Firefox 3.0.2 just came out this week, but it’s going to be replaced next week due to an unforeseen Password Manager bug.
The bug prevents users from accessing some of their saved passwords for IDN (international) domains and non-ASCII characters.
“There is no permanent data loss, the saved data is just inaccessible,” Mozilla developer Mike Beltzner wrote in a mailing list posting. “While this doesn’t affect all Firefox users, it is a significant regression and has triggered a fast-release Firefox 3.0.3 which will contain a single fix for this issue.”
The Password Manager in Firefox 3.x was a rewrite of the one in Firefox 2.x, which had experienced a few security issues. Though I know that Mozilla has gone to great lengths to secure Password Manager, I personally don’t use it (I’m a little paranoid that way).
Passwords are often the weak link in security, either in terms of password length or the simple fact that they can be guessed or reset easily (look at Sarah Palin, after all). I’d like to see the day when two-factor authentication is mainstream and passwords are only one line of defense, not the only one, for most website-based user authentication.