You log out of a site (manually, or it logs you out after a period of inactivity) but don't properly lock your machine when walking away, or put your phone down unlocked, etc.: someone can now access that site as you even though you were logged out. Worse, they can take the password away and use it at a later time on an entirely different device.

It could be argued that if you don't log out of/lock devices properly then you are unlikely to log out of sites, but the principle of security in depth requires accounting for partial use of best practice, not all-or-nothing.

Also as described in the bug, you could accidentally create multiple accounts with the same password if you are creating or resetting accounts for multiple people (i.e. you are performing some sort of admin role in relation to local users of the site in question).

I can see the usability argument for the feature “behaving as designed” because often when a password cycle is required you have to enter it two or three times (once to set, once to confirm you didn't mistype that first one, then some password reset procedures don't leave you with a valid session so you need to immediately log in again with the new password), but it does strike me as one of those places where paranoia should trump usability.
But you can do the same with any password manager. If you don't lock your "vault" any of your passwords are exposed.

I think it would make sense to create a "regenerate" button or something like that.
> you can do the same with any password manager. If you don't lock your "vault" any of your passwords are exposed

True, but:

1. People are aware of that; it is an expected threat vector, so at least a little less likely to be an issue. The behaviour of the FF password generator function is unexpected (to many), so it is a hidden potential problem.

2. Good password managers have the option to auto-logout after inactivity, which can mitigate an attack if it is not performed quickly.

3. The existence of other similar attack vectors does not mean this one shouldn't be considered for closure, or, if not closing it by changing the behaviour, perhaps instead adding a warning.