As I’ve previously blogged about, I’ve been working on some changes to the Firefox Password Manager. The first part, a long slog of untangling and porting the old C++ code to JS, is now complete.
The code landed earlier this month via bug 374723, and as part of the change it’s been renamed to “Login Manager”. This work was all backend work, so there are no user-visible features yet… That part comes next. And did I mention test cases? There are now automated test cases! Double-plus yay!
These changes should now make it much easier to write a component integrating Login Manager with the OS X Keychain (or the Gnome Keychain, or whatever). Basically, the code just has to implement the nsILoginManagerStorage interface and add some glue to make the Login Manager use it. Unfortunately this isn’t a high-priority item at the moment, but if anyone in the community wants to pick up the torch I’d be happy to help with the integration. There’s already some code in Camino for Keychain, although I don’t know what state it’s in.
Finally, the new Login Manager has one downside… The interfaces for using it have changed, so extensions that might have been using the old interfaces will need to be updated to use the new ones instead. But the interfaces are documented, and there’s a usage writeup on DevMo. There may be some more minor API tuneups before FF3 is released, but I’m not expecting anything major.
Nice work. I know this won’t happen, but if by chance the OS X Keychain stuff (or Gnome, or whatever) still isn’t done in September, please let me know and I’ll happily throw some students on it when my Mozilla course gets going again.
your awesom!!1!
Awesome show, good job!
The password manager is now written in JavaScript?! That really doesn’t make me feel happy about using it to store my passwords in.
I’d have been much happier if the back-end code to manage passwords was based on something like keepass with just a different UI to drive it.
What security measures are in place for this? How do you verify that the passwords are secure?
Please add a feature to ignore the authentication domain and to choose the username/password by URL prefix. That will allow users to work around braindead systems that intentionally change the domain each time.
I downloaded FF3 Alpha5 and before I can do anything it’s asking for a master password. What is it or where can I get it? I’ve tried entering a password of my own, I entered “mozilla” and nothing happens. Please help. Thank you for your time and attention.
Jack Manger
@Andy,
the fact that the manager is written in JavaScript does nothing to weaken the security. Passwords are stored somewhere, it’s _how_ they are stored that should make it safe. If you store them unaltered in a text file on the desktop, even if you use C++ to do it, it’s not secure.
(Almost) same prob as Jack. Every time I restart FF3a5, it asks me to enter master password, while none of my homepages require an auto-fill. It doesn’t let me get through without entering the right password.
This is great.
Andy:
The JS portions mostly handle DOM interaction and file IO for signons2.txt. The two main reasons for switching to JS are simpler code and increased security (e.g., no buffer overflows possible). Most of the Firefox frontend is already JS, so this isn’t exactly a radical change. But, in any case, the actual encryption of logins continues to be done by a C++ component (using Triple-DES).
Jack:
Yes, that’s a known bug in Alpha 5. I’m fixing a number of issues involving the usability of master passwords for A6.
(About http://blog.mozilla.org/dolske/2007/05/28/followup-password-manager-changes-coming-in-ff3-alpha-5/#comment-14118)
While C++ doesn’t make passwords safe automatically, a language like JavaScript that does garbage collecting may leave passwords somewhere in memory even after they are “safely” stored elsewhere. Security-aware code like that in PGP takes great care to destroy the passwords in RAM once they are no longer needed.
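The wiping practice this comment refers to, sketched for JavaScript as an added example (not part of the original comment or of Firefox's code): strings are immutable and cannot be overwritten, so the secret is held in a byte buffer that is zeroed after use. `toBytes`, `withSecret`, `isWiped` and `demo` are hypothetical names, and the password is a constructed sample.

```javascript
'use strict';
// Added illustration; all helper names here are hypothetical.

// Copy a password into a mutable byte buffer that the caller owns.
function toBytes(text) {
  return new TextEncoder().encode(text);
}

// Hand the secret bytes to `use`, then overwrite them, even if `use` throws.
// This is best effort: the engine or the GC may still hold other copies
// (for example the original string the bytes were encoded from).
function withSecret(secretBytes, use) {
  try {
    return use(secretBytes);
  } finally {
    secretBytes.fill(0);
  }
}

// True when every byte of the buffer has been overwritten with zero.
function isWiped(bytes) {
  return bytes.every((b) => b === 0);
}

function demo() {
  const typed = 'correct horse'; // constructed sample password
  // Normal path: the buffer is used once and then zeroed.
  const okBuf = toBytes(typed);
  const usedLength = withSecret(okBuf, (b) => b.length);

  // Failure path: the consumer throws, the buffer is still zeroed.
  const failBuf = toBytes(typed);
  let threw = false;
  try {
    withSecret(failBuf, () => { throw new Error('storage unavailable'); });
  } catch (e) {
    threw = true;
  }

  return {
    usedLength,
    wipedAfterUse: isWiped(okBuf),
    wipedAfterThrow: threw && isWiped(failBuf),
    // The string cannot be overwritten in place; it stays readable until
    // the garbage collector reclaims it, which is the comment's concern.
    stringStillReadable: typed === 'correct horse',
  };
}
```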
I’ve finished taking the already good documentation for nsILoginManager and nsILoginInfo and turning them into our standard format for interface docs. I still need to give the example a once-over to clean up some style stuff there, but I’d appreciate any comments or tweaks to the interface docs:
http://developer.mozilla.org/en/docs/nsILoginInfo
http://developer.mozilla.org/en/docs/Using_nsILoginManager
I’m having the same problem as replies 6 and 8. Seems to require password for the first site you visit regardless of need.
Kind of freaked me out for a while, trojan was the first thing on my mind. Being an alpha not intended for general use and the fact I’m too paranoid for my own good mitigates the issue though. Good to have it confirmed as a bug and I hope it has no impact on actual security.
It flies on an 8-core Mac Pro, only 2 gigs of RAM!
With the old password manager (nsIPasswordManager) the Master Password had only been required if the username or password had to be accessed. This way you could collect existing password objects and display the number of login possibilities to the user without requiring the Master Password.
This is very useful for the Secure Login extension, e.g.:
https://addons.mozilla.org/de/firefox/addon/4429
With the new login manager (nsILoginManager), you have to enter the Master Password as soon as the findLogins method is called.
I think it’s a security enhancement not to ask for the Master Password until the login credentials are filled in.
This would also affect the standard password autofill of Firefox Password Manager, e.g. for more than one saved user+pass combination.
That’s brilliant, good stuff.