Password Manager changes

Last week quite a few meetings were held to refine the Firefox 3 product requirements. One area of particular interest to me, identity and password management, is firming up nicely. People have been asking for a lot of interesting features, and the Password Manager will need some significant changes to support them.

I’ve already been working on the first phase of updating Password Manager. The code is being reworked to be more modular and cleaner, as well as being converted from C++ to JavaScript. Although this creates a framework for new features, the end goal for this first phase is simply parity with the existing implementation.

Once that’s done, it should be easy to bolt on some new backends for password storage. Examples include integration with the OS X Keychain and moving Mozilla’s own storage from a text file (signons.txt) to MozStorage. Extension developers would also be able to deliver their own backends without hacking on Password Manager.

As for other new features, how things are prioritized depends on how the product requirements shape up. A quick summary of items currently under consideration:

* UI improvements to password management, entry, and use.
* Investigate what the browser’s role might be in an OpenID or CardSpace system.
* Improving the security of password-based authentication.

And, of course, fixing some of the existing password manager bugs!

7 thoughts on “Password Manager changes”

  1. I think “Keychain” and “OpenID or CardSpace” are the key words in this post.

    Hopefully at a minimum Firefox 3.0 for Mac won’t ship without Keychain. IMHO it’s a big win for the platform to properly integrate.

    This is a giant step forward. Hopefully we’ll see some great uses of the new framework.

  2. Ludovic:

    The shift to JavaScript is part of a general theme to use JS for browser components (when suitable). Security is one big reason — there are no buffer overflows in JS code.

    It also simplifies the code. The Password Manager has a lot of interaction with the DOM, which means lots of XPCOM overhead with C++.

    For example:

    nsresult
    nsPasswordManager::FillDocument(nsIDOMDocument* aDomDoc)
    {
      // Each DOM interface needs its own XPCOM QueryInterface call.
      nsCOMPtr<nsIDOMHTMLDocument> htmlDoc = do_QueryInterface(aDomDoc);

      nsCOMPtr<nsIDOMHTMLCollection> forms;

      nsCOMPtr<nsIDocument> doc = do_QueryInterface(aDomDoc);

      nsCAutoString realm;
      if (!GetPasswordRealm(doc->GetDocumentURI(), realm))
        return NS_OK;
      // ...
    }

    In JS, this might look more like:

    FillDocument : function (doc) {
      // Use the doc parameter directly; no interface queries are needed.
      var forms = doc.forms;
      var realm = GetPasswordRealm(doc.location);
      if (!realm) throw "Oops";
      // ...
    }

  3. Slawa: As part of the Password Manager work leading up to Firefox 3, I’ll be looking at trying to clear some of the backlog of existing bugs. I haven’t evaluated those two specific bugs yet, though.

  4. Hello, I would like to be able to export passwords and logins to other computers. I work on several computers and would like to have the same logins and password auto login ability on each computer. I have to log in to some sites and it never asks me to save the logins, so I have to retype all the time. It would be nice to move the file from CPU to CPU.


    C J
