On 10/10/2013 11:22, Michael Lefevre wrote:
>> Master password. The UI is prone to phishing, it causes all sorts of
>> problems because of how we use the log in to the NSS database to
>> implement it, it causes annoying UX for the people that use it, the
>> cryptography used is useless (bing FireMaster), there's hardly any
>> resources to do anything to actually fix any of these problems other
>> than remove it, and it slows down progress on important security
>> features.
>
> I wouldn't disagree with any of the other reasons, but could you clarify
> what you mean when you say the cryptography is useless? FireMaster
> seems to just brute force passwords. Are you just saying that any
> cryptography that relies on a password is useless, or that something is
> more broken than that?

There's been a fairly long discussion regarding the use of the master
password in bug 309807 [Integrate Password Manager with Gnome Keyring
Manager]. That didn't really reach a conclusion except for the fact that
the current password manager could probably use some improvements in
general; somebody even suggested replacing it entirely with the system
key-ring where available.

From my POV I'd like to see the master-password go because it's clunky
and doesn't really offer much protection, but I'd also like to see
something more secure and more modern take its place. Secure and easily
accessible password storage is a sorely missing feature IMHO.

Gabriele
_______________________________________________
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform