LiveJournal breaks Firefox’s Password Manager, and therefore I hate it. It’s annoying as all hell. Why? This Bugzilla bug shows some detail. Basically, LJ and other sites don’t actually use your password, but an MD5 hash of it so it’s not sent over the net in cleartext, and manage this with some client-side JavaScripting to swap out the password and clear the field when you submit the form. There’s nothing there for PWM to remember, or so it thinks, and doesn’t prompt you. This is stupid because it’s a fricking web log not a bank account. Further, even banks don’t use this scheme. It’s insane and insipid. If it wasn’t for the fact I comment on some LJ users’ blogs, I woundn’t care.
Of course, if I knew what method Firefox uses to encrypt passwords then one could add the password in manually, like you could in Mozilla. Mozilla just used Base64 if you never specified a Master Password, which was good enough to prevent casual snooping of passwords. Of course, I’d update my Mozilla Password Tricks page with Firefox info too if we cracked it. ๐
Banks don’t have the client hash passwords because the connection is encrypted. I think Yahoo! does something similar to LJ.
Well, just because it’s only a blog doesn’t make the password any less sensitive.
Basically, I’ve implemented this before where we didn’t have access to SSL. And given the choice between HTTP Basic auth, or a relatively secure client-side implementation, you can guess what we chose to do.
That said, I can understand the problem wrt Firefox’s password manager. Maybe if HTML provided a standardized way to protect stuff like this, it wouldn’t be a problem. Hmm… maybe suggest that to WHAT-WG?
Since the encryption is done with JavaScript, couldn’t you just turn JS off once, have Firefox store the password, and in the future (with JS enabled again, or not) get it prefilled?
The remembering doesn’t happen because the JavaScript erases the contents of the password field once it has hashed it. At least, that’s what I think. ๐
On my website, I send the password as plain text. But, the cookie which is stored for auto-login has the MD5 instead. I think thatโs a nice compromise, sending MD5 upon submission would be too bothersome and require Javascript.
~Grauw
Oh yeah, this is typical. Firefox just decided to start remembering the PW. Poof. IT didn’t earlier today, now it does. God smiles on intermitten bugs…
You don’t even need to turn JS off – LJ has a page for people who have issues with their encrypted login. Just use http://www.livejournal.com/… to login and Firefox will remember the password just fine.