I hate LiveJournal for breaking Password Manager

LiveJournal breaks Firefox’s Password Manager, and therefore I hate it. It’s annoying as all hell. Why? This Bugzilla bug shows some detail. Basically, LJ and other sites don’t actually submit your password but an MD5 hash of it, so it’s not sent over the net in cleartext, and they manage this with some client-side JavaScript that swaps the hash in and clears the password field when you submit the form. There’s nothing there for PWM to remember, or so it thinks, so it doesn’t prompt you. Note what this buys you: the hash hides the plaintext from a passive sniffer, but the hash itself is now what logs you in, so anyone who sees it on the wire can replay it; it is no substitute for SSL. This is stupid because it’s a fricking web log, not a bank account. Further, even banks don’t use this scheme. It’s insane and insipid. If it wasn’t for the fact that I comment on some LJ users’ blogs, I wouldn’t care.

Of course, if I knew what method Firefox uses to encrypt stored passwords, one could add the password manually, as you could in Mozilla. Mozilla just used Base64 if you never set a Master Password, which is obfuscation rather than encryption but was enough to prevent casual snooping of the stored passwords. Of course, I’d update my Mozilla Password Tricks page with Firefox info too if we cracked it. 🙂

6 Comments

  1. Jesse Ruderman had this to say,

    March 15, 2005 @ 4:24 am

    Banks don’t have the client hash passwords because the connection is encrypted. I think Yahoo! does something similar to LJ.

  2. Daniel had this to say,

    March 15, 2005 @ 4:24 am

    Well, just because it’s only a blog doesn’t make the password any less sensitive.

    Basically, I’ve implemented this before where we didn’t have access to SSL. And given the choice between HTTP Basic auth, or a relatively secure client-side implementation, you can guess what we chose to do.

    That said, I can understand the problem wrt Firefox’s password manager. Maybe if HTML provided a standardized way to protect stuff like this, it wouldn’t be a problem. Hmm… maybe suggest that to WHAT-WG?

  3. Jan! had this to say,

    March 15, 2005 @ 7:12 am

    Since the encryption is done with JavaScript, couldn’t you just turn JS off once, have Firefox store the password, and in the future (with JS enabled again, or not) get it prefilled?

    The remembering doesn’t happen because the JavaScript erases the contents of the password field once it has hashed it. At least, that’s what I think. 🙂

  4. Laurens Holst had this to say,

    March 15, 2005 @ 7:58 am

    On my website, I send the password as plain text. But the cookie which is stored for auto-login has the MD5 instead. I think that’s a nice compromise; sending MD5 upon submission would be too bothersome and require JavaScript.

    ~Grauw

  5. Grey had this to say,

    March 16, 2005 @ 3:39 am

    Oh yeah, this is typical. Firefox just decided to start remembering the PW. Poof. It didn’t earlier today, now it does. God smiles on intermittent bugs…

  6. michaell had this to say,

    March 16, 2005 @ 8:38 pm

    You don’t even need to turn JS off – LJ has a page for people who have issues with their encrypted login. Just use http://www.livejournal.com/… to login and Firefox will remember the password just fine.