
Password Generation in Firefox

Serg
Employee

Hello all!

Firefox Credential Management team is excited to hear your thoughts and opinions. Let's talk about Password Generation.

Do you use this feature? What stops you from using it? Do you need more control over the password generator, like the ability to specify password length or which characters it must have? Would you like to have an option to generate a passphrase - a few word sequence that you can remember?

We will be checking this thread for the next two weeks to gather your thoughts!

19 REPLIES

Pedro
Making moves

Hi @Serg,

Password generation is one of the most important things to consider in a password manager. Having control over it would improve the experience because:

  1. There are websites with "strange" requirements regarding passwords
  2. Sometimes you want a simpler password without special characters, Caps, etc.
  3. And sometimes you want a much stronger password. It depends on the website/purpose

Having the option to generate a passphrase is a nice addition which is not seen in other browsers. But it would be kinda tricky to make it unique across users because I would see people picking the same thing. It would need to be truly random across users. Maybe with a nice randomized pop-up selection and a very big dictionary?

And please, I know that this is a bit off-topic, but could you add Two-Factor Authentication? It would be a feature that is only found on a couple of paid password managers and would definitely bring users to Firefox, as well as making it compatible with other browsers and securing accounts more easily.

Thanks for all the work you do!

Hi @Pedro, thank you for sharing your thoughts!

We definitely like the idea to give users more control over what passwords they can generate. At the same time we should set the minimum bar to be secure enough, because we cannot expect every user to be an expert in cryptography.

Passphrases can be helpful for things that the user must remember, for example the Primary Password. But if we do them, they will be as random as a character-based password.

I like the 2FA suggestion, even if it's a bit off-topic 🙂 Someone already helped us and filed a bug for that.

What do you think about how many controls we should give? Single slider of password length or precise controls over how many letters/digits/special symbols must be generated?

Pedro
Making moves

It would be nice to have two sliders, one for length and one for complexity (that would slide between letters, letters + digits, letters+digits+specialsymbols). That way, you have almost all the options covered without it being too complicated for regular users. Just my two cents 🙂

I didn't think of a second slider to select which character categories to include in the generated password. It feels appealing. Thank you!

gliu20
Making moves

Hey! I use the built-in password manager, but there's a couple things that would make this a lot better:

1. Way to keep track of accounts that I use and which SSO login provider I used. For example, if I log in to a website, it will remember that I use the `Sign in with Github` button or something. This makes it easier to avoid creating duplicate accounts if I select the wrong login provider. (personal impact: low)

2. Way to keep secrets. For example, some accounts have a recovery key that must be saved somewhere. A way to store it in the password manager would be helpful. (personal impact: med)

3. Customizing password generation characteristics to appease password requirements like what @Pedro said (personal impact: med)

4. 2FA built into the password manager like what @Pedro said (personal impact: med/high)

5. ECOSYSTEM - This might be off topic, but better integration across FF products would be great:

- Firefox Relay - flag that I have certain accounts saved in password manager. This would help prevent ppl from deleting aliases with accounts still attached to it. (personal impact: low)

- Firefox Monitor - an option to monitor all Firefox relay aliases without me having to manually copy paste in my Firefox relay aliases (personal impact: low)

Hey @gliu20, thank you for your feedback!

1. This is an interesting idea, let me file a bug so it will not be forgotten.

2. +100

3. How much customization do you think will be good enough? I'm trying to find balance between expert user vs regular user.

4. I think that can fit nicely in your point #2 - ability to add more secrets.

5. Let me talk to Firefox Relay team, see what they feel and think about it.

1. Just curious but do u have a link to the bug? I'd like to follow the bug and possibly help contribute!

Here is the link to the bug https://bugzilla.mozilla.org/show_bug.cgi?id=1761773. At this point it's not crystal clear what exactly the browser should/could do and how to do it, but we can keep talking about it and figure this out.

Hello from Relay & Monitor engineering!

We are definitely looking into ecosystem integration between Firefox, Relay, Monitor, and VPN. Stay tuned!

gliu20
Making moves

3. Hmm whether to use special character and numbers, and password length. These for me are the most common reasons generated passwords aren't accepted.

Edit: +100 about what @Pedro said re: the slider

ansiklopedici
Making moves

Hello,

Thank you for developing the Firefox Lockwise. The most obvious reason why I can't use the password generation feature is that Firefox for Android doesn't have it. So I have to create my accounts in Firefox desktop. This is a situation that limits my user experience.

Hi @ansiklopedici,

Thanks for reminding that mobile does not offer password generation. Let me find out what's blocking it and what can be done.

Guest
Making moves

I use this feature. I haven't had to make changes to the character composition or length.

A new way to generate memorable passwords would be neat. If you think using a phrase of words would be more memorable, I'm willing to try that out.

Vilasamuni
Making moves

I use the password suggestion/generation feature a lot on my computer. I would love to see it rolled out to iPhone and iOS as well.

@Vilasamuni I'm glad to hear you use generated passwords to stay secure! Thank you for reminding that this is still missing on iOS, I'll bring this up with the team.

GlasierXplor
Making moves

Hi! Awesome that you guys are collecting feedback. I use the password manager and have it synced using different Firefox-es on my devices for convenience. Here are some of my main feedbacks/suggestions: -

  1. (I think someone mentioned this below, but) the passwords page on both desktop and mobile should be able to generate random passwords on the fly on request, so that we can use the password on a different app when creating a password. I think we can live with manually creating a profile (username/password pair) for the app.
  2. Add a description field for password storage, and not making the URL field mandatory. If description field is added, then allow field to be searchable as well. This allows document (PDF) passwords to be stored, as well as when creating a new login on mobile for an app that does not necessarily have a URL.
  3. Password generation can be less random and, as others have mentioned, a little stronger or offer more granularity on the password strength.
    • Sometimes to type the password on another device without Firefox logged in, then the random nature of the generated password makes this a nightmare. I understand that this suggestion reduces the security, but I believe it can be compensated by lengthening the password to be longer than 15 characters and increasing the password's keyspace.
    • A format that I think makes sense (do feel free to dispute my opinion) is "<random_word_1><random_symbol><random_word_2><random_symbol><4-8_integers>", with some random capitalisation(s) in each word, and each random word longer than 5 characters (minimum length = 5 + 1 + 5 + 1 + 4 = 16 characters). This gives the password more keyspace by including symbols, and making the password much more "type-able".
    • The suggested order can also be randomised so the format is not fixed and susceptible to easy brute force. (e.g. integers first, followed by random words). This also means that the dictionary used to generate the password needs to be as vast as possible to slow down brute force attacks.

josemaldu
Making moves

I use this feature very much. I used to come up with my own passwords, but since Firefox syncs throughout devices and it's gotten so good at recognizing login attempts from mobile apps related to a website account, I started relying on the randomly generated passwords now. A few things I'd like to see:

1. Special characters in the generated passwords. I can't remember when was the last time a random password was accepted as is, almost always I have to introduce a special character manually. That leads to two entries saved in the Password Manager for that site (original and customized).

2. Password generation on the mobile app (ideally talking to the apps as well), for the occasions when the account needs to be opened in mobile. A lot of services are mobile first now, don't even have an option to create an account on a computer.

3. Password Manager secured by fingerprint in a Mac. It's already done for credit cards, but for passwords I still need to type the master password.

Thanks!

Serg
Employee

Thanks everyone for your thoughts and feedback on password generation and other features of Credential Management!

We will take all of the information we collected here to improve our priorities and decision making process. It's great to see that people are using Password Generator. We learned that it's important to:

  • improve quality of generated passwords (include special characters, passwords that are easier to type or memorize)
  • support password generation on Android and iOS devices
  • give options to customize password generation recipes
  • provide more integration with Firefox Relay and Firefox Monitor
  • support 2FA/MFA
  • allow more fields to be saved with logins, like descriptions or labels

While I cannot provide any timelines for that, I can tell you that our team will be looking into these areas. Once again, thank you for your time and effort.

Best,
Serg
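Added example, not part of the thread and not Firefox's own code: one way the two controls discussed above (a length slider and a complexity slider) could drive a generator that always includes every enabled character class, together with the number of uniformly chosen dictionary words a passphrase needs to be as random as a character-based password. The symbol set, the minimum length of 12 and all function names are assumptions made for illustration.

```python
import math
import secrets
import string

# Complexity slider positions from the thread: letters, letters + digits,
# letters + digits + special symbols. The symbol set is an assumption.
SYMBOLS = "!@#$%^&*-_=+?"
LEVELS = {
    1: [string.ascii_lowercase, string.ascii_uppercase],
    2: [string.ascii_lowercase, string.ascii_uppercase, string.digits],
    3: [string.ascii_lowercase, string.ascii_uppercase, string.digits, SYMBOLS],
}
MIN_LENGTH = 12  # assumed floor: the length slider cannot go below this


def generate_password(length, level):
    """Return a password with at least one character from every enabled class."""
    classes = LEVELS[level]
    if length < MIN_LENGTH:
        raise ValueError(f"length must be at least {MIN_LENGTH}")
    alphabet = "".join(classes)
    # Rejection sampling: draw whole passwords uniformly with the CSPRNG and
    # keep the first one that covers every class, so every acceptable
    # password is equally likely (no fixed "symbol goes here" position).
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate


def password_bits(length, level):
    """Upper bound on entropy in bits; the class requirement removes a little."""
    return length * math.log2(len("".join(LEVELS[level])))


def words_for_equal_strength(length, level, dictionary_size):
    """Uniformly chosen words a passphrase needs to match that bound."""
    return math.ceil(password_bits(length, level) / math.log2(dictionary_size))


def generate_passphrase(words, count):
    """Pick `count` words independently and uniformly with the CSPRNG."""
    return "-".join(secrets.choice(words) for _ in range(count))
```

With these assumed sets, a 15-character password at the highest complexity level has at most about 93 bits of entropy, and a passphrase drawn from a 7,776-word list needs 8 words to match it.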

Jon
Community Manager

Hey all,

Thanks so much for participating in this productive conversation about password generation (and more). It was great seeing so many valuable insights shared both ways! We are closing out this thread, but want to encourage you to continue sharing your feedback and ideas about this particular topic in new posts—just be sure to use the necessary labels and tags, so your posts are easily searched for and discovered by our teams.

Also, we are excited to announce that a new discussion hosted by a Mozilla employee has just kicked off and can be found here: Creating and Collaborating with Media in Firefox

This will be an ongoing series here in the Mozilla Connect community, so we look forward to continuing to collaborate with you all 😀

-The Community Team