from Hacker News

Password generator doesn't generate new password in the same session

by makepanic on 12/20/22, 9:44 AM with 95 comments

  • by pontilanda on 12/20/22, 12:25 PM

    Is it a bug or a feature?

    Depending on the exact wording, I completely expect the browser to suggest the same password for the same website in the same session for the same user.

    Websites are crap and sometimes you need to enter the same password twice before the browser has gotten the notice to actually save the first one.

  • by TrianguloY on 12/20/22, 12:41 PM

    Could be "fixed" by showing two entries: "previous password" and "new password".

    This will change the UI a bit though.

  • by dncornholio on 12/20/22, 12:23 PM

    Can someone explain to me what the issue is with this? Not a hypothetical reason, but a real-life example?

  • by jonnycomputer on 12/20/22, 12:12 PM

    And here

    https://bugzilla.mozilla.org/show_bug.cgi?id=1786712

    This is sort of a ridiculous bug, tbh. What rationale could this be "currently by design"?

  • by makepanic on 12/20/22, 9:45 AM

    Most recent issue that tracks this is https://bugzilla.mozilla.org/show_bug.cgi?id=1551723

  • by SahAssar on 12/20/22, 11:45 AM

    This is pretty absurd and goes against every expectation I'd have of a password generator. The only reason I can think of it being useful is if the site has a separate screen for a confirm password field, but even then the password should be saved in the password manager the first time it is submitted.

  • by turtleman1338 on 12/20/22, 11:55 AM

    >This is currently by design

    What?

  • by jmclnx on 12/20/22, 12:39 PM

    If you are on a UN*X Type system, you can create your own random passwords very easily.

    tr -cd "[:alnum:]" < /dev/urandom | fold -w 20 | sed 10q

    So I have no need for these fancy password generators :)

  • by bakhy on 12/20/22, 12:18 PM

    This is quite easy to reproduce. Wow.

    IMO they should just remove the password generator feature. It's barely usable, and with this behavior it's just dangerous.

    Why barely usable? Some really simple features are missing. I miss the ability to specify password requirements - for annoying sites which specify length, require so and so many these and those types of characters, or even forbid some types. And another one is that it's not possible to manually generate a password, not even in the password storage UI, when manually adding a new entry. So, if a site did not correctly declare a password field, which happens, you must generate a password yourself somehow.
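
Added example, not code from any commenter or from Firefox: the /dev/urandom approach from jmclnx's comment, extended to the kind of per-site character requirements bakhy's comment mentions. The names `genpw` and `meets_policy` and the policy itself (at least one lowercase letter, one uppercase letter and one digit) are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: policy-aware password generation from /dev/urandom.
# genpw and meets_policy are hypothetical names, not from the thread.

# meets_policy PW: succeed only if PW contains a lowercase letter, an
# uppercase letter and a digit (an assumed policy; adapt to the site).
meets_policy() {
    case $1 in *[[:lower:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:upper:]]*) ;; *) return 1 ;; esac
    case $1 in *[[:digit:]]*) ;; *) return 1 ;; esac
    return 0
}

# genpw [LENGTH]: print one alphanumeric password of LENGTH (default 20).
# The body runs in a subshell, so its variables do not leak to the caller.
genpw() (
    len=${1:-20}
    case $len in *[!0-9]*) echo "genpw: bad length" >&2; exit 2 ;; esac
    # Below 3 characters the policy can never be met; refuse, do not loop.
    [ "$len" -ge 3 ] || { echo "genpw: length must be >= 3" >&2; exit 2; }
    while :; do
        # Read a bounded chunk so no process is ended by SIGPIPE, then drop
        # every byte outside the alphabet. Dropping bytes (instead of
        # mapping them with modulo) keeps the 62 symbols equally likely.
        pool=$(head -c $((len * 16)) /dev/urandom | LC_ALL=C tr -dc 'A-Za-z0-9')
        [ "${#pool}" -ge "$len" ] || continue
        pw=$(printf '%s' "$pool" | cut -c1-"$len")
        # Rejecting whole candidates keeps the result uniform over all
        # policy-compliant passwords, unlike patching characters in.
        if meets_policy "$pw"; then
            printf '%s\n' "$pw"
            exit 0
        fi
    done
)
```

Call `genpw` for a 20-character password or `genpw 32` for a longer one; every call reads fresh bytes from the kernel, so two calls give unrelated results.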

  • by sys42590 on 12/20/22, 11:53 AM

    Does anyone have the time to do a code review on that? I would not be surprised if there's even less entropy in Firefox-generated passwords than the bug report might indicate (e.g. it just uses time and domain as random seed).

    If that's the case it would make a new "named" vulnerability (FOXHOLE, FIREBLEED, whatever).