Reset Password:
-----------------
WARNING: If you reset your master password, you will permanently erase all your stored web and email passwords, form data, personal certificates, and private keys. You should reset your master password only as a last resort if you have forgotten it.
Are you sure you want to reset your master password and erase your sensitive personal information?
[[ No ]] [ Yes ] [ Help ]
-----------------
Note that "No" above is highlighted and tied to the Enter key. Does it make sense to put the highlighted button furthest to the left?
I think Yes or No in answer to a direct question is better in this case than OK and Cancel.
It would probably be better to make "Warning:" lowercase and boldface, but I'm not sure if you can do that here.
What happens after you click Yes and the password for the selected token is reset? Preferably, the Set Master Password dialog immediately appears, with the appropriate token selected, and you set a brand new password without having to specify the old one. Or, you return to the Master Passwords prefs panel, in which case you need to click Change Password and (if there's a choice) select the correct token. I hope it's the former. The latter may confuse some users.
I am working on new help for this, which I will check in as soon as you get approval and check in the fix.
Comment 27•23 years ago (Assignee)
> -----------------
> For the dialog titled Reset Master Password that appears when you click Reset
> Password:
> -----------------
>
> WARNING: If you reset your master password, you will permanently erase all your
> stored web and email passwords, form data, personal certificates, and private
> keys. You should reset your master password only as a last resort if you have
> forgotten it.
>
> Are you sure you want to reset your master password and erase your sensitive
> personal information?
>
> [[ No ]] [ Yes ] [ Help ]
That's fine with me, I just want to note a personal experience I made in the past. When users see such a message, stating that something dangerous is supposed to happen if they click the wrong button, they get nervous and prefer to see a cancel button. I count myself to the bunch of people who get nervous. A cancel button states very clearly that it is bound to "don't do it". With the buttons yes and no, they have to be sure that they really understood the text. I like your text, but what about these labels for the buttons:
[[Cancel]] [Erase & Reset] [Help]
I agree to your suggestion with the keys that are bound to the buttons. Both the Escape key and the Enter key should be bound to Cancel.
> Note that "No" above is highlighted and tied to the Enter key. Does it make
> sense to put the highlighted button furthest to the left?
Yes, I agree.
> I think Yes or No in answer to a direct question is better in this case than OK
> and Cancel.
See above. I agree that OK is bad, but in this very special case, where we do something irreparable, I think it is preferable to write the action directly into the button. What do you think?
> It would probably be better to make "Warning:" lowercase and boldface, but I'm
> not sure if you can do that here.
You can use boldface. However, I think it can't be mixed within the same text, you'd have to use two separate labels / text items in the dialog, and they can't be within the same paragraph. (Although I haven't tried yet)
> What happens after you click Yes and the password for the selected token is
> reset? Preferably, the Set Master Password dialog immediately appears, with the
> appropriate token selected, and you set a brand new password without having to
> specify the old one. Or, you return to the Master Passwords prefs panel, in
> which case you need to click Change Password and (if there's a choice) select
> the correct token. I hope it's the former. The latter may confuse some users.
Currently, it is the latter. I didn't want to force the users go to the new password dialog, but if you think that is more logical, we can use the former. Do you think we should let the user know, using an intermediate message, why this dialog comes up? The user says "reset" and now we say "enter password". Isn't that confusing?
And I tend to agree with Sean: Let's add the "are you really really sure" dialog, even if this means another dialog. Our users will be thankful.
Comment 28•23 years ago (Reporter)
> Or, you return to the Master Passwords prefs panel, in
> which case you need to click Change Password and (if there's a choice) select
> the correct token.
Please return to the prefs panel. I believe the next time you try to save a web password, the client will ask you to create a key3.db password. Kai, can you test that out?
> Let's add the "are you really really sure"
> dialog, even if this means another dialog. Our users will be thankful.
Let's leave it at one warning dialog for now. There's only one extra click for deleting your entire profile, so I don't see the value in the extra click here.
Comment 29•23 years ago
I like Kai's relabeling of the buttons, except that I think it should be "Reset & Erase" to match the order in the preceding question, and the fact that this is the "Reset Master Password" dialog. So the buttons should look like this: [[ Cancel ]] [ Reset & Erase ] [ Help ] I agree with Lord that we should return to the prefs panel. As Kai points out there is potential confusion if you go straight to the set password dialog. Hopefully Lord is right and you will get prompted to set the new master password the next time it's needed, as is the case for a new profile with encryption turned on. I also accept that the second dialog may be overkill.
Comment 30•23 years ago (Assignee)
> Please return to the prefs panel. I believe the next time you try to save a web
> password, the client will ask you to create a key3.db password. Kai, can you
> test that out?
I think that will happen, but I will test.
> Let's leave it at one warning dialog for now. There's only one extra click for
> deleting your entire profile, so I don't see the value in the extra click here.
Ok, this argument is convincing.
Another question: Should we wait with checking this new feature in until bug 97614 has been fixed, i.e. should this one be dependent on 97614? If PK11_ResetToken really caused trouble inside the cert database, the users would have a hard time (as we can't repair the database), and they would have to manually erase the cert databases anyway, so this new feature wouldn't help them much.
Comment 31•23 years ago (Reporter)
Netscape 6.1 Problem
Primary Browser: ntsc61
Operating System: Win98
Language: German
Issue Summary: Masterkennwort ist schon installieren
Component: Security
Doing What: Changing preferences
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://
Issue Detail: Masterkennwort ist schon installieren Masterkennwort kann nicht geändert werden, da ich das Passwort nicht kenne. Ich habe keines installiert? Löschen kann man es auch nicht.
Babel Fish sez: Master password is already installs master password cannot not be modified, since I do not know the password. I installed none? To delete one cannot do it also.
Comment 32•23 years ago (Reporter)
Netscape 6.1 Problem
Primary Browser: ie55
Operating System: Win98
Language: English
Issue Summary: Problem setting master password in security. Always displays-Incorrect password
Component: Security
Doing What: Changing preferences
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://
Issue Detail: Downloaded and installed Netscape 6.1 on a Pentium II 450MHZ computer 256K memory, Windows 98 with Internet Explorer 5.5 as primary browser. Wanted to set some preferences so website passwords would be remembered in Netscape 6.1. For some reason 6.1 was asking me for a master password. When I entered Password Manager for the first time to set my master password - no matter what I typed for the new password and retyped, I always received - "Incorrect password entered". So I cannot set a master password. Just for your info the popup window to change master password doesn't display properly on my monitor. The right side of the window cuts off about 1/3 of the info in the box and I have to resize it to see all the text in the set password window.
Comment 33•23 years ago (Assignee)
I'm sorry to say, but I found another crasher in combination with the reset functionality. Certificate databases are unstable once the reset feature has been called. I therefore make this bug dependent on bug 97614. I'll add more descriptions there.
Comment 34•23 years ago (Assignee)
Comment 35•23 years ago (Assignee)
Comment 36•23 years ago (Assignee)
Comment 37•23 years ago (Assignee)
Comment 38•23 years ago (Assignee)
Please note, the previous three attachments are screenshots.
Updated•23 years ago
Whiteboard: PDT
Comment 41•23 years ago
Comment 42•23 years ago
Comment 43•23 years ago
Comment 44•23 years ago (Assignee)
As this code is only used for resetting the password of the internal token, we remove the line showing "Software Security Device" from the warning dialog. Attaching new patch.
Comment 45•23 years ago (Assignee)
Comment 46•23 years ago
Adding Paul Hangas, German Bauer, Michele Carlson to the cc list. We request that these UI changes be approved. Please review the examples of customer feedback regarding the problem this patch fixes. We have fixes for bug 97614 (we just need to move the NSS tag used by the client). Note that Kai's latest patch changes the reset password dialog just a bit by removing the "Security Device: software security device" line in the dialog. This is not needed.
Comment 47•23 years ago
I would hope that the following problems are fixed before this is checked in to the trunk.
1. Make sure that the additions to the prefs panel fit completely (including the bottom of the group box) in Modern, Windows Classic, and Mac Classic. This is (to use Ben Goodger's words) `a non-optional requirement'.
2. Remove the capitalized `WARNING:' and boldness from the text. Communicating danger is the role of the /!\ icon, not the text. Compare with the alert for formatting your hard disk on Windows or Mac OS, neither of which resort to boldness or capitalization.
3. Shorten the text in the confirmation alert to two sentences or fewer. Otherwise people won't bother reading it, which could be dangerous. I suggest:
+---------------------------------------------------+
|:::::::::::::::::::::::::::::::::::::::::::::::::::|
+---------------------------------------------------+
|  .   If you reset your master password, all your  |
| /!\  stored Web and e-mail passwords, form data,  |
| """  personal certificates, and private keys      |
|      will be forgotten. Are you sure you want to  |
|      do this?                                     |
|                                                   |
| [?]                      (( Cancel ))  ( Reset )  |
+---------------------------------------------------+
4. Use the appropriate overlay so that the buttons in the confirmation alert are the correct order on each platform. Otherwise users could easily click the wrong button by mistake, which would be dangerous. Ask Håkan if you need help here.
Windows: [ Reset ] [[ Cancel ]] [ Help ]
Mac OS: [?] (( Cancel )) ( Reset )
5. Fix the `Your password has been reset' alert so that it uses the (i) note icon rather than the /!\ danger icon.
Updated•23 years ago
OS: other → All
Hardware: PC → All
Comment 48•23 years ago
I agree with mpt's proposed rewording for the warning alert. The boldface etc. is overkill, his version is clear and concise.
Comment 49•23 years ago
r=ddrinan.
Comment 50•23 years ago (Assignee)
mpt: Thanks a lot for your comment. It makes sense, but I can't implement this quickly. I need to get this feature checked in to the branch until Monday. While I would be able to fix your points 1 (by shortening the text), 2 and 3, I might not be able to fix 4 and 5 until then. My understanding is, the overlays don't support changing the text yet, but we want the text "Reset" inside the OK button instead. And 5 would require writing a separate XUL, as the standard prompt service doesn't support the info icon yet. Or we'd be required to change the prompt service, but I guess this won't be accepted for the branch?
Comment 51•23 years ago (Assignee)
Hmm, I'm wrong with 4, the text can be changed from the onLoad function. Ok, should I try to get these changes implemented, or can the patch be accepted as it is?
Comment 52•23 years ago
Reviewers: The purpose of this bug is to provide a way for the end-user customer to reset their master password without having to create a new profile. This feature is not used frequently, but it's extremely important for the usability of the product. I do understand that many improvements can be made to the specific UI elements Kai has come up with, but we need to keep in mind the original purpose of this bug which is to *provide a way to reset one's master password*, and to provide it within a reasonable timeframe. If any of the UI problems that the current implementation has make it impossible or unduly difficult for a user to *reset one's master password* then by all means we should fix these. Otherwise it is reasonable to get this feature in (with any easy improvements we can squeeze in), and then open new bugs for issues that we can't possibly get in in a reasonable time frame.
Comment 53•23 years ago
Suggestion for the text under "Reset Master Password" in the preferences overlay (to lose a line and fit better with other themes):
---------
If you have forgotten your master password, you can reset it.
When you reset your master password, all your stored web and e-mail passwords, form data, personal certificates, and private keys will be erased.
---------
Note lowercase for "web." Although Web may be preferable, "web" lowercase appears several other places in the preferences, and at this point I think it's better to be consistent within the local context, get the new feature checked in, and fix the capitalization globally (if Web is in fact preferred) later. So I'd recommend lowercase "web" for mpt's warning text, as well.
Comment 54•23 years ago (Assignee)
I wonder if we should make it even shorter. What about no longer using two separate paragraphs, and removing what is repeated in the second paragraph? We could write:
------------------
If you have forgotten your master password, you can reset it. This will erase your stored web and e-mail passwords, form data, personal certificates and private keys.
------------------
Is this still ok?
And regarding the help topic: I changed the implementation to use the default help buttons, and this currently opens the following URL: chrome://help/locale/passwords_help.html#Reset_Master_Password Could we move your new help texts there, or should I try to change it to the URL we discussed?
Comment 55•23 years ago
I prefer the two paragraphs, and repetition, because I think it's a bit clearer. The antecedent of "this" is not necessarily obvious in your version. Also keeping the line about forgetting your password as a separate paragraph helps to emphasize that circumstance, since it's the only reason most people would want to do this. But these are nits--go ahead with your change if my revised text still won't fit in some circumstances (but if you do, add a series comma after "personal certificates"). Re the help button for the warning dialog, this is based on the target you gave me ("?reset_pwd"), which I checked into help.js yesterday. The URL chrome://help/locale/passwords_help.html#Reset_Master_Password is correct, and the help button is doing what it should do. I just haven't added the heading, tag, and text to passwords_help.html yet. I'll add the new text to the trunk today, since it sounds like you're about to land there. I'll wait until we know you can get onto the branch before adding it there. I am being cautious because I don't want help to end up describing a feature that isn't really present.
Comment 56•23 years ago (Assignee)
Well, mpt said, we should try to use a minimum of text, that's one reason why I shortened it. Another one is, English is a rather short language, and I wanted to have some additional space left for the other languages. If you dislike "This will...", another suggestion closer to yours: We could just leave out "When you reset your master password" and write "All your stored web and e-mail passwords, form data, personal certificates, and private keys will be erased." keeping the two separate paragraphs.
I will add the comma as you suggested. I thought you made an error when you wrote "certificates, and" because in the German language we never use a comma in front of the word "and". I thought this rule would apply to the English language, too.
Re the help button: Ok, and I finally found out how I can call the help topic we talked about, so we are in sync. Will attach new patch and screenshots now.
Assignee | ||
Comment 57•23 years ago
|
||
Assignee | ||
Comment 58•23 years ago
|
||
Assignee | ||
Comment 59•23 years ago
|
||
Assignee | ||
Comment 60•23 years ago
|
||
Assignee | ||
Comment 61•23 years ago
|
||
Assignee | ||
Comment 62•23 years ago
|
||
Assignee | ||
Comment 63•23 years ago
|
||
Comment 64•23 years ago
|
||
strres.js should not be used anymore, please use its <stringbundle/> equivalent. Why do you have to roll your own alert like that? Why can't you use CommonDialog.xul? If I was in a conversation with you and I said "Are you sure you want to do this?", would your answer be "Reset" or "Cancel"? (I think we need to change or remove that sentence, not rename the buttons).
Assignee | ||
Comment 65•23 years ago
|
||
blakeross:
- Do you know the exact code that I should use instead of strres.js? Where can I find it?
- I roll my own dialog, because I don't know CommonDialog.xul yet.
- Please make a constructive suggestion for a better text.
Comment 66•23 years ago
|
||
r=ddrinan.
Comment 67•23 years ago
|
||
The final design looks good to me.
Comment 68•23 years ago
|
||
german: are you really approving a dialog which asks the question: "Are you sure you want to do this?" and gives you the possible answers: [Reset] [Cancel] [Help] ? Blake is right. A good option would be to remove the last sentence. Gerv
Comment 69•23 years ago
|
||
I'm not so sure that removing the last sentence is a good idea. (This wording was proposed by mpt, if that makes any difference). Is clicking "Reset" in a dialog labeled "Reset Master Password" really so confusing? If the sentence causes people to pause a bit and think about what they're doing, that's what we want. Resetting the master password is a last-resort solution that should not be clicked through in a hurry. With or without the sentence, let's get this thing checked in and worry about the details later. No reset password button is much, much worse than a reset password button that people have to stop and think about using.
Comment 70•23 years ago
|
||
Having saluted the "Why Wait for Spring, Do It Now" flag, it occurs to me that "Are you sure you want to reset your master password?" might be a better alternative for the last sentence. Repetitive, but it shouldn't add any lines and it's clearer.
Assignee | ||
Comment 71•23 years ago
|
||
New Patch. Changes are:
- <stringbundle> is now used instead of strres.js
- Sean's text for the final question in the alert prompter being used.

I talked with blake. It is not possible to use the nsIPromptService and the info icon as he suggested, as currently help buttons and the info icon are not supported, therefore we keep the current code.

Blake suggested to use the overlay <keyset id="dialogKeys". However, this would change our intended behaviour. We explicitly wanted the default action in the dialog to be cancel. That's the reason why the cancel button is indicated as the default button in the dialog. We can't use this overlay if we want this special behaviour. I assume we don't want the user to erase everything by simply pressing enter, or do we?

Let me know, if updated screenshots are required.
Assignee | ||
Comment 72•23 years ago
|
||
Comment 73•23 years ago
|
||
sr=blake
Assignee | ||
Comment 74•23 years ago
|
||
Patch checked in to trunk, closing bug.
Status: ASSIGNED → RESOLVED
Closed: 23 years ago
Resolution: --- → FIXED
Reporter | ||
Comment 75•23 years ago
|
||
Assignee | ||
Comment 76•23 years ago
|
||
Bob, thanks for reporting. This "missing label" was introduced by a last minute fix which I checked in as suggested by jag on IRC, as my original code was considered to use an obsolete XUL tag. When I checked this in, we introduced the new problem. I tested the new fix, it works, and already checked it in.
Comment 77•23 years ago
|
||
Reopening. This is on the trunk but needs to be on the branch as well. marking nsbranch+
Reporter | ||
Comment 78•23 years ago
|
||
Netscape 6.1 Problem
Primary Browser: ntsc61
Operating System: Win98
Language: English
Issue Summary: Master Password
Component: Security
Doing What: Other Trying to set up a master password
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://
Issue Detail: When I attempt to set a master password - since there is no previous password - I simply enter the password in the 'new' area and in the 'confirm' area. I get kicked with an 'incorrect password entered' message. Since there was no previous password there can not be an incorrect one entered and since I'm entering the password from the clipboard the two entries are identical. How do you enter that first password??? TIA
Reporter | ||
Comment 79•23 years ago
|
||
Netscape 6.1 Problem
Primary Browser: ntsc4x
Operating System: Win98
Language: English
Issue Summary: Master password. Have no idea what it is.
Component: Security
Doing What: Changing preferences
Severity: SomethingDidNotWorkRight
Can Reproduce: Always
Try this URL: http://
Issue Detail: It wants a master password and I have no idea what it is. I didn't set it up. Can't change it. Book states use preferences/Privacy and security, choose password manager. There is no password manager under privacy and security. Think I will go back to 4.77
Comment 80•23 years ago
|
||
PDT+ per bug discussion
Whiteboard: PDT, on trunk, waiting for 0.9.4 check in → PDT+, on trunk, waiting for 0.9.4 check in
Assignee | ||
Comment 81•23 years ago
|
||
Patch checked in to 094 branch, closing bug.
Status: REOPENED → RESOLVED
Closed: 23 years ago → 23 years ago
Resolution: --- → FIXED
Comment 82•23 years ago
|
||
Verified 20010917 build
Comment 83•23 years ago
|
||
Marking VERIFIED as per Lakshmi Gopal's (QA engineer) comment.
Status: RESOLVED → VERIFIED
Updated•8 years ago
|
Product: Core → Core Graveyard