Password Vulnerability In Firefox 2.0.0.5

Paris The Pirate writes "According to a message posted over the weekend on the Full-Disclosure mailing list, the latest version of Firefox, 2.0.0.5, contains a password management vulnerability that can allow malicious Web sites to steal user passwords. If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

Is this OS independent?

[sexybomber]

I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

Re:Is this OS independent?

[Compholio]

I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

I can confirm that it works on Linux.

Re:

[jsse]

I can confirm that it works on AmegaOS, Atrai, Sinclair ZX81 and PDP too.

Well...actually I can't. If you excuse me, I'll go back to my corner where I can dialog with my shadow.

Re:Is this OS independent?

[RealGrouchy]

I haven't RTFA (after all, this is Slashdot), but are all OSes equally vulnerable?

I can confirm that it works on Linux.

TFA, or the vulnerability?

- RG>

Re:Is this OS independent?

[Mr. Sketch]

From what I read, yes. It only exposes passwords for the site you're visiting. The most common case of this is on myspace, where visiting a malicious website will transfer your myspace username/password to the website owner. This vulnerability exists on sites that allow users to post custom html and javascript and will expose your username and password for that site.

This does not expose all your passwords, so if you have you bank password stored, it's safe, unless your bank has pages that allow users to post custom html and javascript.

Re:

[slagell]

Or unless you use the same password for myspace and a bunch of other places

Re:Is this OS independent?

[PPH]

Memo to self: Take my /. password, 'ImADork' off my bank account.

Re:

[Anonymous Coward]

I already changed your bank password for ya.

Dork.

Re:

[PPH]

Thanks, dude.

While you're logged on, could you send me a couple of bucks for the weekend? If there's anything left, that is.

Re:

[snowgirl]

You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

Granted my IMs all store my password, because I want them to log in automatically, but I just simply do not trust a webbrowser to keep any of my passwords.

Re:

[dougmc]

You know... this is one reason why I don't store ANY of my passwords for webpages anywhere but my head.

... which probably means that your your webpage passwords are probably all the same, or many are the same, or you just don't use many web sites that make you log in. Or you have superhuman memory, of course.

Which is worse? Keeping the same password everywhere, or risking that there might be a hole in your browser at some point? (Or that somebody might hack into your box and copy the entire password file.) I'll have to say the first.

Still, keeping your bank password (and other passwords that rea

Re:Is this OS independent?

[snowgirl]

Actually you're safe if you use a master password with your password manager.

Well this story kind of points out why obviously, this statement isn't necessarily true.

Oh really?

[jgoemat]

How are you safe?

1. Open browser
2. Click on MySpace bookmark
3. Enter master password to login to myspace
4. Visit joebob's page, which has javascript to steal your password
5. pwn3d

If you're on the site with the vulnerability, you probably already entered your master password to login, and you only have to do that once per session to use all of your passwords.

Re:

[snowgirl]

Ah, I generally use the website's password storage for that.

Of course, I love when I use a "I forgot my password" program and they email me my password. It's like, "Um..... thanks?"

I swear... seriously, everyone seems to have really poor password security, so I have a standard throw-away password for random sites that I don't particularly care if they go one way or the other.

Re:

[xsadar]

This does not expose all your passwords, so if you have you bank password stored, it's safe . . .

It may be safe from this particular vulnerability, but I would never consider a stored password to be safe.

Re:

[rapidweather]

..and allow Firefox to remember your passwords..

In Rapidweather Remaster of Knoppix Linux [geocities.com], my livecd linux distro, I always set up Firefox _not_ to remember passwords.
I put Firefox 2.0.0.5 in the Remaster [blogspot.com] just last week.
Also, when the user closes Firefox, I have it set up so the entire ~/.mozilla is deleted. I presume that is where any password would reside. In the event of a Firefox crash, the ~/.mozilla is not deleted without an OK from the user. There is a dialog box that comes up and asks "Did you want

Re:

[Simon Donkers]

I have enabled the master password and the proof of concept fails. It launches a window asking me for my master password before filling in any passwords.

Note that the master password on it's own still is not secure because you only need to type it in once until you restart your browser but combined with the add-on Master Password Timeout you are relatively safe. Just don't browse dodgy websites minutes after logging in.

Dupe?

[InvisblePinkUnicorn]

Three days ago: http://it.slashdot.org/article.pl?sid=07/07/20/125 2215 [slashdot.org]

Re:

[the.WZA]

Yes. It's a dupe.

Dupe? Of course!

[IBBoard]

Yeah, it's the same issue. On the plus side, they don't link to the same article (unless you count the fact that this one links to an article that links to the article from the old one)

Re:

[denttford]

Yeah, the title seems to indicate that there is a vulnerability with specific to the new FF release, but no. Same story.

Same solution (for FF) - which I got from a post in the previous story (thank you): Secure Login [mozilla.org].

Dupe? What else!

[haraldm]

Ohmygod. Dupes belong to the culture of Slashdot, they are the cherry on the cake for all the people who don't get a message at the first time, or who make a living pointing out dupes on /.

For what it's worth, messages with a subject ~ "*[Dd]upe*\!" are the most common dupes, and should be avoided at all cost.

We should stop pointing out dupes and start slashing non-dupes. That would reduce the traffic by at least 24.3% and would allow /. to postpone the next harddisk purchase by a month or two, or one c

Do not save passwords

[Normal Dan]

I never liked firefox's save password ability. It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.

Re:Do not save passwords

[Mascot]

That's what the "Master Password" option is for.

Use a master password

        Firefox can protect sensitive information such as saved passwords
        and certificates by encrypting them using a master password. If you create a
        master password, each time you start Firefox, it will ask you to enter
        the password the first time it needs to access a certificate or stored
        password.

Re:Do not save passwords

[strobert]

In addition if you run with Noscript and Secure Login it really helps protect you. The former can let you disable javascript (and java/flash too) by default and only enable for sites you trust. The later makes it so that for remembered passwords firefox does not fill in the form. Instead it highlights the fields it would fill in and you have to hit the secure login button to post the form data. Makes it so that you know when you saved passwords are being used and bypasses the input flow so that keyloggers can't even record the data.

I would also recommend installing "Master Password Timeout" which will re-prompt you periodically for the password.

Re:

[LordKronos]

Did I detect a hint of sarcasm? Well then let me explain it for you.

Suppose you signup for online banking and setup a password. Then you signup for some stupid website and use the same password. The problem is, you don't know if you can trust that 2nd site with your online banking password. They may just be phishing for passwords. Or maybe they are honest but incompetent enough to store your password in the DB in plain text, conveniently waiting there for the next hacker to locate.

The solution: Use separate

Re:

[SleepyHappyDoc]

Write them all down? Thats a big no-no.

I really don't understand why this is considered insecure. My front door gets much fewer intrusion attempts than my firewall, and I have a very secure system in place there to restrict access (a deadbolt). If someone did break into my house and stole my password list, I'd know as soon as I got home, rather than having to wait until I see suspicious activity on my accounts. I get why keeping your work password on a sticky-note in your cubicle is a bad idea, but I don

Re:

[LordKronos]

Because my post wasn't addressing your specific scenario, but a general scenario instead. It might not be your personal banking password (which you use as home) that we are referring to. Instead, it might be passwords you use at the office, including internal accounts (email, accounting database, website administration), external business accounts(accounts with suppliers and other business partners, administering the retirement and health insurance plans, etc), and maybe even some personal accounts that you

Re:

[Mascot]

Passwords are personal, and they shouldn't be visible to anyone you happen to let use your computer for a second.

If you use the master password, they are not. Regardless of whether you have already been prompted for it, it will ask again if you try to reveal passwords in the list "show passwords".

Re:Do not save passwords

[dvice_null]

Passwords are not in plain text, but readable with Firefox.

You can set master password to truely encrypt them. But if you let people to access your harddrive, you can install keyloggers to steal the master password also. Or any password, no matter do you save it or not.

Re:

[Anonymous Coward]

It stores the password in plane text (at least it used to) for anyone with physical access to see if they know where to look (and it's not hard to figure out where to look). I have stolen many a passwords this way. It is worse than writing your password down and putting it in your desk.

Even worse, because it uses plane text, you are helping the terrorists, who can now hijack your passwords and fly them into skyscrapers!

Please Help!!

[The Real Normal Dan]

Very funny you jerk! You steal my password, then mock me on my slashdot account! Is there an admin around? -The Real Normal Dan

FUD

[jrumney]

Firefox's password file has never been in plain text, although if you don't specify a master password, the decryption key is stored in the same directory, so the encryption will only stop casual opportunists.

Re:

[suv4x4]

It stores the password in plane text

Shit, that's totally insecure! Way to go, Mozilla! [nationalskyads.com]

Re:Do not save passwords

[eln]

Pretty much all text is plane text. Unless it's 3 dimensional I guess.

Re:

[organgtool]

It stores the password in plane text

So your password is probably one of the entries here [xcski.com]

No Problem

[Mostly a lurker]

"... If you have JavaScript enabled and allow Firefox to remember your passwords, you are at risk from this flaw."

Will not effect me: I have a notoriously bad memory for passwords.

NoScript

[grub]

NoScript [noscript.net]
Repeat ad nauseum.

Re:

[Aladrin]

No joke, right? I forget the exact vulnerability that recently made me install NoScript, but there's been enough cross-site scripting, ajax, and stored-password exploits recently to make anyone paranoid.

Re:

[Aladrin]

It's like a condom... It's not there because it's necessary every time. It's there for the one time you really really need it.

Re:

[networkBoy]

Well... I guess it's better than a car analogy.
-nB

Re:

[Aladrin]

Crap. I'll try harder next time. Fix-a-flat maybe? Wouldn't need much change in the wording, either.

Re:NoScript

[Bacon Bits]

NoScript is a horrible fix for this, because NoScript and the password manager use the same method to determine what is safe: the domain name of the server.

If I go to, say, Blogspot.com with FF and I'm a member, I probably log in and save my password with FF. If I have NoScript and I visit the page frequently and post lots of comments, I also probably have blogspot.com on the trusted site list. If I go to a malicious blog (well, alright, a blog that exploits this vulnerability -- they're all malicious) then a) I'll be on a site that the password manager trusts and I'll be on a site that NoScript trusts.

Re:

[Kingrames]

Then don't go to blogspot.com.
If the website allows that kind of malicious behavior, then they need to change.

Re:

[Bacon Bits]

Yes, that's brilliant. I guess we don't need to worry about IE security flaws either, then? They have workarounds, too! Ah well, and /. has such fun railing MS for it, too.

Re:

[Bacon Bits]

And every site on the Internet is like this? They *all* use the FQDN to distinguish one page from another?

Re:

[LuSiDe]

I guess it could be exploited even through the sites you allow, though.

True, but you only add sites you trust which severely lowers the chances.

One can certainly save their passwords. Just don't save them directly in an monolithic application which is highly interactive with the Internet such as a web browser. Use something like a virtual wallet such as KDE's Kwallet (GNOME has a similar feature). This way you assign complex passwords (8 random characters, alpha-numeric, CaSe SeNsiTiVe) e.g. made with the c

Passwords in general

[the.nourse.god]

<sarcasm>And this is why I save all of my passwords in IE</sarcasm>

This is why we need something better that text passwords for authentication on the web. Most people can't remember all the passwords they use on every site they go to. To cope with this, Average Users do either one of two things - use the password remembering method in their browser of choice or use the same (weak) password for everything. Granted, there are some decent password management utilities out there, but your Average User would rather use a tool they already have.

Re:

[CBravo]

This is why we need something better that text passwords for authentication on the web.

Well you could use a USB stick which emulates a keyboard that can insert username/password combinations. Or you could use standard encryption methods... (signing, etc).

OpenID

[Poromenos1]

God, I wish everyone would just switched over to OpenID and be done with it. One password for everything? Sign me up! (Well, I already have). Now I'm just waiting/hoping it'll gain critical mass and start being implemented into every site.

Again?

[HouseArrest420]

How is this news again? If you have enough knowledge to post a slashdot article, its certainly not your first time here, and one would hope you saw the SAME issue from 3-6 days ago.

Stealing passwords? Hardly...

[goldspider]

This isn't theft, it's liberation! Information (including passwords) wants to be free!

Re:

[AndersOSU]

Not only that, but when they use the free passwords, it's not identity theft, it's identity infringement.

Re:

[jgoemat]

This isn't theft, it's liberation! Information (including passwords) wants to be free!

I assume you are making a dig at the anti-copyright crowd. The distinction you fail to see is that copyrighted works are published, letting recipients know exactly what is in them. It is merely the monopoly on copying and creation of derivative works that is protected by law in order to give the public an incentive to create new works. Passwords are opposite in that they are kept secret for a good reason. Also they p

NoScript

[Junior J. Junior III]

On the subject of Jasascript-enabled security holes, I use Javascript because so many sites depend on it, but block all scripts using NoScript until I decide to trust the domain of origin of the script. What I'd really like is a NoScript that will let me look at the script's source code before I decide to trust it, and allow/deny scripts on a per-script rather than per-domain basis.

That said, is there a good Add-on for Firefox that handles password-management more securely? Something that keeps them store

An extension to help you...

[Aleksej]

Secure Login [mozilla.org]

Re:

[e_AltF4]

Using it for some time and it seems to stop the vulnerability.

Recommended if you are lazy (as i am) and allow FF to manage your passwords.

Not so critical

[Klaidas]

Sure, it's a big issue, yet how many peope actually use the "remember my password" feature? I just usually check the "remember me" box near the login and password entering fields, or enter my passwords manually.

Re:

[compro01]

i use it at work, but all the sites i use it for are internal sites that aren't accessible from outside our network, so i don't see any issue for me.

Is it Firefox specific?

[140Mandak262Jamuna]

From what I understand, the user visits a site and the browser dishes out the remembered username password to that site. Whenever that site requests the username and password, the browser would do so. If the site allows anyvisitor to post javascript code and it incorporates such posted code as part of its own page, then the user too can use javascript to request the username/password and use javascript to phone home.

Now why any of it is Firefox specific? Any browser/ browser-helper-object /password help toolbar would do the same. If you have only one user name for a site, firefox will pre-fill the field. And the javascript can read it without a get or post. I would guess this behaviour of prefilling when the username is unique is probably a Firefox thing.

Generally sites that allow users to post javascript code would be dangerous and should not be visited. But I would not know a priori these sites.

Re:

[makomk]

Bingo! Notice that, in the demo, the password form and the malicious page are on the same domain. JavaScript's security model is not designed to protect against situations like this - even if Firefox only filled in the password on the actual password form and not the malicious page, the malicious page could just load up the password form in a frame and use cross-frame scripting to retrieve the password. This is a non-event.

Safari

[ens0niq]

Safari also vulnerable... [marc.info]

Re:Safari

[pherthyl]

Interestingly enough, Konqueror/KHTML (on which Safari is based) is not vulnerable (just tried the demo). It does password saving as well, but apparently have found a way to avoid the problem.

Trust

[BlueParrot]

a) If it is your machine you could just as well use a PGP encrypoted text file. If the website in question is still vulnerable, then it is a problem with the website, and changing browser won't help you.

b) If it is not your machine, or if you think your machine is compromised, then you really shouldn't be typing your passwords in it to begin with.

Seriously, find a strong passphrase and store the damn password list as a PGP encyrpted file on a USB pen drive. Only decrypt it on machines you trust. If you stil

the great law of computer security

[wikinerd]

The Great Law of Computer Security: Networked computers are insecure by nature. Everything that is stored within a networked computer can and will be compromised. Corollary: Always use a non-networked computer to store critical data, or better yet, no computer at all; a piece of paper inside your wallet is probably safer at most situations. Shortened version: Distrust all computers.

Not the only issue

[the_womble]

I have found all versions of FF from 1.0 to 2.0.0.4 tend to sometimes store a password unasked, and then automatically fill in the password (but not the username) on my next visit to the site.

I have never heard of anyone else having this problem, and I cannot reliably reproduce it, but it does happen occasionally.

never need to remember unique passwords per site

[speculatrix]

I am shamed to admit but I used to use the same password on many sites, only using unique passwords for those I regarded as important. It was only when at one job the employer terminated the employment of many staff (financial problems) and we were forced to leave the building without returning to our desks that I realised that saving passwords on a work computer was not a good thing (my then former colleagues would have had access to my password saves in firefox and thus access to my default pass).

Since

Stupid Design

[Slashdot Parent]

Is there some reason that Firefox thought it was a good idea to automatically populate passwords for the user?

It just seems to me like better design to require some sort of user interaction before coughing up a password.

Master Password

[Bellum Aeternus]

Since disabling JavaScript really isn't an option these days, I guess my question is: Do using a Master Password (like I do) really protect you and will somebody from Mozilla comment, please. Seriously, since the advent of an integrated Master Password I've been letting my web browser remember passwords for me, but really put a dent in my confidence.

How to solve this

[Random832]

How to solve: Do the opposite of what's done with input type=file
With input type=file, the script cannot write the value, and changing it to this from another type clears the value. With input type=password, have it so that changing it _from_ password _to_ another type clears the value, and so that the script cannot _read_ the value.

Learn more about this exploit

[giminy]

This exploit involves users visiting a malicious website. To learn more about this exploit, click here [p0wn3d.com].

Like I'm dumb enough

[Master of Transhuman]

to allow any APPLICATION to remember my passwords...

That's what my brain is for. And for those of you without brains - and you know who you are - there are encrypted password managers for that.

Sorry to come in late but there catch to this

[Allnighterking]

IF you password protect your master password list then when you go to the "evil page" it will pop up a window asking for your master password. Furthermore to protect yourself even more you can install this plugin Master Password Timeout [mozilla.org] and set your password to time out after a very short period of time. This way every page you go to during your session that has a login you will have to enter you master password again anew.

Is this a fix. No. Does this work on all OS's yes.

Re:Password Remember Function

[SatanicPuppy]

Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

Like anywhere else, you need to make a trade off between usability and security. Sure, it's not perfectly secure, but it's not worth it to me to have to remember the one off junk password I made up for NYTimes.com.

The real issue, as usual, is javascript. I use "NoScript" and am careful about which sites I allow to execute scripts at all. That will do more for your security than anything else.

Low security passwords

[benhocking]

Eh. Depends on what passwords you set it to remember. There are a ton of BS passwords that I don't give a damn if someone steals.

Absolutely. My Slashdot password, for example, is one that I allow Firefox to remember. Er, not that I'm claiming Slashdot is BS or anything. ;)

Re:

[mdm-adph]

Same for me -- important passwords, like my bank's online account access, I never allow anything to save, not even Firefox.

Re:

[Vexorian]

I actually think gp is right to one extent.

For the sites I don't care about I use the same generic old password that I have used from 2003, I mean, if they are stolen I just risk a bunch of of dummy email addresses and other crappy services I don't really care too much about. For the things that matter I keep though and strong passwords that I better remember and not "write them down" or let a browser keep them... Often things that matter are just 3 so memory is not an obstacle...

Re:

[bahwi]

Meh, if someone has access to my computer physically anyways they can get all my passwords by installing a keylogger anyways. The vulnerability only affects the sites that let people post custom html/javascript. Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

Re:Password Remember Function

[eck011219]

There are a couple issues here. First of all ...

Those sites are just social sites like myspace and other stuff and who cares if someone gets your password for that.

You'd probably begin to care after someone "hacks" your MySpace page and posts distasteful or illegal language or images. Explaining all of that to a police officer or a judge and jury is rife with peril.

But the other point I think is pertinent here is that Firefox is really going for the common man crowd -- you don't buy a full-page ad in the New York Times if you want only geeks. So knowing that the average joe will be using Firefox and will happily save sensitive information if encouraged to do so (as one is with Firefox), that particular feature really has to be pretty rock-solid (or at the very least, not vulnerable to a pretty basic and classic javascript exploit).

Don't get me wrong -- I love Firefox and use it almost exclusively. But this is the kind of thing that, whether truly a hazard to most users or not, can scare people away if it is carelessly presented to the public. Or if it really is a risk.

Re:

[eck011219]

You're right -- I'm not arguing anything on behalf of other browsers (particularly IE -- as a guy who lives and breathes CSS all day, that alone has me hating IE). I'm just saying that the anyman's browser needs to provide protection IF it offers it. You could certainly make the password saving function an option you turn on instead of have to turn off. But that kind of hides it from new users who don't know where to look (or that there's anything to look for). I think better encryption defaults (like the c

Re:Password Remember Function

[Tridus]

I knew Post It Notes were more secure!

Re:Password Remember Function

[DigitAl56K]

Who modded the parent post "Insightful", and why? It is a one line blanket statement cast against millions of people without discussion or foundation. I hope someone takes away your mod points.

If you use many websites that require you to log in you don't have many options. You could use one password for all of them, in which case a breach on one account by an attacker essentially breaches all other accounts that they discover, or you can use unique passwords on each site, in which case it soon becomes impossible to remember them all accurately - especially for sites that you don't use very often. Additionally, some sites have rules around the number of upper case characters, special characters, digits, etc. in passwords, and these can be particularly difficult to remember.

Certainly people are foolish if they store logins for bank accounts and the like in the password manager, but most people only have one or two really important logins.

People who use the remember passwords functions are not idiots. People who expect the "remember passwords" functionality to be secure are not idiots either - if an application used by millions includes such functionality one would expect the developers to have secured it.

Re:

[Anonymous Coward]

Why do idiots still spread the FUD that it is bad or a "security threat" to use their credit card online? You are perfectly safe. If someone does steal and use your number you are only responsible for the first $50, and every bank I've ever dealt with if waive that. Idiots like you are the reason it took me so long to convince my mom not use use PERSONAL CHECKS an eBay. Because of the FUD about credit cards, I had a hard time explaining to her that they were MUCH safer than checks! You are MORE vulnera

Re:

[dwater]

> You are MORE vulnerable using your credit card in a "real" store than online.

Care to back that up?

Re:

[LoverOfJoy]

Why must every decision either be the best, most secure, or one made by an idiot? Aren't there decisions that may not be the ideal or may have some downsides to that aren't made by idiots?

Or Firefox for that matter

[benhocking]

<satire>All the truly intelligent people use Lynx.</satire>

Wimp

[missing000]

Real men use telnet for every IP session.

Re:Wimp

[dattaway]

telnet is for weenies.

netcat is for men.

Re:Wimp

[Anonymous Coward]

i just attach the cables to my nipples and decode the packets manually.

Re:Wimp

[rleibman]

i just attach the cables to my nipples and decode the packets manually.

Yeah, but can you generate outbound traffic?

Re:

[LordEd]

Outbound traffic is sent back on a different port.

Re:

[uradu]

> decode the packets manually

Manually?! Wouldn't your hands be otherwise engaged?

Re:

[grub]

I'm going log in to your email and send your mother all the gay porn I can find.

That would be found in a tarball of your home directory.

Re:

[BlueParrot]

link?

Re:

[networkBoy]

ftp://127.0.0.1/home [127.0.0.1]

Re:

[Vexorian]

It also means that bugs get fixed faster and that if mozilla stops supporting a platform someone else can, and that we can have things like swiftfox available, so I think it is a good trade.

But security through obscurity doesn't really work too well anyways...

Re:

[IBBoard]

Possibly, but how many bugs have been exploited in Firefox because of being able to view the source code and how many would have been picked up by a closed-source 'fuzzing' anyway?

This one was a "how the browser works" based on visible behaviour, so it would have been found in a closed-source app as well.

Re:You can always do this kind of stuff with cooki

[adnonsense]

Err, I don't know about myspace, but any half-decently programmed website (hopefully the majority) won't be storing anything in your cookies other than trivial configurations preferences and a session key. Certainly not your password. While it's possible to hijack the session by reading the session key (and there are ways of preventing that on the server side too), that won't get you the user's password. Unless the site in question is incredibly badly programmed, in which cae you're probably lost anyway.

Re:

[Random BedHead Ed]

I'm not entirely sure it is the site's responsibility. Or rather, who you choose to blame depends a great deal on how much you value your passwords. This warning inherent in this vulnerability isn't really intended for webmasters, but rather for browser users. And even if as a browser user you think you're safe, keep in mind that sites get hacked. Even if you trust a site, anyone who hacks it can start harvesting login credentials. Scary.

Re:

[timrichardson]

This is a very late post, but changing this setting will help:
http://kb.mozillazine.org/Signon.prefillForms [mozillazine.org]

IN firefox, enter
about:config
type prefill to seach on this term, and double click the entry above to go to false.

You will then have to double click on a field before password manager provides any input to the page.