subdavis / Tusk

🐘 🔒 KeePass-compatible browser extension for filling passwords.
https://subdavis.com/Tusk

Previously typed in password visible in history drop-down list #191

Closed martinschwinzerl closed 6 years ago

martinschwinzerl commented 6 years ago

This issue is a

Please describe the current behavior, and explain why it's bad.

I am using Tusk 2018.6.16 on Mozilla Firefox 60.0.2 (64-bit) / Ubuntu 16.04. I recently started to play with the eye symbol in the master password entry field and was able, typically by toggling it, to access the (correct) password, as entered in a previous session, in the "history drop-down" of the field (sorry, I don't know the proper name for this function; I'll try to add a screenshot though).

Please describe how you think it should change.

The functionality with the eye is nice (as you can see, I have a fairly long password), but the password should never ever be displayed to anybody without entering it first. In addition, it probably would be nice to disable the "view password in clear" functionality on a per-installation basis (someone might mess with this setting and might be able to glance over one's shoulder while typing it in).

Anything else?

I use a master password in Mozilla which I nowadays hardly ever enter, so the entry of this field should not be among the saved passwords in the Mozilla internal store.

(screenshot: tusk_issue)

subdavis commented 6 years ago

Hey there, Martin.

This seems like a serious issue, but I cannot figure out exactly what you did to make it happen.

I've never seen any sort of "history" dropdown before, but I know exactly what caused it. `input type=password` will never allow the browser to suggest an entry history. The eye toggles this type to `type=text` to make the password visible, thereby suggesting to the browser that this is a safe field to cache.

This is, as you've noted, very dangerous and I regret that the bug made it onto the webstore. I'll be reverting this feature and pushing an update as soon as possible. Thank you very much for reporting it.
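The mechanism subdavis describes (flipping `type=password` to `type=text` makes the field look like an ordinary text input, which the browser's form history is free to remember and later suggest) can be mitigated without dropping the eye feature. The following is an added example written for this thread, not code from Tusk: a visibility toggle that keeps `autocomplete="off"` on the field in both states, so the form-history mechanism is told not to record it, and that restores `type=password` before the form is submitted or the popup is hidden. Form history for text fields is a separate mechanism from the browser's password manager; the former honours `autocomplete="off"`, which is what this example relies on. The selectors `input[name="master"]` and `#eye` are assumptions for the wiring at the bottom; the pure helpers above it run anywhere.

```javascript
// Added example (not Tusk's code): a show/hide toggle for a master-password
// field that never lets the browser treat the revealed field as cacheable.
//
// Risk from the issue: type="password" -> type="text" makes the field look
// like a normal text input, so form history may store and later suggest it.
// Mitigation: keep autocomplete="off" in BOTH states, and restore the
// password type before submit / page hide so the field is never left as text.

// Pure function: the attribute set a field should carry for a given
// visibility state. Kept separate from the DOM so it can be unit-tested.
function attributesForVisibility(visible) {
  return {
    type: visible ? "text" : "password",
    // Tells form history (not the password manager) not to remember this field.
    autocomplete: "off",
    // Spellcheck/autocorrect services may send or sync field contents; disable.
    spellcheck: "false",
    autocorrect: "off",
  };
}

// Apply the state to any element exposing setAttribute/getAttribute
// (a real HTMLInputElement, or the stand-in below). Idempotent: calling it
// twice with the same state leaves the element unchanged.
function applyVisibility(input, visible) {
  const attrs = attributesForVisibility(visible);
  for (const [name, value] of Object.entries(attrs)) {
    input.setAttribute(name, value);
  }
  return input;
}

// Minimal stand-in for an <input>, so the helpers run outside a browser.
function makeFakeInput(initialType) {
  const attrs = { type: initialType };
  return {
    setAttribute(name, value) { attrs[name] = String(value); },
    getAttribute(name) { return attrs[name] === undefined ? null : attrs[name]; },
  };
}

// Wiring for a real page; selectors below are assumptions for this example.
if (typeof document !== "undefined") {
  const field = document.querySelector('input[name="master"]');
  const eye = document.querySelector("#eye");
  if (field && eye) {
    let shown = false;
    applyVisibility(field, shown);
    eye.addEventListener("click", () => {
      shown = !shown;
      applyVisibility(field, shown);
    });
    // Never submit or leave the page with the field in the text state.
    if (field.form) {
      field.form.addEventListener("submit", () => applyVisibility(field, false));
    }
    window.addEventListener("pagehide", () => applyVisibility(field, false));
  }
}
```

The important design choice is that `autocomplete="off"` is set unconditionally rather than only while the field is revealed: the browser decides whether to record a value at submit time, so a field that was ever shown as text must already be marked as non-cacheable by then, not merely switched back.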