All,

I have added Password Manager functionality to the feature backlog for Firefox Accounts. While there are clearly many questions to answer, this is something that we are interested in pursuing. At this point, due to a significant number of unknowns, there is no target release specified for these features.
Thanks,
Adam

----- Original Message -----
From: "Ehsan Akhgari" <ehsan.akhg...@gmail.com>
To: "Alive" <al...@mozilla.com>, "dev-webapi" <dev-web...@lists.mozilla.org>, dev-b2g@lists.mozilla.org, "dev-gaia" <dev-g...@lists.mozilla.org>
Cc: "Paul Theriault" <ptheria...@mozilla.com>
Sent: Thursday, December 5, 2013 6:28:30 PM
Subject: Re: [b2g] Proposal: PasswordManager on FxOS

On 12/5/2013, 3:20 AM, Alive wrote:
> Hi folks,
>
> I'd like to have a password manager inside our operating system to store and
> manage passwords you'd typed in the FxOS.
>
> This is an old item in my mind beyond FxOS v1.0 when I sadly found our phone
> crashed when we visited mozilla phonebook.
> (It had been fixed long time ago so we support HTTP authentication well now.)
>
> Again, think about this case:
> EVERY time you visit https://phonebook.mozilla.org/, you need to retype the
> password :)
> Other than the case, there're tons of pages on the web having a password
> field.
>
> Today I discussed with Paul, from security team, and am glad to know he also
> loves this idea.
> And what's not good is, it sounds like we are still far away from the
> password manager.
>
> 1A. We need a stronger password for lock code. It'd be used for the key for
> all your passwords. (from Paul)
> 1B. We need to change the way storing lock code. No settings.
> 2. We need some way to encrypt.

Can we use the existing encryption facility that we use when a master password is set?

> 3A. We need to store the password somewhere safely.
> 3B. We need API to store the password. This API shall be only used by gaia
> system app IMHO?

Do we need to allow other applications to access this safe password store? I think the answer is no, and if that's the case, I'm not convinced that we need to design a general purpose API here.

> Item (1A) is a pure gaia work but some of my concerns now are:
> * Need UX (Hello UX ww!)
> * We'd love to have a standalone lockscreen app,
> and I wonder a standalone app would break the security, though this is not
> in our case.
> Item (2) and (3) I'm afraid I need gecko-er's chime in here.
>
> The password storing on desktop browser is noticed by the world due to Chrome
> browser just put the plain password and you could easily see it in the
> setting.

We do the same, except that we let people encrypt their passwords DB using a master password, and we prompt for that when you try to access your password. I find this very fragile, and I'm not sure if we want to repeat this in Firefox OS.

We should be able to solve this problem by 1) not exposing plaintext passwords anywhere in the UI, and 2) encrypting them with a master password. I'm not sure what the UX for entering that password would look like.

Another thing to note is that we probably don't want to expose the password DB in the child process. All requests to access and/or modify this DB should be forwarded to the parent process.

Cheers,
Ehsan

_______________________________________________
dev-b2g mailing list
dev-b2g@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g
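
The idea raised in the thread of encrypting stored passwords under a key derived from a master password or lock code, as an added example that is not code from the thread, Gecko or Gaia. It assumes Node.js with PBKDF2-SHA256 and AES-256-GCM; the function names, record layout and iteration count are hypothetical choices.

```javascript
// Added example; not code from Gecko, Gaia or this thread.
const nodeCrypto = require('node:crypto');

const KDF_ITERATIONS = 200000; // assumed PBKDF2 work factor; tune per device

// Stretch the master password (or lock code) into a 256-bit key.
function deriveKey(masterPassword, salt) {
  return nodeCrypto.pbkdf2Sync(masterPassword, salt, KDF_ITERATIONS, 32, 'sha256');
}

// Encrypt one saved login. The origin is bound as associated data, so a
// record copied under another site's origin fails authentication.
function sealLogin(masterPassword, origin, username, password) {
  const salt = nodeCrypto.randomBytes(16); // per record here for brevity
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const cipher = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(origin, 'utf8'));
  const body = JSON.stringify({ username, password });
  const ct = Buffer.concat([cipher.update(body, 'utf8'), cipher.final()]);
  return {
    origin,
    salt: salt.toString('hex'),
    iv: iv.toString('hex'),
    tag: cipher.getAuthTag().toString('hex'),
    ct: ct.toString('hex'),
  };
}

// Returns the login, or null if the master password is wrong or the
// record was modified.
function openLogin(masterPassword, record) {
  try {
    const key = deriveKey(masterPassword, Buffer.from(record.salt, 'hex'));
    const iv = Buffer.from(record.iv, 'hex');
    const decipher = nodeCrypto.createDecipheriv('aes-256-gcm', key, iv);
    decipher.setAAD(Buffer.from(record.origin, 'utf8'));
    decipher.setAuthTag(Buffer.from(record.tag, 'hex'));
    const ct = Buffer.from(record.ct, 'hex');
    const pt = Buffer.concat([decipher.update(ct), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null;
  }
}
```

Under the process split suggested in the thread, only the parent process would call these functions and hold the derived key; child processes would send requests to it.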