Bug 1118400 - [Tracking] Password Manager Security
Status: NEW (Open)
Opened 10 years ago, updated 2 years ago
Categories: Toolkit :: Password Manager, defect
People: Reporter: tanvi, Unassigned
References: Depends on 5 open bugs
Details: Keywords: meta
Master tracking bug for all Password Manager security issues.
Adding some existing bugs here. Will file more and do a cleanup of the below (to resolve duplicates).
759860, 534541 - Don't autofill username and password
748193 - Add a warning for insecure password fields
653132, 443345 - Secure Filling
Comment 1•10 years ago (Reporter)
Bug 360493 - check the form action's hostname hasn't changed from the time you saved the password. This was an issue with sites that reflected user-generated content and allowed their users to inject a <form> element. This was fixed; adding it as a dependent here for completeness.
Depends on: CVE-2006-6077
Updated•10 years ago (Reporter)
Component: Security → Password Manager
Product: Core → Toolkit
Comment 2•10 years ago (Reporter)
Bug 1118511 - Don't autofill username and password
Bug 748193 - Add a warning for insecure password fields (in general)
Bug 1118558 - Add a warning for insecure password fields in the saved logins UI
Bug 1118540 - Secure Filling
Bug 1118549 - Encrypting passwords stored by the Password Manager
Bug 1118553 - Flag duplicate passwords in Password Manager UI
Bug 360493 - Use the hostname of form action as part of the key when saving passwords (already done)
Updated•10 years ago
Keywords: meta
Summary: Password Manager Security → [Tracking] Password Manager Security
Comment 3•10 years ago
I'm appending this to our Password Manager 2015 tracking bug, to give people working on that visibility into what sort of security improvements we're thinking about.
Blocks: passwords-2015-Q1
Updated•2 years ago
Severity: normal → S3