Master password can't be changed from default

Starting TorBrowser 3.6.6 (also in 4.0), the master password can't be set.

I trying to set the master password (the current setting indicates as "not set"), yet it not allowing me to set one, by popping the following message: "Unable to change Master Password".

Trac:
Username: User11

added component::applications/tor browser owner::tbb-team priority::medium reporter::User11 severity::normal status::new tbb-usability type::defect labels

Trac:
Owner: N/A to tbb-team
Component: - Select a component to Tor Browser

#15847 (moved) is a duplicate.

Trac:
Cc: N/A to xtrac

Almost certainly a fallout of fixing #12998 (moved).

Trac:
Keywords: N/A deleted, tbb-usability added
Cc: xtrac to xtrac, gk

Hi,

I am blind and use Webvisum (www.webvisum.com) to solve captcha. This module use Firefox passwords reccording functionality to allow automatic login, so each time I start Tor Browser, I have the same problem because it seems to be impossible to record passwords without setting a master password. So it is impossible to change password and it is even impossible to initialize it. I think it is for security reason we have to set a password, or is it a bug? With Firefox, setting a master password is optional, that's why I ask. If yes, should I open another ticket or it is the same?

Thanks.

Trac:
Username: PZajda
Cc: xtrac, gk to xtrac, gk, patrick@zajda.fr

I think this problem is about private browsing mode used by browser. If private browsing mode enabled then password manager can't to keep passwords by design (?), and master password is about protecting password manager. So this bug is about confuse UX. Use a master password option should be disallowed (greyed) as well if private browsing mode activated.

@PZajda, could you test webvisum's module for Tor Browser with disabled private browsing mode? It's about Torbutton's preferences at "Privacy and Security Settings", "Don't record browsing history or website data (enables Private Browsing Mode)" (uncheck it and restart browser). Not sure if anyone could to recommend to use such config for every day, it need some another hacks to keep passwords while private browsing mode enabled.

Replying to cypherpunks:

@PZajda, could you test webvisum's module for Tor Browser with disabled private browsing mode? It's about Torbutton's preferences at "Privacy and Security Settings", "Don't record browsing history or website data (enables Private Browsing Mode)" (uncheck it and restart browser). Not sure if anyone could to recommend to use such config for every day, it need some another hacks to keep passwords while private browsing mode enabled. Thanks for your reply. I've just tested following your instructions and when is disable private browsing, I can use Webvisum's module.

Trac:
Username: PZajda

Hi,

Behavior has changed a little bit with Tor Browser 5.0 and 5.0.1: Now I haven't error at all, but nothing happens if I try to to log me in with Webvisum. I am not logged in, Tor Browser doesn't ask me to set the master password. But if I try to set a master password in Firefox settings dialog, I still have the same error message displaying I cannot set a master password as I had before Tor Browser 5.0.

Trac:
Username: PZajda

Replying to cypherpunks:

I think this problem is about private browsing mode used by browser. If private browsing mode enabled then password manager can't to keep passwords by design (?), and master password is about protecting password manager. So this bug is about confuse UX. Use a master password option should be disallowed (greyed) as well if private browsing mode activated.

Even if it's confuse UX, vanilla Firefox allows to set/change master password while in PBM, and allows to get already saved passwords. Torbrowser breaks everything about password stuff while in PBM, browser just generate exception for nsILoginManager.

It's real Torbrowser (5.0 with ESR-38) bug.

Replying to gk:

Almost certainly a fallout of fixing #12998 (moved).

If to set securty.nocertdb pref to false then password manager works as it should be.

Replying to cypherpunks:

If to set securty.nocertdb pref to false then password manager works as it should be. Confirmed, I set security.nocertdb to false and I can use webvisum again. I'll let security.nocertdb configured to false until there is a fix for this issue unless others tests could be necessary to help solving this, I am available if needed. Thanks cypherpunks for this information!

Trac:
Username: PZajda

Trac:
Username: he7d3r
Summary: Master password can't be change to Master password can't be changed from default
Cc: xtrac, gk, patrick@zajda.fr to xtrac, gk, patrick@zajda.fr, he7d3r
Severity: N/A to Normal
Sponsor: N/A to N/A

#25606 (moved) is a duplicate.

Trac:
Reviewer: N/A to N/A
Cc: xtrac, gk, patrick@zajda.fr, he7d3r to xtrac, gk, patrick@zajda.fr, he7d3r, etienne

Please consider tackling this bug, it's an important/basic security feature !

This bug was opened 3 years ago ....

Unfortunately I can't help, I don't have skills to help.

Trac:
Username: etienne

Where is that security.nocertdb ?

I can't find it in about:config

Trac:
Username: etienne

Replying to etienne:

Where is that security.nocertdb ?

I can't find it in about:config

Try this:

about:config?filter=security.nocertdb

mentioned in issue #15847 (moved)

mentioned in issue #18180 (moved)

mentioned in issue #25606 (moved)

moved to tpo/applications/tor-browser#13510 (closed)