User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030612 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.4) Gecko/20030612 Mozilla should remember the password in forms as-of onsubmit, not post onsubmit: To improve security for non-https connections, we have implemented a md5 javascript login feature. Upon submit of the form, the password entered is changed to the md5sum of the password entered, and sent. Remember password then remembers the md5sum, not the value in the form as-of onsubmit. A different implementation, that takes the entered password, md5sum's it, and puts it into a second variable, and then clears the password value has similar problems - Mozilla remembers the cleared password value (the changed value post-onsubmit). The only alternative left is to leave the password in its original form, which results in transmitting the password in cleartext.. a problem we were trying to prevent. Reproducible: Always Steps to Reproduce: 1. Sign up for player account 2. Type in username and password (have it remember password) 3. Notice password gets converted to md5sum 4. Logout 5. Relogin Actual Results: Password field is auto-filled with md5sum Expected Results: Password field should be auto-filled with pre-onsubmit password.

Please note that this often-seen-on-the-web procedure is totally useless if your goal is to prevent sniffing the password on the wire. Any bad guy would of course sniff the md5sum and retransmit it in order to gain unauthorized access, without the need of knowing the original password. Essentially, the md5sum *is* the cleartext password. The only use of such procedure is to keep a server admin from accidentally seeing a password that a client might also use for other purposes. For more security, use at least HTTP digest authentication as described in RFC 2617. You might also consider basic auth over HTTPS.

No, this is wrong. A carefully-written JS would include a timestamp to prevent replay attacks. HTTPS connections would require a certificate, which such scripts work around. (Self-signed certs are not trusted and issue a warning which would be bad in some situations.)

Just a thought, but this bug looks like a duplicate of bug #235765.

*** Bug 235765 has been marked as a duplicate of this bug. ***

bug 235765 is not a dupe, Firefox has its own password manager implementation.

This bug should have been fixed by the non-passwordmanager specific changes in bug 257781. (at the same time, it has caused the regression in bug 343182)