Comments on: Followup: Password Manager changes (coming in FF3 Alpha 5)

By: DazzleCat

DazzleCat — Mon, 12 May 2008 11:06:12 +0000

thats brilliant good stuff

By: Sebastian Tschan

Sebastian Tschan — Tue, 03 Jul 2007 09:17:08 +0000

With the old password manager (nsIPasswordManager) the Master Password had only been required if the username or password had to be accessed. This way you could collect existing password objects and display the number of login possibilities to the user without requiring the Master Password.
This is very useful for the Secure Login extenions, e.g.:
https://addons.mozilla.org/de/firefox/addon/4429

With the new login manager (nsILoginManager), you have to enter the Master Password as soon as the findLogins method is called.
I think it’s a security enhancements not to ask for the Master Password until the login credentials are filled in.
This would also affect the standard password autofill of Firefox Password Manager, e.g. for more than one saved user+pass combination.

By: Thomas

Thomas — Sun, 17 Jun 2007 21:55:33 +0000

It Fly’s on a 8 core Mac Pro only 2gigs of ram!

By: Andreas

Andreas — Thu, 14 Jun 2007 22:47:45 +0000

I’m having the same problem as replies 6 and 8. Seems to require password for the first site you visit regardless of need.

Kind of freaked me out for a while, trojan was the first thing on my mind. Being an alpha not intended for general use and the fact I’m too paranoid for my own good mitigates the issue though. Good to have it confirmed as a bug and I hope it has no impact on actual security.

By: Eric Shepherd

Eric Shepherd — Wed, 13 Jun 2007 22:55:40 +0000

I’ve finished taking the already good documentation for nsILoginManager and nsILoginInfo and turning them into our standard format for interface docs. I still need to give the example a once-over to clean up some style stuff there, but I’d appreciate any comments or tweaks to the interface docs:

http://developer.mozilla.org/en/docs/nsILoginInfo

http://developer.mozilla.org/en/docs/Using_nsILoginManager

By: Ulrich

Ulrich — Tue, 12 Jun 2007 06:52:25 +0000

(About http://blog.mozilla.com/dolske/2007/05/28/followup-password-manager-changes-coming-in-ff3-alpha-5/#comment-14118)

While C++ doesn’t make passwords safe automatically, a language like JavaScript that does garbage collecting, may leave passwords somewhere in memory even after they are “safely” stored elsewhere. Security-aware code like that in PGP takes great care to destroy the passwords in RAM once they are no longer needed.

By: Justin Dolske

Justin Dolske — Mon, 11 Jun 2007 18:10:29 +0000

Andy:

The JS portions mostly handle DOM interaction and file IO for signons2.txt. The two main reasons for switching to JS are simpler code and increased security (eg, no buffer overflows possible). Most of the Firefox frontend is already JS, so this isn’t exactly a radical change. But, in any case, the actual encryption of logins continues to be done be a C++ component (using Triple-DES).

Jack:

Yes, that’s a known bug in Alpha 5. I’m fixing a number of issues involving the usability of master passwords for A6.

By: Bhanu Pratap

Bhanu Pratap — Mon, 11 Jun 2007 07:58:50 +0000

This is great.

By: Brajesh

Brajesh — Sat, 09 Jun 2007 09:09:17 +0000

(Almost) same prob as Jack. Everytime I restart FF3a5, it asks me to enter master password, while none of my homepages require an auto-fill. It doesn’t let me get through without entering the right password.

By: Mike

Mike — Sat, 09 Jun 2007 08:46:06 +0000

@Andy,

the fact that the manager is written in JavaScript does nothing to weaken the security. Passwords are stored somewhere, it’s _how_ they are stored that should make it safe. If you store them unaltered in a text file on the desktop, even if you use C++ to do it, it’s not secure.