How to fix password saving exceptions for good?
Hello! I am running out of ideas.
I do the IT support for my dad (85+ years): Firefox 70.0.1 64 bit on Windows 10 Home 64 bit, all up to date. He has various passwords saved in FF, but I specifically instructed FF to exempt the sites he uses for Online Banking sites from saving passwords.
"Access & Passwords" > Exceptions: sites listed (entered by clicking "NEVER save" when asked on login).
I have FF delete all data upon closure:
"Delete history when FF is closed" all EXCEPT for "Website Settings" (which I learned would also kill the password save barrier)
Now, I don't know what my dad does; every time I check after a week these settings are gone and FF is happily back, offering the saved login details to his Online Banking sites, also the Exception list is empty. My dad cannot say what he did to change this and maintains "he didn't do anything" (see also: typical IT support customer statements). Sometimes I find he has even reinstalled FF for no good reason (which I can see in the Apps bar). But this should not affect the Profile settings, and even if he should have agreed to delete profile data: the bookmarks are still there, so it's not all gone.
For now I have deactivated FF from saving any passwords, which is the safe choice when Online Banking is involved (no, my dad won't agree to close the Online Banking Account altogether and go to the bank). But this creates new problems with all the other less sensitive sites where he needs to enter passwords (newspaper sites etc.), which he misplaces and keeps on resetting them (to passwords which he will again not remember the next time round).
My next thought was to set permissions.sqlite to read-only, as I found this is where FF stores the exception list. Unfortunately, I realized that FF apparently updates this file every time it's run and ignores it if it finds it is out of sync with what it expects, returning to the clear sheet. So this doesn't help.
I guess I could set up an autorun batch file to delete the profile directory and restore a golden reference directory, but this could be error-prone too.
So I was wondering if the community can point me to a way to permanently fix a given list of Password-Save-Exceptions which cannot be altered by the user? Something like a config setting, available or hidden?
Thanks for any advice or pointers, Akebinko
All Replies (10)
Firefox allows you to securely store usernames and passwords for websites in its Password Manager. When you visit one of the websites again, Firefox automatically fills in the username and password to log you in. If you need to find out what your password is for a specific website for which you saved your logon information, you can easily do so. To view your saved passwords in Firefox, select Options from the Firefox menu.
https://www.howtogeek.com/111555/view-and-delete-stored-passwords-in-firefox/
I think this will help you, thank you :-)
Dinushi, thanks for your attempt to address this issue.
It's unfortunate that I did not make clear enough that I am aware of the trivial steps to display and delete stored passwords. Of course I did that before setting up the password save shield again. In fact it's the obvious and first thing I do when I start up Firefox and find it offering the filled-in login details.
Hoping for the community to address the actual question I put.
Regards, Akebinko
Is your father changing the settings to remember the passwords?
FredMcD,
As I wrote: he claims he did nothing of the sort.
And I don't think he goes into the settings. Even if he did, it would not be easy to find this setting. Mozilla made a good job of making this very intransparent over the past years' releases even for me who works in IT support.
I have a hunch that my dad may be offered an option to reset Firefox and just clicks it, not knowing what it does. Or chooses reset with addons disabled and resets FF (not probable though as the addons are still around).
Regardless, I am asking y'all for a way to make the exception list more permanent so that it cannot be edited/cleared.
Regards, Akebinko
Is this only about block exceptions for specific hosts (domains) and do you want to allow storing passwords for other domains?
I don't think that it is possible to lock exceptions, so even if you would force an exception when you start Firefox it would still be possible to go to the exception manager window and remove the exception or clear the Site Preferences via "Clear Recent History".
See:
Note that you need to disable the sandbox via autoconfig.js to be able to run JavaScript.
```
// autoconfig.js needs to start with a comment line and uses Unix line endings (LF)
pref("general.config.filename", "autoconfig.cfg");
pref("general.config.obscure_value", 0);
pref("general.config.sandbox_enabled", false);
```

```
// autoconfig.cfg needs to start with a comment line
Components.utils.import("resource://gre/modules/Services.jsm");
var origin = "https://example.com";
Services.logins.setLoginSavingEnabled(origin, false);
```
Hi TyDraniu,
this is an interesting list of policies, thank you.
As I understand these are used when deploying FF to clients, e.g. in an enterprise environment. This could apply e.g. if I chose to reinstall FF on every startup (rather than simply copy a profile from backup) and have FF build the profile with profile settings defined by these policies. I think this solution is even more complex.
Also, only a fraction of these policies are usable for the 70.x release. Of course I can revert to 68esr (which I myself use on my own PC to leave the multiple addons I choose to use a bit more time to live before yet another FF release change disables them) but even then most policy entries stop at 60.
OfferToSaveLogins only works up to FF 60. The closest I can find with respect to my task is OfferToSaveLoginsDefault (up to 70), but I assume this will only switch Logins to On and Off and they can still be changed later on. I am confident that my switching off password saving manually will do the trick for now, since I don't trust my dad to venture into settings-land.
I hoped there was a hidden config key which I could use in a similar way in Firefox as I can use a registry key in Windows 10 to lock the Windows 10 task tray and prevent my dad from pushing that around (URL to a German webpage on the matter).
Regards, Akebinko
Policies should work for all Firefox versions (ESR 60 and ESR 68 and releases including the current release) above the minimum that is specified although some policies may only work on ESR and not on the release channel.
Hi cor-el!
cor-el said
Is this only about block exceptions for specific hosts (domains) and do you want to allow storing passwords for other domains?
exactly!
Thanks for the pointer to autoconfig. I will take a look at it and see if and how I can use it.
Also thanks for correcting my assumption that policies hold for a minimum, not maximum version!
I believe the autoconfig is the way to go...
Regards, Akebinko
It is possible to hide the button to open the exception window with code in userContent.css.
```
@-moz-document url-prefix(about:preferences) {
  #passwordExceptions { display:none !important; }
}
```
- https://www.userchrome.org/what-is-userchrome-css.html
- https://www.userchrome.org/how-create-userchrome-css.html
In Firefox 69 and later you need to set this pref to true on the about:config page to enable userChrome.css and userContent.css in the chrome folder.
- toolkit.legacyUserProfileCustomizations.stylesheets = true
- https://www.userchrome.org/firefox-changes-userchrome-css.html
Note that you can set this pref via autoconfig.cfg.
- lockPref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
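
Added example (not part of any post in this thread): an autoconfig.cfg body that extends the single-origin snippet posted earlier to a list of banking origins and also locks the userContent.css pref from the last reply. The two origins and the helper names `toOrigin` and `enforceNoSave` are placeholders chosen for this example; as noted in the thread, this only re-applies the exceptions at each start and does not prevent them from being removed during a session.

```javascript
// autoconfig.cfg: the first line must be a comment (added example, not thread code)
// Placeholder origins: replace with the real online-banking sites.
var BLOCKED_ORIGINS = [
  "https://bank.example",
  "https://banking.example.org/login?next=/",   // path and query are stripped
];

// Reduce a URL to scheme://host[:port], the form passed to the login manager.
function toOrigin(url) {
  var m = /^(https?):\/\/(?:[^\/?#@\s]*@)?([^\/?#@\s]+)/i.exec(String(url).trim());
  return m ? m[1].toLowerCase() + "://" + m[2].toLowerCase() : null;
}

// Re-apply "never save" for every origin and report what happened to each.
// `logins` is Services.logins in Firefox, or any object with the same two methods.
function enforceNoSave(logins, urls) {
  return urls.map(function (url) {
    var origin = toOrigin(url);
    if (!origin) {
      return { url: url, origin: null, status: "skipped" };
    }
    try {
      if (!logins.getLoginSavingEnabled(origin)) {
        return { url: url, origin: origin, status: "already blocked" };
      }
      logins.setLoginSavingEnabled(origin, false);
      return { url: url, origin: origin, status: "blocked" };
    } catch (e) {
      // One failing entry must not stop the remaining ones.
      return { url: url, origin: origin, status: "error: " + e };
    }
  });
}

// Only runs inside Firefox, where autoconfig provides Components and lockPref.
if (typeof Components !== "undefined") {
  Components.utils.import("resource://gre/modules/Services.jsm");
  enforceNoSave(Services.logins, BLOCKED_ORIGINS);
  // Keep userContent.css (which hides the Exceptions button) active.
  lockPref("toolkit.legacyUserProfileCustomizations.stylesheets", true);
}
```

The sandbox still has to be disabled in autoconfig.js, as in the snippet earlier in the thread, for the `Components` import to work.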