Firefox 77 won't truncate text exceeding max length to address password pasting issues
Mozilla plans to address an annoying issue in Firefox 77: on sites that set a maxlength attribute on a form field, pasted text is silently truncated before the form data is submitted, which is particularly harmful for passwords.
Imagine the following scenario: you use a password manager to generate secure passwords when you sign-up for a service on the Internet or change an existing account password. Your expectation is that the entire password is pasted into the password field and submitted to the server.
If the developer of the site set a maxlength attribute for the password field, the pasted password will get truncated automatically. The truncated password is submitted to the server and accepted as the user password. When you then try to sign-in to the service, you will notice that the original password is not accepted because of the truncation.
Most sites don't reveal to the user that the password or other text has been truncated; this is especially problematic for passwords as you cannot easily verify the input unless a "reveal" option is attached to the field.
Mozilla found a solution that does not change site functionality but addresses the underlying problem: Firefox will mark the form control as invalid when the string entered into the field exceeds the field's maximum length attribute (if set). The user is notified about the issue so that it can be corrected before the data is sent to the server.
Firefox paints a red border around the field and displays a message that describes the problem, e.g. "Please shorten this text to XYZ characters or less (you are currently using ABC characters)."
The form cannot be submitted until the issue has been resolved; this usually means changing the entered text to match the maximum length attribute of the field.
Mozilla's solution prevents the server from receiving a longer-than-expected password or string.
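Site developers do not have to wait for the browser to do this for them. The example below is added here and is not Mozilla's or Firefox's code; it shows the site-side equivalent of the behavior described above. The key detail is timing: once the browser has pasted into a field with maxlength, the value is already truncated and the page cannot tell, but the paste event fires before insertion, so a handler can compute the projected value and flag it through the Constraint Validation API instead of letting it be cut. The `checkMaxLength`, `acceptPassword` and `attachPasteGuard` names are assumptions for this example. Lengths are measured in UTF-16 code units (`String.length`), which is also what the HTML maxlength attribute counts, so a character such as an emoji counts as two.

```javascript
// Added example, not Firefox's implementation: surface an over-length value
// instead of silently truncating it. Names below are hypothetical.

// Build the same kind of notice Firefox 77 shows for a too-long field value.
// value.length counts UTF-16 code units, matching how maxlength is measured.
function checkMaxLength(value, maxLength) {
  const used = value.length;
  if (used <= maxLength) {
    return { tooLong: false, used, message: "" };
  }
  return {
    tooLong: true,
    used,
    message:
      `Please shorten this text to ${maxLength} characters or less ` +
      `(you are currently using ${used} characters).`,
  };
}

// Server-side policy for a password-setting endpoint (constructed example):
// reject an over-length password with a clear error rather than storing a
// truncated one the user can never reproduce at login.
function acceptPassword(submitted, maxLength) {
  const result = checkMaxLength(submitted, maxLength);
  if (result.tooLong) {
    throw new RangeError(result.message);
  }
  return submitted;
}

// Browser-side guard for an <input type="password" maxlength="..."> element.
// The paste event fires before the browser inserts (and truncates) the text,
// so the projected value can still be checked in full.
function attachPasteGuard(input) {
  const max = Number(input.getAttribute("maxlength"));
  input.addEventListener("paste", (event) => {
    if (!event.clipboardData) return;
    const pasted = event.clipboardData.getData("text");
    const projected =
      input.value.slice(0, input.selectionStart) +
      pasted +
      input.value.slice(input.selectionEnd);
    const result = checkMaxLength(projected, max);
    // A non-empty custom validity message makes the form refuse to submit
    // and lets the browser draw its own invalid-field indicator.
    input.setCustomValidity(result.tooLong ? result.message : "");
    if (result.tooLong) {
      input.reportValidity();
    }
  });
  // Clear the custom message once the user edits the field again, otherwise
  // the control stays invalid even after the text has been shortened.
  input.addEventListener("input", () => {
    const result = checkMaxLength(input.value, max);
    input.setCustomValidity(result.tooLong ? result.message : "");
  });
}

// Only wire up the DOM part where a document exists (i.e. in a browser).
if (typeof document !== "undefined") {
  document
    .querySelectorAll('input[type="password"][maxlength]')
    .forEach(attachPasteGuard);
}
```

The server-side check matters as much as the client-side one: a password manager extension that fills the field programmatically may bypass the paste event entirely, and a client that omits the maxlength attribute would submit the full string, so the endpoint must enforce the same limit and reject rather than cut.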
Firefox users may turn off the new behavior by setting the new preference editor.truncate_user_pastes to TRUE.
- Load about:config in the Firefox address bar (make sure you run Firefox 77 or newer).
- Search for editor.truncate_user_pastes.
- Set the value to TRUE to disable the functionality.
- Set the value to FALSE to enable it (default).
Mozilla's bug tracker entry for the change has additional information on the implementation.
Mozilla's implementation addresses a long-standing problem that users who paste passwords into password fields (and text into some other fields) may have experienced while using forms on the Internet. It is not just a problem of manually pasting content but may also occur if password manager extensions are used to paste.
Now You: how do you enter password information on the Internet?
I suppose Covid-19 will now disappear, (so-called) global warming will stop and Microsoft will start doing quality control again: Firefox has actually implemented a useful feature, for the first time since baked bread was invented.
This password length bug is indeed quite frequent, and hugely annoying. It’s entirely the fault of bad design by websites, including security-minded websites, may I add. Because if the first form truncates the password silently (which it should not do, anyway), why does the second form accept it wholesale?
We need to create a political party to bully websites into lifting any limitations on passwords: length or character set. There are people out there who need to be told that password managers exist, and they should actually praise and encourage those of their customers who are using them. Instead of doing security like it was 1990.
I guess a similar feature could not be implemented on password managers, where it belongs. Only the browser knows that a webform has truncated a password.
This is very unfortunate, because on the other hand, you really should not use a browser to store your passwords. I suppose, and hope, that this feature is not linked to one using Firefox as a password manager.
I’ve experienced more than once the scenario described in the article, especially that I create 32 character passwords by default. When submitting a new password I count the * to be sure the 32 are there but this is not error-free.
Excellent Mozilla initiative for Firefox.
By the way, why is it so hard for site admins to be specific about their password format, even if more and more sites state at least one of the following:
– Min and max password length
– Upper/lower differentiated, alpha/numerical, special characters accepted, required?
I’ve seen sites where I had to test a password over and over again in order to meet the site’s password requirement. Why not be clear about it? Maybe because many administrators rely on the idea that users won’t propose anything more elaborate than 12-character childish passwords, which is unfortunately true for a vast majority of us but not for all, so it’d be nice if these admins considered reality rather than stats.
Excellent, useful stuff!
I always enter my password manually from KeePass. I have never had this problem of password truncation, except for the Flickr app on Android. Weird, since on Windows 10 I can copy/paste the same long password in Brave and it will be accepted.
OMFG finally!!! Thank you Mozilla!
I have had this annoying problem so many times that I just had to give up making super long passwords and was forced to make short less secure passwords.
Well done Mozilla! Finally a solution to a real problem!
And jeers to all the websites and services that don’t explicitly tell you their password requirements BEFORE you enter your password. It literally takes under 10 seconds to write the HTML to display this information on a website! There is no excuse.
I’m not so sure that it's a good idea to use a browser's password manager in the first place. If this was a standard practice among all internet users, this problem would be a non-issue.
How does a password manager fare, in terms of privacy and security? Can you be absolutely sure that the passwords handled by the browser are not stored in the cloud somewhere? Those who trust that type of storage are fooling themselves if they think that sort of solution is watertight when it comes to security.
Taking the attitude that nothing is secure, being conscious of the fact that you should trust no-one with your data, contributes to a very cautious approach towards internet usage, and minimizing the level of personal information you part with on the internet, is surely the best philosophy to adopt. In fact I’d go one stage further, and INVENT a totally fictitious profile, exclusively for internet use, keeping your real life separate from your online profile.
But I digress, the point is, there must be better, more private ways, to store passwords, I for one would most certainly, never use a password manager in a browser, regardless of how convenient it is.
Peter Newton [London UK]
@Peter Newton, doubt is essential, which differentiates it from paranoia, all of certitudes symmetrical to those of gullibility.
I can understand your doubts being myself deeply committed to privacy and security and when it comes to the Web both are often tied.
– Managing login credentials with a browser’s dedicated password manager: unless the user has his settings synchronized via a browser’s account, I’d be willing to admit these passwords remain stored locally and only locally.
– Managing login credentials with a browser extension: the idea is that the user’s passwords are encrypted locally then sent to the extension’s cloud servers, or not. I know none which keeps all only locally, or has that option. The advantage is that credentials are accessible from any device wherever it be located; the disadvantage is that it triggers a user’s doubt: I have no certitude that my credentials in the cloud, though encrypted, remain encrypted to an expert’s talent, to a company’s inquisition. I’m delegating private matter to a company because confidence is slightly higher than skepticism. I sleep with one eye open: I wouldn’t send over the cloud, even encrypted, my bank login credentials, for instance, nor whatever I consider as highly confidential: a reasonable confidence is a good answer to a reasonable doubt, I presume.
– Managing login credentials with an external application: this is, I think, what most savant users do. Data is kept local and the login credentials it manages may be either copy/pasted (the old way, cumbersome) or called via a transfer protocol set by the user. Forgive the technical imprecision given this is not my choice. I do have a basic, simple local password manager (passwords and all we’ll consider private data) which I refer to when my lack of certitudes will have led me to not include them in a browser’s built-in or a browser’s dedicated password manager.
I guess the idea is that the more a user wishes to comply with privacy, the more work and time will be required. Where is the limit between the very idea of a digital environment (ease of use) and privacy? I guess that’s up to each of us to decide, but I do believe that on the networks as in life, lack of knowledge may lead to excess of confidence as well as to excess of skepticism; to balance both in an optimized way there is nothing but knowledge.
You’re assuming this feature only works when using Firefox's own password manager. Do you have positive information to that effect? The article suggests the contrary:
“Imagine the following scenario: you use a password manager to generate secure passwords when you sign-up for a service on the Internet or change an existing account password.”
Does anyone know if this is a feature that will come to Chromium as well?
I couldn’t agree more with the points you make in your reply, however, I sometimes wonder if anything is safe on the internet, given the recent history of data exfiltrations, breaches, and the devious methods employed by many data entities and developers of popular operating systems.
I have adopted the “Steve Gibson” approach, “T.N.O.” – Trust No-One.
Even if personal data and passwords are stored locally, how can anyone check to see if that data has not been copied, or sent surreptitiously to the developers, providing stats, or whatever else the bogus reasoning is for its collection. We rely on interested parties, and investigators to blow the whistle if this is ever discovered, but often by the time it comes to light, it is too late.
You are right, we have to try to strike a balance between practical usability and minimal supply of personal data; it's a hard long road, and it's very much dependent on the individual.
The recent Covid19 crisis brought into focus, the total lack of technical and security awareness that our country’s politicians have, as demonstrated by the coverage of the house of commons question time remote meetings. It was plainly obvious that most, if not all of the participants, were completely unaware of how to use Skype properly, and in one case, an MP talked for one minute, while his microphone was muted, and for that reason his question was passed over.
I’m willing to bet that these people are using either Windows 10 or Apple OS, and in view of the inherent insecurities, it frightens me to death at the prospect, when you stop to consider the sensitive nature of the content and data stored on their laptops. Combine the two factors of security ignorance, and the lack of technical knowledge, and you have an explosive combination.
Thank you for your reply.
Peter Newton [London UK]
@Peter Newton, basically I don’t see how I could disagree with any of your points. But I’m not an expert.
I’ll start with a digression concerning the “Steve Gibson” approach, “T.N.O.” – Trust No-One.
This suggestion applies to the web but as far as I’m able to observe in my real life environment suspicion if not distrust is replacing caution, and be this approach legitimate or not the fact is that the result is stress. I get to wonder if trust, even blind and excessive, is not a passport to happiness when suspicion is not. Being aware, lucid is an invitation to combat when trust is a farewell to arms. I guess we’re many trying to find the medium point, “wise as serpents and innocent as doves”. Friendship and love, after the spiritual meaning, also resolves psychologically to the comfort of a no-stress relationship. People are increasingly stressed, I’d hope considering a wound here and there for the sake of less stress is worth it. End of digression.
Covid-19 in the governments’ arenas. We’ve had our share here in France as well and to what I read many other countries as well; perhaps Asia and South Korea in particular have had the quickest and most efficient government led decisions. In Europe Germany is the leader of the band, in countering the COVID-19 as well.
Digital privacy with government data managed with digital tools requiring a knowledge politicians may not have. That’ll remain a question as far as I’m concerned because I know nothing of the security environment applied to government data, to be frank. But I do know, like we all do, that a device connected to the Web in the hands of a neophyte is nowadays potentially explosive. When I worked, some forty years ago (and it didn’t last) for Honeywell-Bull (at the time) we’d say a monkey could hit the keypad without provoking logistic damage: no longer possible nowadays. We started computing (eighties) at a time when the initiation steps (at least for the non-pros) were easy; this is no longer the case, and starting with a computing device with zero knowledge is dynamite in terms of at least privacy, given security is the big, the major approach of manufacturers, be it at the price of our very privacy.
There is undoubtedly no secret formula. Knowledge is a necessary condition but not a sufficient one. Awareness is necessary as well but, personally, I wouldn’t wish to take disproportionate behaviors, be it on the Net as in life, that would lead me to zero damage and zero happiness. Again, searching for an equilibrium is maybe not the easiest approach but, IMO, the wisest one.