cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 

"Password Required" window - security risk

laugh
Making moves

I'm using Firefox on Windows 10.

The Primary Password entry window is a generic OS dialog box that seems to be easy to mimic by malware. It is possible to verify that this is the authentic window by its being modal in Firefox, but it is not something I would normally do, unless I'm suspicious already.

When a password is entered, the visible indication is plain "bullets" in the dialog, and when it's submitted there is no feedback in Firefox. The window pops again (without limit) when the password is wrong, but it just disappears when it's correct. It makes it easy for  malware to phish passwords - the malicious window can disappear and let the user think they entered the password into Firefox (which has the same behavior). Or switch to the actual Firefox window and have the user assume the first attempt was incorrect.

Since the Primary Password grants access to one's life, it should be made more phish proof.

Some software environments use a graphic created by some secure method from the entered password, so that the user can verify that the window is authentic by the behavior of that graphic. Or maybe there are other methods?

Primary Password dialog.png

2 REPLIES 2

laugh
Making moves
 

Serg
Employee
Employee

@laugh  thank you for bringing this up! Indeed Primary Password prompt is a bit dated and in need of an improvement. I especially like the idea to let user choose some custom picture that phishing sites would not be able to mimic. Feel free to file a bug for that here or let me do that in a little while.