pablanche
New member
Status: New idea

As it is, Firefox remembers the primary password as long as the software is open and the computer is not shut down. This is a very serious security risk!
Firefox should forget the primary password after a certain period of time (timeout), even when running continuously.
At least Firefox should forget the password after the session is suspended or locked.
Could you please add this feature in your next release?
Sincerely,

7 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

pootmonkey
Strollin' around

I have voted for this idea BUT with the caveat that the timeout period be user-configurable in the settings, not fixed.  For users not using a password to get into Firefox, it is a non-issue.  If someone is using a Firefox password, then they should get to choose how long Firefox will remember the password and keep them logged in after non-use begins.  Accepting 0 to indicate 'Never forget my password', and a positive integer to indicate a number of minutes to wait after non-use begins before forgetting the password, should suffice.  I suppose that accepting hours and minutes might satisfy some use-cases.

Consideration should also be given to exactly what conditions constitute 'non-use' for timeout.  Keyboard/mouse/other-input-devices alone?  Network activity?  Media playing?  (For instance, one can readily watch a show or movie for hours without touching the computer if there's no need to rewind or pause.)

Consideration should also be given to exactly what happens when the password is forgotten.  Nothing beyond forgetting the password, such that the next time it is needed, the user will be prompted for it?  Will the browser also lock when the password is forgotten?  Websites logged out?  Ummm, anything else?  Which things deserve options presented to the user in settings?

That's about it for what I can think of off the top of my head.  So I'm unchecking 'Email me when someone replies', rather than following this issue.  I can't think of questions anyone might have for me.  🙂

nodens
New member

It definitely would be good to allow for expiration of the master password. Even if it's buried in about:config (but setting it alongside the config for master password would be nice).

GPG agent, for instance, has both a timeout (that can be extended to a hard limit set by the user), and locks itself whenever the session locks (which can be when the computer enters suspend, for instance).

There used to be an extension to do that; I was looking for it and that's how I ended up finding this proposal.

wizetek
New member

This is an essential feature for me. I would really like to see it implemented in the near future. Thank you.

Hernan
New member

This is a must for me and my family! Please, Mozilla, do implement this feature.
In my case, using Firefox (Linux) for my home family PC, I frequently have to share my Linux and Firefox session with the rest of the family (school kids), even for very short periods; doing so, my kids have all my passwords available (Internet router, Parental Control, Xbox, etc.).

Thank you very much.

ETL
Making moves

This used to be the default behavior, but it was deprecated in FF version 92. I would support bringing it back as an option - in general it's always better to give users more options!

TechHorse
Making moves

Yes, please add a timeout. Also a plain old option in the Tools menu to sign in / out of your primary password on demand.

I typically enter my primary password once to log in to a site, and then do not need it again that session. But my logins will remain exposed from that point on, unless I, for example, go through a lot of rigmarole involving opening the passwords manager, selecting a button to copy a password, and then entering an incorrect primary password.

It shouldn't take such a multi-step process in order to re-secure your passwords after unlocking them for a one-time use.

(You can of course also restart the browser to deactivate the primary password, but that is not always convenient. And is especially not an option if it would log you out of the site you needed the primary password to log in to in the first place.)