Toolkit:Password Manager
Goals
- improve the experience for existing password manager users
- make it easier to migrate passwords to Firefox from other browsers.
Firefox Storage
Firefox stores passwords with this metadata:
domain, usernamefield, passwordfield, username, password
It then uses the usernamefield/passwordfield values as hints to find the appropriate <input> elements within a webpage, matching them against the elements' "name" attribute.
Unfortunately this means that when a website redesigns and changes the username/password field names, the effect on the end user is that the password appears to have been "forgotten".
As a backup, when usernamefield/passwordfield fail to match, Password Manager should attempt to discover the password field manually, using a technique similar to what Camino uses.
This is needed for another reason: passwords stored by other browsers such as Camino and Safari are kept in the Keychain WITHOUT username/password field hints, so username/password field discovery must be manual for them.
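The two-step matching described above, as an added example that is not Firefox or Camino code: the stored hints are tried against the form's "name" attributes first, and discovery runs only when they no longer match. Form inputs are modelled as plain objects (constructed, no DOM), the login record and both forms are constructed sample data, and the page-domain check is an assumption of mine rather than anything the page specifies.

```javascript
// Added example, not Firefox or Camino code; inputs are plain {type, name} objects (constructed, no DOM).
const storedLogin = {   // stored login in the shape the page describes (constructed values)
  domain: "example.com",
  usernamefield: "login_id",
  passwordfield: "login_pw",
  username: "alice",
  password: "correct horse battery",
};

// Primary strategy: match the stored hints to the inputs' "name" attribute.
function findByHints(inputs, login) {
  const user = inputs.find((i) => i.name === login.usernamefield);
  const pass = inputs.find((i) => i.name === login.passwordfield && i.type === "password");
  return user && pass ? { user, pass, method: "hints" } : null;
}

// Fallback discovery: first type="password" input is the password field,
// nearest preceding text-like input is the username field.
function discoverFields(inputs) {
  const passIdx = inputs.findIndex((i) => i.type === "password");
  if (passIdx < 0) return null;
  for (let k = passIdx - 1; k >= 0; k--) {
    const t = inputs[k].type;
    if (t === "text" || t === "email") {
      return { user: inputs[k], pass: inputs[passIdx], method: "discovery" };
    }
  }
  return null;
}

// The domain check is my addition: never offer a login to a form on a domain
// other than the one it was saved for, whichever strategy then succeeds.
function resolveLoginFields(pageDomain, inputs, login) {
  if (pageDomain !== login.domain) return null;
  return findByHints(inputs, login) || discoverFields(inputs);
}

// Constructed forms: the original layout, and a redesign that renamed both fields.
const originalForm = [
  { type: "text", name: "login_id" },
  { type: "password", name: "login_pw" },
];
const redesignedForm = [
  { type: "hidden", name: "csrf" },
  { type: "email", name: "user_email" },
  { type: "password", name: "user_secret" },
  { type: "submit", name: "go" },
];
console.log(resolveLoginFields("example.com", originalForm, storedLogin).method);   // hints
console.log(resolveLoginFields("example.com", redesignedForm, storedLogin).method); // discovery
```

The redesigned form shows the "forgotten password" case from the text being recovered by discovery, while the domain check keeps a recovered match from being filled anywhere else.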
MacOS X Integration
MacOS X provides an application called Keychain Services which manages passwords for all applications, including web browsers. It provides default encryption of the passwords using the user's login password, locks and unlocks the chain per application, etc. Basically everything we've had to re-implement for our password manager (including Master Password etc.).
We should transition to using Keychain Services as the "out of the box" back end for storing passwords. This will allow users transitioning from Safari and Camino to bring across their site passwords in addition to their Bookmarks, Preferences and other data, for the optimal user experience.
We should retain the existing back end in code for Windows and Linux, and for MacOS X 1.0 users who have established password collections. We need some heuristic for detecting whether or not Firefox is the default browser, has an established password collection, etc., so we can determine which back end to use.
We might also offer a hidden pref to let users toggle between the two in case the heuristic breaks down.
The integration is very simple: where we retrieve password data from our password store now, we branch on some preference value ("use keychain"). If it is not set, use the old way; if it is, call SecKeychainFindInternetPassword to get the value.