browserpass-extension
Handle entries without password
General information
- Operating system + version: Ubuntu 18.04
- Browser + version: Firefox 72
- Information about the host app:
  - How did you install it? downloaded a pre-built binary
  - If installed an official release, put a version ($ browserpass --version): 3.0.6
- Information about the browser extension:
  - How did you install it? firefox webstore
  - Browserpass extension version as reported by your browser: 3.4.1
Exact steps to reproduce the problem
- Create a pass entry without content or with content Password:
- Fill the entry on the detected url login field
What should happen?
I would expect browserpass to insert the username and leave the password field empty, maybe even focus the password field so that I can manually fill it.
The user story behind this feature is maybe the fact that this is not "your" password and you are therefore not allowed to store the password or you do not want to store the password personally.
What happened instead?
You have to differentiate the empty entry from the empty password line:
- Entirely empty pass entry:
  - Automatic fill without opening the UI fills the username from the entry file name and the focus stays on the username input field.
  - Filling from the Popup-UI (with mouse or keyboard) fills the username, but focus stays on the extension popup with a red error message: Error: Error: value is undefined
- Having a line Password:\n with or without a username line fills the string 'Password' into the password input field
@maximbaz Do you have an opinion on this one? Obviously we need to fix the error, but I'm unsure what behavior is desirable otherwise. I'm not convinced that we should be attempting to focus a password field if we have no value to fill there; focusing the submit button makes more sense IMO.
@lukengda Are you able to provide some real-world examples where you actually needed to fill a username, but manually enter the password, and had a blank password entry? This feels like a very niche use-case.
@erayd Examples where I actually need it? No. Because every password I know and don't want to have in a password store, I would store the username only for convenience and that reaches into #74.
I just noticed this because I imported a keepass file (in the process of switching over) where I had a handful of username-only entries like a banking login with a long number as username.
I am reporting this because I am used to having focus on the password input for this scenario with other browser autofills for keepass.
I'm not convinced that we should be attempting to focus a password field if we have no value to fill there; focusing the submit button makes more sense IMO.
I share the same opinion, we can make it so that an empty file / empty first line / password:\n do not generate errors, but setting the focus inside password field and prompting the user to fill it seems not only niche but also against the whole idea that we don't want to encourage people to fill out passwords manually to prevent phishing attacks.
@lukengda
Because every password I know and don't want to have in a password store, I would store the username only...
As @maximbaz mentioned above, manually typing remembered passwords goes against the whole idea of a password manager, and also leaves you more vulnerable to phishing. While I won't say there is never a place for it, it's usually an indicator that you're doing something problematic from a security standpoint.
I am reporting this because I am used to having focus on the password input for this scenario with other browser autofills for keepass.
We aren't trying to be a KeePass clone. Given that you have no example (and #74 has nothing to do with your request), I think we should proceed with fixing the error, but leaving the focus on the submit button.
@erayd @maximbaz Don't get me wrong, I'm totally fine with the solution and I don't want any keepass clone, otherwise I would not be here with pass and browserpass.
I reevaluated the behavior I was used to with tusk (browser extension for keepass files) and found out that focus on the password field is the default behavior for all entries and you can submit from there by pressing enter. This mimes the user input best in my opinion but I totally do not require this behavior.
Anyway, thanks for your responses and I want to contribute in the future, I'm just too busy at the moment so I won't create a PR for the error handling.
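The error-free handling discussed in this thread (an empty file, an empty first line, or a Password: line with no value), sketched as an added example that is not browserpass's own code. The function names parseEntry and fillPlan, the accepted key names and the plan layout are assumptions made for illustration.

```javascript
// Added example: a simplified entry parser, not browserpass's own code.
// Assumed key names; real entries may use others.
const PASSWORD_KEYS = ["password", "pass", "secret"];
const LOGIN_KEYS = ["login", "username", "user"];

// parseEntry (hypothetical name) never returns undefined fields: a missing
// password is an explicit null that callers can test for.
function parseEntry(fileName, content) {
    const fields = { login: null, password: null };
    (content || "").split(/\r?\n/).forEach((line, index) => {
        const match = line.match(/^([^:]+):(.*)$/);
        const key = match ? match[1].trim().toLowerCase() : null;
        const value = match ? match[2].trim() : "";
        if (key !== null && PASSWORD_KEYS.includes(key)) {
            // "Password:" with nothing after it means no password is stored,
            // so the key name itself is never used as the value.
            if (value !== "" && fields.password === null) fields.password = value;
        } else if (index === 0) {
            // pass convention: an unkeyed, non-empty first line is the password.
            if (line.trim() !== "") fields.password = line;
        } else if (key !== null && LOGIN_KEYS.includes(key)) {
            if (value !== "" && fields.login === null) fields.login = value;
        }
    });
    // Fall back to the entry file name for the username.
    if (fields.login === null) {
        fields.login = fileName.split("/").pop().replace(/\.gpg$/, "");
    }
    return fields;
}

// fillPlan (hypothetical name) lists what to fill. With no password it fills
// only the username and targets the submit button for focus.
function fillPlan(fields) {
    const plan = { fill: [{ field: "login", value: fields.login }], focus: "submit" };
    if (fields.password !== null) {
        plan.fill.push({ field: "password", value: fields.password });
    }
    return plan;
}

// Constructed sample entries covering the cases from the report.
const SAMPLES = [
    ["bank/12345678.gpg", ""],                    // entirely empty entry
    ["example.com/alice.gpg", "Password:\n"],     // password key, no value
    ["example.com/x.gpg", "\nlogin: dave"],       // empty first line
];
for (const [name, body] of SAMPLES) console.log(name, JSON.stringify(fillPlan(parseEntry(name, body))));
```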