On Wed, Jan 28, 2015 at 2:17 PM, Richard Newman <[email protected]> wrote:
>> - One less password: the password you use to sign into FxA, and to
>>   unlock the vault, is one and the same.
>> - Recoverable: should you ever forget your vault password, you can
>>   recover it via email (on your Mac or 1Password, if you forget your Master
>>   Password, you’re hosed)
>
> It might be worth clarifying here that you can't actually recover the
> password from FxA. You can recover access to the same *kA* by resetting
> your password, at the cost of losing any data that was encrypted with kB
> (e.g., the contents of your Sync account) and re-entering your password on
> each of your devices.
>
> Avoiding these kinds of pitfalls is why key escrow was suggested earlier
> in this thread. It's really hard to be clear about exactly what these
> things mean, so maybe you meant something else — if so, please do clarify!
>
> Recoverability means either using kA, or using some stable value that's
> wrapped with kA and stored somewhere.
>
>> Of course, you can also say “My vault don’t need a password to unlock
>> it”. I suspect that most people who use their own machine don’t want to
>> bother entering a password in order for Firefox to autofill.
>
> Somewhere between 98% and 95% of Firefox users, last I checked, yeah.

We need to look at these percentages in release and correlate them with Firefox usage hours. I really only care about these percentages in heavy, medium, and light users. I don’t care about lapsed users, i.e., < 10 mins a day. These are a large chunk of users and I don’t want them skewing data.
_______________________________________________
Dev-fxacct mailing list
[email protected]
https://mail.mozilla.org/listinfo/dev-fxacct
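The kA/kB distinction discussed in the quoted message, as an added example that is not part of the original thread and is not FxA code: a simplified model in which the server holds kA directly and holds kB only wrapped under a password-derived key. The `Account` class, the `wrap` helper, the passwords and the vault key are all constructed for illustration, and login authentication is not modelled.

```python
import hashlib
import hmac
import os

def stretch(password: str, salt: bytes) -> bytes:
    """Client-side password stretching; the output never reaches the server."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def wrap(key: bytes, secret: bytes) -> bytes:
    """Toy 32-byte key wrap (XOR with an HMAC pad); real code would use an AEAD."""
    return xor(secret, hmac.new(key, b"vault-wrap", hashlib.sha256).digest())

unwrap = wrap  # XOR is its own inverse

class Account:
    """Constructed server record: kA held directly, kB held only in wrapped form."""
    def __init__(self, password: str):
        self.kA = os.urandom(32)
        self._set_kB(password)

    def _set_kB(self, password: str) -> None:
        self.salt = os.urandom(16)
        self.wrap_kB = xor(os.urandom(32), stretch(password, self.salt))

    def keys(self, password: str) -> tuple[bytes, bytes]:
        """What a signed-in client ends up with: (kA, kB)."""
        return self.kA, xor(self.wrap_kB, stretch(password, self.salt))

    def reset_password(self, new_password: str) -> None:
        """Email-verified reset: the old password is gone, so the old kB cannot
        be unwrapped. kA is kept; a fresh kB is generated and wrapped."""
        self._set_kB(new_password)

def demo() -> dict:
    acct = Account("old password")
    kA, kB = acct.keys("old password")
    vault_key = os.urandom(32)  # the "stable value" protecting the vault
    under_kA, under_kB = wrap(kA, vault_key), wrap(kB, vault_key)
    acct.reset_password("new password")
    kA2, kB2 = acct.keys("new password")
    return {
        "kA_survives": kA2 == kA,
        "kB_survives": kB2 == kB,
        "vault_via_kA": unwrap(kA2, under_kA) == vault_key,
        "vault_via_kB": unwrap(kB2, under_kB) == vault_key,
    }

if __name__ == "__main__":
    print(demo())
```

In this model the server holds kA, so a vault key wrapped with kA survives a reset but is also readable by the server, while one wrapped with kB is lost together with the old password.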

