by sys42590 1274 days ago
Does anyone have the time to do a code review on that? I would not be surprised if there's even less entropy in Firefox-generated passwords than the bug report might indicate (e.g. it just uses time and domain as the random seed).

If that's the case it would make a new "named" vulnerability (FOXHOLE, FIREBLEED, whatever).


It uses a PRNG with no site-specific seed; it just stores that result temporarily so it can be filled in password confirmation fields or login forms during the same session, to ensure the user can complete their password change process. Code: https://searchfox.org/mozilla-central/rev/abcee8d2c97a5c8a1f...
thanks for the link, much appreciated
It generates the same password when on the same domain. There's probably a usability explanation for this behaviour, rather than lack of entropy.

Wish the responder would have spent some time elaborating on "why" rather than just stating that it's "by design".

Seems they saw the submission and edited their response, appending the following:

    EDIT 2022-12-20: There are at least 3 cases where this is desirable within a short period of time:
    1. Filling password confirmation fields on the same page if we were not able to automatically do so.
    2. Filling the same password on the next page
    3. The password didn’t save on the change form so you need to fill it on the log in page.
       Bug 1551723 will give the user the option to choose a new password.
#1551723 tracked @ https://bugzilla.mozilla.org/show_bug.cgi?id=1551723
It only generates the same password if the browser session is also the same, i.e. it generates a different password for the same domain if the browser was closed in the meantime.
Lack of entropy when generating keys and passwords leads to things like the infamous Debian weak SSH keys vulnerability from 2008: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2008-0166

So I'd prefer secure passwords instead of convenient passwords...