As it is, Firefox remember the primary password as long as the software is open and the computer not shut down. This is a very serious security risk!
Firefox should forget the primary password after a certain period of time (timeout), even when running continuously.
At least Firefox should forget the password after the session is suspended or locked.
Could you please add this feature in your next release.
Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.
I have voted for this idea BUT with the caveat that the timeout period be user-configurable in the settings, not fixed. For users not using a password to get into Firefox, it is a non-issue. If someone is using a Firefox password, then they should get to choose how long Firefox will remember the password and keep them logged in after non-use begins. Accepting 0 to indicate 'Never forget my password', and a positive integer to indicate a number of minutes to wait after non-use begins before forgetting the password, should suffice. I suppose that accepting hours and minutes might satisfy some use-cases.
Consideration should also be given to exactly what conditions constitute 'non-use' for timeout. Keyboard/mouse/other-input-devices alone? Network activity? Media playing? (For instance, one can readily watch a show or movie for hours without touching the computer if there's no need to rewind or pause.)
Consideration should also be given to exactly what happens when the password is forgotten. Nothing beyond forgetting the password, such that the net time it is needed, the user will be prompted for it? Will the browser also lock when the password is forgotten? Websites logged out? Ummm, anything else? Which things deserve options presented to the user in settings?
That's about it for what I can think of off the top of my head. So I'm unchecking 'Email me when someone replies, rather than following this issue. I can't think of questions anyone might have for me. 🙂
It'd definitely would be good to allow for expiration of master password. Even if it's buried in about:config (but setting it alongside the config for master password would be nice).
GPG agent, for instance, has both a timeout (that can be extended to a hard limit set by the user), and locks itself whenever the session lock (which can be when the computer enters suspend for instance).
There used to be an extension to do that, I was looking for it and that's how I ended up finding this proposal.
This is an essential feature for me. I would really like to see it implemented in the near future. Thank you.
This is a must for me and my family! Please, Mozilla, do implement this feature.
In my case, using Firefox (Linux) for my home family PC, I frequently have to share my Linux and Firefox session with the rest of the family (school kids), even for very short periods, doing so my kids have all my passwords available (Internet router, Parental Control, Xbox, ecc.)
Thank you very much.