
Proposal: PasswordManager on FxOS


Alive

Dec 5, 2013, 3:20:24 AM
to dev-webapi, dev...@lists.mozilla.org, dev-gaia, Paul Theriault
Hi folks,

I'd like to have a password manager inside our operating system to store and manage passwords you'd typed in the FxOS.

This is an old item in my mind beyond FxOS v1.0 when I sadly found our phone crashed when we visited mozilla phonebook.
(It was fixed a long time ago, so we support HTTP authentication well now.)

Again, think about this case:
EVERY time you visit https://phonebook.mozilla.org/, you need to retype the password :)
Other than this case, there are tons of pages on the web that have a password field.

Today I discussed this with Paul, from the security team, and was glad to know he also loves this idea.
And what's not good is, it sounds like we are still far away from the password manager.

1A. We need a stronger password for the lock code. It'd be used for the key for all your passwords. (from Paul)
1B. We need to change the way the lock code is stored. No settings.
2. We need some way to encrypt.
3A. We need to store the password somewhere safely.
3B. We need an API to store the password. This API shall only be used by the gaia system app IMHO?

Item (1A) is pure gaia work, but some of my concerns now are:
* Need UX (Hello UX ww!)
* We'd love to have a standalone lockscreen app,
and I wonder whether a standalone app would break the security, though this is not in our case.
For items (2) and (3), I'm afraid I need gecko-ers to chime in here.

Password storing on desktop browsers is noticed by the world because the Chrome browser just puts the plain password, and you could easily see it in the settings.
IMO we won't want the plain password...?, and "encrypt" in gecko now is in a slightly ambiguous state: which way, and how to do it?
I'm still very young to this area so I don't have an exact idea of what we shall do ;)

I believe this post is just a small step to reach what we finally want to have,
so I would appreciate it if anyone stands up to push this or states any opinion!

Thanks for reading :)
Alive
--
Alive C. Kuo, Front-end Engineer, FirefoxOS, MoCo. Taiwan, Taipei office.
al...@mozilla.com




Matěj Cepl

Dec 5, 2013, 3:35:02 AM
to mozilla-...@lists.mozilla.org
On 2013-12-05, 08:20 GMT, Alive wrote:
> I'd like to have a password manager inside our operating
> system to store and manage passwords you'd typed in the FxOS.

Glad somebody got interested in
https://bugzilla.mozilla.org/show_bug.cgi?id=877648

Matěj

Alive

Dec 5, 2013, 3:41:31 AM
to nat...@mozilla.com, dev-webapi, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Hey!

Might be.

AFAIK FxOS Account/Persona is just one of the ways to identify the user,
but we could not force every web page to use this service, right? There are still tons of ways of authentication on the internet.

For sure it does help and comfort the life of the user, so thanks to anyone working on FxOS Account!

-Alive

On 2013/12/5 at 4:35 PM, Natalia Martinez-Winter <nat...@mozilla.com> wrote:

> Hi,
>
> I don't know much about those services but I thought we wanted to integrate Firefox Persona and Accounts in Firefox OS. Do those services provide the equivalent "password manager" service in the end? (in the cloud)
>
> Latest status I found is here: https://wiki.mozilla.org/Identity/Department_Status/2013-11-22
>
>
> Natalia Martinez-Winter
>
> ----- Original Message -----
> From: "Alive" <al...@mozilla.com>
> To: "dev-webapi" <dev-w...@lists.mozilla.org>, dev...@lists.mozilla.org, "dev-gaia" <dev-...@lists.mozilla.org>
> Cc: "Paul Theriault" <pther...@mozilla.com>
> Sent: Thursday, 5 December, 2013 4:20:24 PM
> Subject: Proposal: PasswordManager on FxOS
>
> Hi folks,
>
> I'd like to have a password manager inside our operating system to store and manage passwords you'd typed in the FxOS.
>
> _______________________________________________
> dev-gaia mailing list
> dev-...@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-gaia

Stephany Wilkes

Dec 5, 2013, 3:54:44 AM
to Alive, dev-webapi, Paul Theriault, dev-gaia, dev...@lists.mozilla.org, nat...@mozilla.com
Just a few notes on whom to include here...

John Gruen is UX on FxA (Firefox Accounts).

Tauni Oxborrow and Erin Lancaster manage Identity, FxA, and Where's My Fox work.

They should all be kept in the loop on this.

S.

Natalia Martinez-Winter

Dec 5, 2013, 3:35:05 AM
to Alive, dev-webapi, Paul Theriault, dev...@lists.mozilla.org, dev-gaia

Ehsan Akhgari

Dec 5, 2013, 6:28:30 PM
to Alive, dev-webapi, dev...@lists.mozilla.org, dev-gaia, Paul Theriault
On 12/5/2013, 3:20 AM, Alive wrote:
> Hi folks,
>
> I'd like to have a password manager inside our operating system to store and manage passwords you'd typed in the FxOS.
>
> This is an old item in my mind beyond FxOS v1.0 when I sadly found our phone crashed when we visited mozilla phonebook.
> (It was fixed a long time ago, so we support HTTP authentication well now.)
>
> Again, think about this case:
> EVERY time you visit https://phonebook.mozilla.org/, you need to retype the password :)
> Other than this case, there are tons of pages on the web that have a password field.
>
> Today I discussed this with Paul, from the security team, and was glad to know he also loves this idea.
> And what's not good is, it sounds like we are still far away from the password manager.
>
> 1A. We need a stronger password for the lock code. It'd be used for the key for all your passwords. (from Paul)
> 1B. We need to change the way the lock code is stored. No settings.
> 2. We need some way to encrypt.

Can we use the existing encryption facility that we use when a master
password is set?

> 3A. We need to store the password somewhere safely.
> 3B. We need an API to store the password. This API shall only be used by the gaia system app IMHO?

Do we need to allow other applications to access this safe password
store? I think the answer is no, and if that's the case, I'm not
convinced that we need to design a general purpose API here.

> Item (1A) is pure gaia work, but some of my concerns now are:
> * Need UX (Hello UX ww!)
> * We'd love to have a standalone lockscreen app,
> and I wonder whether a standalone app would break the security, though this is not in our case.
> For items (2) and (3), I'm afraid I need gecko-ers to chime in here.
>
> Password storing on desktop browsers is noticed by the world because the Chrome browser just puts the plain password, and you could easily see it in the settings.

We do the same, except that we let people encrypt their passwords DB
using a master password, and we prompt for that when you try to access
your password. I find this very fragile, and I'm not sure if we want to
repeat this in Firefox OS. We should be able to solve this problem by
1) not exposing plaintext passwords anywhere in the UI, and 2)
encrypting them with a master password. I'm not sure what the UX for
entering that password would look like.

Another thing to note is that we probably don't want to expose the
password DB in the child process. All requests to access and/or modify
this DB should be forwarded to the parent process.

Cheers,
Ehsan
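
The design points raised in this message and in the original proposal (a key derived from the lock code, an encrypted store, and a password DB that only the parent process touches), sketched as an added example that is not part of the thread and not Gecko or Gaia code. The class and function names, the scrypt parameters and the use of Node's `crypto` module are assumptions made for illustration.

```javascript
// Added illustration; not Gecko or Gaia code. All names are hypothetical.
const crypto = require('crypto');

function seal(key, aad, plaintext) {
  const iv = crypto.randomBytes(12);
  const c = crypto.createCipheriv('aes-256-gcm', key, iv);
  c.setAAD(Buffer.from(aad)); // bind the ciphertext to its origin
  const ct = Buffer.concat([c.update(plaintext, 'utf8'), c.final()]);
  return { iv, ct, tag: c.getAuthTag() };
}

function unseal(key, aad, { iv, ct, tag }) {
  const d = crypto.createDecipheriv('aes-256-gcm', key, iv);
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(tag);
  // final() throws if the key, the origin or the ciphertext is wrong
  return Buffer.concat([d.update(ct), d.final()]).toString('utf8');
}

// Lives in the parent process only; content (child) processes never see it.
class ParentPasswordStore {
  constructor(lockCode) {
    this.salt = crypto.randomBytes(16);
    this.key = this.derive(lockCode);
    this.check = seal(this.key, 'check', 'ok'); // lets unlock() verify a code
    this.entries = new Map();                   // origin -> sealed record
  }
  derive(lockCode) { // scrypt slows each guess; it cannot fix a 4-digit keyspace
    return crypto.scryptSync(lockCode, this.salt, 32, { N: 16384, r: 8, p: 1 });
  }
  lock() { this.key = null; }
  unlock(lockCode) {
    const k = this.derive(lockCode);
    try { unseal(k, 'check', this.check); } catch (e) { return false; }
    this.key = k;
    return true;
  }
  save(origin, username, password) {
    if (!this.key) throw new Error('locked');
    this.entries.set(origin, seal(this.key, origin, JSON.stringify({ username, password })));
  }
  // childOrigin is what the parent knows the child is displaying, never a
  // value taken from the child's message, so a child gets only its own entry.
  fillFor(childOrigin) {
    const rec = this.entries.get(childOrigin);
    if (!this.key || !rec) return null;
    return JSON.parse(unseal(this.key, childOrigin, rec));
  }
}
```
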

Adam Rogers

Dec 5, 2013, 7:41:16 PM
to Ehsan Akhgari, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia

All, I have added Password Manager functionality to the feature backlog for Firefox Accounts. While there are clearly many questions to answer, this is something that we are interested in pursuing. At this point, due to a significant number of unknowns, there is no target release specified for these features.

Thanks,

Adam


----- Original Message -----
From: "Ehsan Akhgari" <ehsan....@gmail.com>
To: "Alive" <al...@mozilla.com>, "dev-webapi" <dev-w...@lists.mozilla.org>, dev...@lists.mozilla.org, "dev-gaia" <dev-...@lists.mozilla.org>
Cc: "Paul Theriault" <pther...@mozilla.com>
_______________________________________________
dev-b2g mailing list
dev...@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-b2g

Ehsan Akhgari

Dec 6, 2013, 12:49:11 PM
to Adam Rogers, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Thanks for the note, Adam. Where is the discussion about this happening
(assuming that it has started yet)?

Thanks!
Ehsan

Adam Rogers

Dec 6, 2013, 1:28:03 PM
to Ehsan Akhgari, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
Hi Ehsan,

Formal discussions have not started yet, but I have been taking notes on threads like this. I'm happy to include you in the meetings as we move to formalize the ideas into actions.

Ehsan Akhgari

Dec 6, 2013, 2:03:09 PM
to Adam Rogers, dev-webapi, Alive, Paul Theriault, dev...@lists.mozilla.org, dev-gaia
On 12/6/2013, 1:28 PM, Adam Rogers wrote:
> Hi Ehsan,
>
> Formal discussions have not started yet, but I have been taking notes on threads like this. I'm happy to include you in the meetings as we move to formalize the ideas into actions.

Yeah, I'm somewhat interested in this, so I'd appreciate that!

Cheers,
Ehsan