Is it a bug or a feature?<p>Depending on the exact wording, I completely expect the browser to suggest the same password for the same website in the same session for the same user.<p>Websites are crap and sometimes you need to enter the same password twice before the browser has gotten the notice to actually save the first one.
And here<p>https://bugzilla.mozilla.org/show_bug.cgi?id=1786712<p>This is sort of a ridiculous bug, tbh. What rationale could there be for this being "currently by design"?
Most recent issue that tracks this is https://bugzilla.mozilla.org/show_bug.cgi?id=1551723
This is pretty absurd and goes against every expectation I'd have of a password generator. The only reason I can think of it being useful is if the site has a separate screen for a confirm password field, but even then the password should be saved in the password manager the first time it is submitted.
If you are on a UN*X-type system, you can create your own random passwords very easily.<p>tr -cd "[:alnum:]" < /dev/urandom | fold -w 20 | sed 10q<p>So I have no need for these fancy password generators :)
This is quite easy to reproduce. Wow.<p>IMO they should just remove the password generator feature. It's barely usable, and with this behavior it's just dangerous.<p>Why barely usable? Some really simple features are missing. I miss the ability to specify password requirements - for annoying sites which specify length, require so and so many these and those types of characters, or even forbid some types. And another one is that it's not possible to manually generate a password, not even in the password storage UI, when manually adding a new entry. So, if a site did not correctly declare a password field, which happens, you must generate a password yourself somehow.
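A sketch of the requirement-aware generation asked for in the comment above, built on the /dev/urandom pipeline posted earlier in the thread. It is an added example, not part of any comment and not Firefox's code; the function names gen_password, policy_ok and gen_policy_password and the sample policy are hypothetical.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from the thread or Firefox.

# gen_password LENGTH ALLOWED_SET
# ALLOWED_SET is a tr(1) set such as '[:alnum:]' or 'A-HJ-NP-Za-km-z2-9'.
# tr -dc drops every byte outside the set, so each kept character is drawn
# uniformly from the set with no modulo bias. LC_ALL=C keeps tr byte-oriented.
gen_password() {
    LC_ALL=C tr -dc "$2" < /dev/urandom | fold -w "$1" | sed 1q
}

# policy_ok PASSWORD CLASSES
# CLASSES lists the required character classes: l=lower u=upper d=digit p=punct.
policy_ok() {
    _pw=$1 _req=$2
    case $_req in *l*) case $_pw in *[[:lower:]]*) ;; *) return 1 ;; esac ;; esac
    case $_req in *u*) case $_pw in *[[:upper:]]*) ;; *) return 1 ;; esac ;; esac
    case $_req in *d*) case $_pw in *[[:digit:]]*) ;; *) return 1 ;; esac ;; esac
    case $_req in *p*) case $_pw in *[[:punct:]]*) ;; *) return 1 ;; esac ;; esac
    return 0
}

# gen_policy_password LENGTH ALLOWED_SET CLASSES
# Rejection sampling: draw a whole fresh candidate and discard it if a required
# class is missing. Every call reads new bytes from /dev/urandom, so nothing is
# cached or reused between calls. The attempt limit stops an impossible policy
# (for example digits only with "l" required) from looping forever.
gen_policy_password() {
    _tries=0
    while [ "$_tries" -lt 100 ]; do
        _cand=$(gen_password "$1" "$2")
        if policy_ok "$_cand" "$3"; then
            printf '%s\n' "$_cand"
            return 0
        fi
        _tries=$((_tries + 1))
    done
    echo "no candidate met the policy; check ALLOWED_SET against CLASSES" >&2
    return 1
}

# Constructed sample policy: 20 characters, look-alikes (I O l 0 1) forbidden,
# at least one lowercase letter, one uppercase letter and one digit required.
gen_policy_password 20 'A-HJ-NP-Za-km-z2-9' lud
```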
Does anyone have the time to do a code review on that? I would not be surprised if there's even less entropy in Firefox-generated passwords than the bug report might indicate (e.g. just uses time and domain as random seed).<p>If that's the case it would make a new "named" vulnerability (FOXHOLE, FIREBLEED, whatever).