Opened 4 years ago

Last modified 9 months ago

#13510 new defect

Master password can't be changed from default

Reported by: User11
Owned by: tbb-team
Priority: Medium
Milestone:
Component: Applications/Tor Browser
Version:
Severity: Normal
Keywords: tbb-usability
Cc: xtrac, gk, patrick@…, he7d3r, etienne
Actual Points:
Parent ID:
Points:
Reviewer:
Sponsor:

Description

Starting with Tor Browser 3.6.6 (also in 4.0), the master password can't be set.

I am trying to set the master password (the current setting shows as "not set"), yet it is not allowing me to set one, popping up the following message: "Unable to change Master Password".

Change History (14)

comment:1 Changed 4 years ago by rl1987

Component: - Select a component → Tor Browser
Owner: set to tbb-team

comment:2 Changed 4 years ago by gk

Cc: xtrac added

#15847 is a duplicate.

comment:3 Changed 4 years ago by gk

Cc: gk added
Keywords: tbb-usability added

Almost certainly a fallout of fixing #12998.

comment:4 Changed 3 years ago by PZajda

Cc: patrick@… added

Hi,

I am blind and use Webvisum (www.webvisum.com) to solve captcha.
This module uses Firefox's password recording functionality to allow automatic login, so each time I start Tor Browser, I have the same problem because it seems to be impossible to record passwords without setting a master password.
So it is impossible to change the password and it is even impossible to initialize it.
I think it is for security reasons that we have to set a password, or is it a bug? With Firefox, setting a master password is optional, that's why I ask.
If yes, should I open another ticket or is it the same?

Thanks.

comment:5 Changed 3 years ago by cypherpunks

I think this problem is about the private browsing mode used by the browser. If private browsing mode is enabled, then the password manager can't keep passwords by design (?), and the master password is about protecting the password manager. So this bug is about confusing UX. The "Use a master password" option should be disallowed (greyed) as well if private browsing mode is activated.

@PZajda, could you test webvisum's module for Tor Browser with private browsing mode disabled? It's in Torbutton's preferences at "Privacy and Security Settings", "Don't record browsing history or website data (enables Private Browsing Mode)" (uncheck it and restart the browser). Not sure if anyone could recommend using such a config every day; it needs some other hacks to keep passwords while private browsing mode is enabled.

comment:6 in reply to:  5 Changed 3 years ago by PZajda

Replying to cypherpunks:

@PZajda, could you test webvisum's module for Tor Browser with private browsing mode disabled? It's in Torbutton's preferences at "Privacy and Security Settings", "Don't record browsing history or website data (enables Private Browsing Mode)" (uncheck it and restart the browser). Not sure if anyone could recommend using such a config every day; it needs some other hacks to keep passwords while private browsing mode is enabled.

Thanks for your reply. I've just tested following your instructions and when I disable private browsing, I can use Webvisum's module.

Last edited 3 years ago by PZajda

comment:7 Changed 3 years ago by PZajda

Hi,

Behavior has changed a little bit with Tor Browser 5.0 and 5.0.1:
Now I have no error at all, but nothing happens if I try to log in with Webvisum. I am not logged in, and Tor Browser doesn't ask me to set the master password.
But if I try to set a master password in the Firefox settings dialog, I still get the same error message saying I cannot set a master password, as I had before Tor Browser 5.0.

Last edited 3 years ago by PZajda

comment:8 in reply to:  5 Changed 3 years ago by cypherpunks

Replying to cypherpunks:

I think this problem is about the private browsing mode used by the browser. If private browsing mode is enabled, then the password manager can't keep passwords by design (?), and the master password is about protecting the password manager. So this bug is about confusing UX. The "Use a master password" option should be disallowed (greyed) as well if private browsing mode is activated.

Even if it's confusing UX, vanilla Firefox allows setting/changing the master password while in PBM, and allows getting already saved passwords. Tor Browser breaks everything about password stuff while in PBM; the browser just generates an exception for nsILoginManager.

It's a real Tor Browser (5.0 with ESR-38) bug.

comment:9 in reply to:  3 ; Changed 3 years ago by cypherpunks

Replying to gk:

Almost certainly a fallout of fixing #12998.

If you set the security.nocertdb pref to false, then the password manager works as it should.

comment:10 in reply to:  9 Changed 3 years ago by PZajda

Replying to cypherpunks:

If you set the security.nocertdb pref to false, then the password manager works as it should.

Confirmed, I set security.nocertdb to false and I can use webvisum again.
I'll leave security.nocertdb set to false until there is a fix for this issue, unless other tests are necessary to help solve this; I am available if needed.
Thanks cypherpunks for this information!

comment:11 Changed 3 years ago by he7d3r

Cc: he7d3r added
Severity: Normal
Summary: Master password can't be change → Master password can't be changed from default

comment:12 Changed 9 months ago by gk

Cc: etienne added

#25606 is a duplicate.

comment:13 Changed 9 months ago by etienne

Please consider tackling this bug, it's an important/basic security feature!

This bug was opened 3 years ago...

Unfortunately I can't help, I don't have the skills to help.

comment:14 Changed 9 months ago by etienne

Where is that security.nocertdb?

I can't find it in about:config
