Pale Moon forum

has anyone else have the problem of passwords not showing up after the newest PM upgrade? Now I have to keep entering my password every time. My list of passwords are still there, but there not showing up.

Have you read the release notes? They popup in a tab on every upgrade. Could have saved you the time to create a thread and ME to reply to it.

Oh Thank you, I did read the release notes, but somehow missed that.

No problem.. WELL not much of one. Carry on!

strange decision to change this function.
So usability and ease of use with passwords will be affected.

It was a security and privacy decision. You can re-enable it as an informed choice.. Least, we hope people will be informed.

It seems to only work if there is a user name and password. But if there is just a password, it does not popup, or show up... like; http://imgsrc.ru/main/passchk.php?ad=18 ... 7374954&t= the password 12345 is in my list, but its not showing up, or popping up.

Then flip it back on...

I read the release notes. Still I totally missed the ramifications of the security changes. It's not easy to miss, when you are a mere user. So sometimes, it might be useful to point such a change out with a bit more emphasis

I like PM but now that I have to type in all passwords it sucks big time. I wish I never upgraded. Is there a way to go back to before the update? Or make the passwords appear again?

Is there a way to go back to before the update? Or make the passwords appear again?

You decide.

Moonraker wrote:strange decision to change this function.
So usability and ease of use with passwords will be affected.

There's nothing strange about it -- it's actually been a point of note for quite some time (see e.g. bug #408531 from 2007).
Automatically filling in credentials is a risk, because it's triggered by named form fields. if an XSS attack injects properly-named form fields, automatically-filled-in credentials can then be read and stolen. While there's been no known breach like this on major sites recently, it has been abused for tracking; so it's both a security AND privacy concern. See also this demo.

Usability isn't affected, only the convenience of hands-free use of passwords.

Thanks moonchild.
But i have noticed that double clicking the fields produces the username and password anyway so i do not see any security or privacy benefit.If we dont wish someone to see our passwords etc then they really should not be allowed access to the computer at all.

best wishes.

Yeah but with autofill off it is a user interaction on specific fields getting the info.. Of course js can still read it but what WILL NOT be in this case is a situation where there is a HIDDEN FORM being populated with creds without the user knowing about it on a page that has no visable form.

THIS is a good thing and an improvement in sec and privacy.

Unless, user flips the pref then that is a choice the user is making to sacrifice a bit of security and privacy for convenience.

Moonraker wrote:But i have noticed that double clicking the fields produces the username and password anyway so i do not see any security or privacy benefit.

It requires user interaction on a visible form field, i.e.: conscious user action to have these credentials filled in... how does that not provide a security benefit over having the manager automatically form-fill credentials in any field (including hidden ones) without user interaction, the moment a page is loaded?...
I'm not sure how I can explain this to you if you don't understand this basic difference. Please take a moment to think about the automatic-on-load versus user-must-fill scenarios and differences, and how third-party scripts could abuse it. I hope you get it; if not, maybe someone else can translate it into something more understandable than what I am able to.

craigd.. I don't have a page like you show. I have 8.1.

Moonchild wrote:

Moonraker wrote:But i have noticed that double clicking the fields produces the username and password anyway so i do not see any security or privacy benefit.

It requires user interaction on a visible form field, i.e.: conscious user action to have these credentials filled in... how does that not provide a security benefit over having the manager automatically form-fill credentials in any field (including hidden ones) without user interaction, the moment a page is loaded?...
I'm not sure how I can explain this to you if you don't understand this basic difference. Please take a moment to think about the automatic-on-load versus user-must-fill scenarios and differences, and how third-party scripts could abuse it. I hope you get it; if not, maybe someone else can translate it into something more understandable than what I am able to.

"user interaction!"
this is the key term is it not.
what difference does it make if a click is required or the details are autofilled.?
user interaction is still required for both methods.simply hiding the credentials is not secure in my opinion.If an uninvited guest is perusing your computer then whether the credentials is hidden or not is irrelevant.What i feel you should of done is to disable the double clicking function and require a fresh input from user,
my thoughts fwiw.

You simply don't get it or you are being intentionally being thick. Either way that is all we have to offer. If you cannot or will not try to understand.. We cannot help you.

With that the relevant discourse has come to an end in this thread.

New Tobin Paradigm wrote:You simply don't get it or you are being intentionally being thick. Either way that is all we have to offer. If you cannot or will not try to understand.. We cannot help you.

With that the relevant discourse has come to an end in this thread.

no mr paradox,you do NOT get it.
heres a scenario for you,
my laptop gets stolen and they get to my desktop...well guess what all they need to do is open browser and double click sensitive fields and voila credentials are displayed and they are in.

comprende.?

nothing thick about it and if you cant see the error here then you are intentionally being evasive and plain pedantic.
i will not resort to insults as it will get nowhere.

i am talking about local access to uninvited people..do YOU not get it and this is why google will not implement it in chrome..
if you will not understand THIS then i for one cannot make the blind see..

cheers.

CraigPD wrote:You decide.

AutoFillLoginDetails.png

Moonchild wrote:There's nothing strange about it -- it's actually been a point of note for quite some time (see e.g. bug #408531 from 2007).
Automatically filling in credentials is a risk, because it's triggered by named form fields. if an XSS attack injects properly-named form fields, automatically-filled-in credentials can then be read and stolen. While there's been no known breach like this on major sites recently, it has been abused for tracking; so it's both a security AND privacy concern. See also this demo.

Usability isn't affected, only the convenience of hands-free use of passwords.

Thank you