
Why do company admins hate password managers?
Every few months I am forced at work to change my login passwords for no reason at all, just because some outdated recommendation said so years ago. Even NIST realized and corrected this.
To live with this annoyance, at home I'd take some addon to generate a new random string of some 16+ characters and enter it in the password field. There you go, good, safe and secure for another 3 months.
But on sending the login form at work Firefox does not ask me to save the password. What's wrong? I was reading up and down the Internet until I found the culprit: in about:config the key signon.rememberSignons is "locked" to false and I cannot re-enable it. WTF?
Mozilla is giving out advice on how to memorize passwords instead of saving them in a password manager. And at the same time Mozilla puts anti-features in the browser for the IT department to disable my password manager, that I have become so dependent on?
You know where this leads:
- I take the very same password everywhere now.
- And because I have to type it every time: it's nice and short and
- it happens to be found in an ordinary dictionary, as, surprise, the keyboard layout was designed to support typing natural words.
- Finally the last letter is a single digit, as I am forced to integrate a digit anyway, so why not let it be the last one.
- Oh how nice ... the reminder popped up to tell me I have to change my password again ... so I add one to the counter that happens to be so conveniently integrated into the password.
- Even when I come across an old outdated account, I only need 10 tries to crack my own password. I must recommend this as a fail-safe to all my colleagues!
Of course I cannot expect you to answer my question about the stupid IT department. They will only open an information-request ticket that will automatically time out after two weeks. I already tried this.
No, my question to you is: When will you remove the anti-feature for company admins to take their greedy fingers off of my Firefox configuration?
I don't want them to hide some configuration in the Windows registry, where I am not allowed to alter it. I don't want to be locked out of my profile including about:config. I don't want my password manager crippled. I don't want to be nannied that I'm not allowed to install a password generator addon.
BTW: What is more harmful:
- Collecting my personal password-manager files, protected by a long master password, from my encrypted hard drive.
- Cracking the weak password I was driven into using, or just phishing it from a single fake site I happily typed it into, as I am so used to typing it everywhere multiple times per day.
PS: Don't take me wrong. I'm very pleased with Firefox, even though I got shocked by losing lots of addons during the transition to WebExtensions (now I understand the necessity to go on in development). This is not meant to offend. I'm frustrated that I met a dead end with my IT department ... and sad to find out Mozilla collaborates with them ...
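The rotation pattern the post describes (dictionary word, trailing digit bumped at every forced change) is exactly what a password-change check should refuse. The following is an added example, not code from the post or from Firefox; the wordlist and the 12-character minimum are constructed assumptions standing in for a real dictionary and policy.

```python
import re

# Constructed stand-in for the "ordinary dictionary" the post mentions.
COMMON_WORDS = {"password", "summer", "welcome", "firefox", "company"}


def split_stem_counter(pw: str):
    """Split 'welcome7' into ('welcome', 7); no trailing digits -> (pw, None)."""
    m = re.fullmatch(r"(.*?)(\d+)", pw)
    if not m:
        return pw, None
    return m.group(1), int(m.group(2))


def rotation_findings(old: str, new: str, min_len: int = 12) -> list:
    """Return the weaknesses a change-password check should flag.

    Flags the pattern from the post: a short dictionary stem followed by a
    counter that is incremented at each forced rotation, so that someone
    holding an old password needs only a handful of guesses.
    """
    findings = []
    old_stem, old_n = split_stem_counter(old)
    new_stem, new_n = split_stem_counter(new)
    if len(new) < min_len:
        findings.append("too short")
    if new_stem.lower() in COMMON_WORDS:
        findings.append("dictionary stem")
    if old_stem and old_stem == new_stem:
        findings.append("same stem as previous password")
        if old_n is not None and new_n is not None and new_n == old_n + 1:
            findings.append("trailing counter incremented")
    return findings


def accept_change(old: str, new: str) -> bool:
    """True only when the new password shows none of the flagged patterns."""
    return not rotation_findings(old, new)


if __name__ == "__main__":
    print(rotation_findings("welcome3", "welcome4"))
    print(accept_change("welcome3", "kJ8#qR2!mZ5vT9pL"))
```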
It is my understanding that the owner of the website decides whether the browser is allowed to store the password or not. Wrt the pref you mentioned, I don't know. It may not be relevant at all. I'd suggest using a password manager, my favorite one is Bitwarden. There are others though, and you should pick the one which fits your needs best. Of course this may be violating regulations of your IT. About ignorant corporate IT, I could tell almost the exact same story.
As you already stated, this is a topic you need to discuss within your company, as it relates to company policy. If they want to forbid browsers' password managers, and Firefox does not permit doing so, they may choose not to offer Firefox as a browser at all, which probably would not increase your satisfaction. Firefox does not require you to protect the password manager by a master password, and forbidding storing passwords unprotected on the computer makes a lot of sense. I do not see any about:config parameters to require a master password for the stored passwords, and to require a minimum complexity for this master password. In the absence of such constraints, allowing its password store can be considered a security risk from a company perspective.
Note that this does not prove that your company is adverse to password managers altogether, so you may want to ask what other password manager they recommend instead of the Firefox built-in. Personally, I only use the Firefox password manager for certain low-security accounts like discussion forums, and the separate free and open-source program from https://pwsafe.org/ for all more valuable ones.
Warning: There are some web pages that do not allow browsers to record or fill in the log-in information.
But if you go to the Mozilla Add-ons Web Page {web Link} (There’s a lot of good stuff here) you can try a Form Filling add-on. I found that the form-filler add-on I use is not affected.
First: There is an article trying to explain what might stop the password manager from working: https://support.mozilla.org/en-US/kb/usernames-and-passwords-are-not-saved How would I add another possible cause, about overzealous company admins abusing these configs: http://kb.mozillazine.org/Locking_preferences
Switching to an alternate password manager is what actually happened, as the need is overwhelming. So instead of a regularly updated Firefox installation, now there is a dubious zip archive spread under hand from colleague to colleague with a some-years-old KeePass version to fill the gap. The only requirement was that it does not require an installation program asking for admin rights.
But still the usability is horrible, as it does not integrate with Firefox to detect the exact URL in the location bar. So instead of typing a weak password, now I copy it to the clipboard and paste it uncontrolled anywhere, opening up new attack vectors for monitoring the clipboard while not solving the issue of phishing sites mimicking the original.
@christ Yes, some uncooperative websites try all tricks for their password field not to be picked up by the Firefox password manager. But in my case, the sites work properly at home with my privately owned Firefox.
@FredMcD The allowance to install addons via the key "xpinstall.enabled" is also locked to false. Actually there are about 15 prefs locked by the same mechanism.
@kede81 So following your argumentation: If some IT-guy would decide to forbid https connections, as they cannot "scan" all the transfers at a central proxy for viruses, you'd happily integrate an option into Firefox to disallow https?
Yes you are right: Firefox is not part of the "default desktop" anymore. So even getting it is already dependent on the users specifically requesting it and the IT-department graciously installing it. So far they did not deny it completely, but depending on the installation numbers (they are tracking I'm sure), they may or may not be willing to cooperate.
On the other hand, they are slow to do any change. Until now I haven't seen them offering Chrome which is also not part of "default desktop". But they are still really fond of the Internet Exploder ... what a pity, M$ cancelled it *cough*
So what could be a path forward?
If their requirement is for a secure master-password ... why doesn't Mozilla offer some config to enforce custom secure master-password-rules while at the same time retiring the config, that kills the password manager?
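The locking mechanism linked above (the mozillazine "Locking preferences" page) and the "about 15 prefs locked" mentioned in this thread can be audited from the autoconfig file itself. Below is an added example, not code from the thread or from Mozilla: a small parser for the one-call-per-line `lockPref`/`defaultPref`/`pref` form of an autoconfig .cfg, run over a constructed sample file; a script-heavy .cfg with loops or functions would need a real JavaScript parser.

```python
import json
import re

# Matches the three autoconfig calls that set preferences, one per line.
PREF_CALL = re.compile(
    r'^\s*(lockPref|defaultPref|pref)\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;',
    re.MULTILINE,
)


def parse_autoconfig(text: str) -> dict:
    """Map pref name -> {'value': ..., 'locked': bool} from autoconfig text."""
    prefs = {}
    for call, name, raw in PREF_CALL.findall(text):
        try:
            value = json.loads(raw)   # true/false, numbers, "strings"
        except json.JSONDecodeError:
            value = raw               # keep any other expression verbatim
        prefs[name] = {"value": value, "locked": call == "lockPref"}
    return prefs


def locked_prefs(text: str) -> list:
    """Names of prefs the user cannot change in about:config."""
    return sorted(n for n, p in parse_autoconfig(text).items() if p["locked"])


# Constructed sample resembling a corporate mozilla.cfg; not a real deployment.
SAMPLE_CFG = """\
// autoconfig files must begin with a comment line
lockPref("signon.rememberSignons", false);
lockPref("xpinstall.enabled", false);
defaultPref("browser.startup.homepage", "https://intranet.example");
pref("network.proxy.type", 2);
"""

if __name__ == "__main__":
    for name in locked_prefs(SAMPLE_CFG):
        print("locked:", name)
```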
The problem here is that this is a company installation, and thus the admin has blocked all users from installing or changing the setup. As another noted, you need to talk to your IT about doing what you are trying to do, as the admin has it locked and thus you have no permission or privileges to do what you are asking.
Chosen Solution
@private_lock: There are methods to scan https connections. Proxies that do that terminate the https connection, scan the data and then freshly encode the "clean" data into https towards the client, dynamically signing the original site with their own CA certificate. Registering that CA certificate as trusted in your IT-department-distributed browser will make your browser accept the re-encoded https stream with the locally signed server certificate as valid (assuming plain HTTPS; it is a different matter when e.g. certificate pinning is employed, but I assume that such headers are stripped by the proxy and other channels like DNS may have to be modified to match). It is indeed a grave decision to employ such a service, and like many decisions there are pros and cons, depending on the sensitivity of the data vs. the trustworthiness of the server operators, so I expect whitelists would be put in place for respected sources to allow end-to-end encryption for them. Forcing downgrade to http is certainly not desirable, and increasingly also not feasible, as all you will get from many sites during plain http access is a redirect to https. But while 10-15 years ago getting an SSL certificate was hard work, cost time and money, now with letsencrypt it is also no problem to have a throwaway spam/phishing domain certified even if it is replaced by another one after a few days of use, increasing the risk of malware distribution and other threats via https.
The about:config parameter you are complaining about is the same that is set when a user checks the box "do not offer me to store any passwords" in the password save dialogue, and denying the users this option would be a disservice. You may consider locking the option a disservice by your admin, but I agree with some other commenters here that Firefox is not to blame for that. Adding an about:config parameter to enforce or define minimum complexity on a master password may be a possible feature request for Firefox, but as it would be of benefit only in corporate environments (user-controlled installations have no or very little benefit from it) I am doubtful it would be considered a priority.
I understand that your main objective was venting frustration about your IT department, and I think you have succeeded. ;)
Yeah, you are right ... barking up the wrong tree ...
Anyway thanks for listening. Maybe one day some admin guy may find it and take it to heart.
Sorry, one more suggestion I meant to write: One path you could pursue: seeing that the IT department is not particularly open to your concerns, you could approach your company's data protection officer, explaining how the lack of a password manager offering by your IT is reducing instead of strengthening the security of company-related passwords, and maybe they will become your ally, giving your concerns more weight. Many thanks for choosing my solution.