🆕 Software Suggestion | Firefox Lockwise #2337

Closed
opened 2021-06-09 14:42:46 +00:00 by youdontneedtoknow22 · 11 comments
youdontneedtoknow22 commented 2021-06-09 14:42:46 +00:00 (Migrated from github.com)

Basic Information

Name:
Firefox Lockwise

Category:
Password managers

URL:

Description

I believe Firefox Lockwise should be recommended as a password manager. Syncs are e2e encrypted, and passwords saved in the cloud are also encrypted. It doesn't require addons (like Bitwarden and KeePassXC), and is easy to use for most people on all platforms (you don't even have to use an external app to access the passwords from your phone, for example; it's all in your Firefox account in the Firefox app on your phone). Most people tend to save their passwords in their browsers; we just need to make this more private and secure.
The only 2 things I would recommend are:
1- When signing up for a Firefox Account, enable 2FA
2- Using a master password on desktop. In case the device got compromised, this will prevent tools that grab passwords (WebBrowserPassView from Nirsoft, for example) from seeing and extracting the passwords. I'm not aware of any methods that can bypass the master password. (For example, even if a keylogger was used to log the master password, I'm not aware of methods that can be used to utilize that master password with WebBrowserPassView).

Why I am making the suggestion

Most people tend to save their passwords in their browsers; we just need to make this more private and secure.

My connection with the software

None.

  • I will keep the issue up-to-date if something I have said changes or I remember a connection with the software.
ph00lt0 commented 2021-06-09 17:12:38 +00:00 (Migrated from github.com)

Please tell me if anything of this has changed. I have quite a few concerns with recommending Lockwise.

  1. By default passwords are not encrypted on the device, encryption is only used for syncing.
  2. A master password can be set but you will need to do this on any device separately. This password is only used for encryption locally.
  3. There is no auto log out, meaning that sessions fetching passwords will exist forever. Is it even possible to 'wipe'/de-auth devices?
  4. Mobile app does include trackers (MozTelemetry and Adjust Analytics) and this is not opt-in as required by GDPR https://reports.exodus-privacy.eu.org/en/reports/mozilla.lockbox/latest/
  5. ~~I tried this app some time ago, and from what I could see it was impossible to add credentials on mobile manually.~~ I see this has been resolved
youdontneedtoknow22 commented 2021-06-09 18:32:22 +00:00 (Migrated from github.com)

> Please tell me if anything of this has changed. I have quite a few concerns with recommending Lockwise.
>
> 1. By default passwords are not encrypted on the device, encryption is only used for syncing.
>
> 2. A master password can be set but you will need to do this on any device separately. This password is only used for encryption locally.
>
> 3. There is no auto log out, meaning that sessions fetching passwords will exist forever. Is it even possible to 'wipe'/de-auth devices?
>
> 4. Mobile app does include trackers (MozTelemetry and Adjust Analytics) and this is not opt-in as required by GDPR https://reports.exodus-privacy.eu.org/en/reports/mozilla.lockbox/latest/
>
> 5. ~~I tried this app some time ago, and from what I could see it was impossible to add credentials on mobile manually.~~ I see this has been resolved

  1. This is correct. That's why I recommended using a master password.
  2. That's "kind of" correct. On Android phones, I can't access the passwords without using biometrics (I use biometrics for my phone). So on Android, it's already a default, but still done locally. On desktop, it's not default. So yeah, we still need a master password.
  3. That's probably not correct, if I understood it correctly.
    Once the user opens the browser, he'll be asked to enter the master password once. This will be used for the auto-fill feature. That's what normal users need. Once the user closes the browser, this needs to be done again.
    I tried using WebBrowserPassView from Nirsoft even after I typed my master password. I still couldn't extract any saved passwords. The only way to extract the passwords was by disabling the master password completely.

The only way to copy or show passwords is to go to the "Passwords" tab in the browser. Then you need to enter the master password, so the user can access the database containing websites, usernames and encrypted passwords. And then when copying or showing any password, the user needs to enter the master password once again. As soon as you close the password tab (just like closing your password manager), you need to do the same process again.

I also just checked in my Firefox Account. I can "Log out" devices that are logged in, if that's what you mean with de-auth devices.

  4. I'm not aware of that. The app would only be necessary if the user wants to manually add new passwords to Firefox. Using the browser, I'm capable of viewing my passwords, copying and modifying them.
ph00lt0 commented 2021-06-10 17:06:17 +00:00 (Migrated from github.com)

Thanks for the response.

The concern here is about desktop clients, not talking about android here as the app (hopefully), I am assuming here, uses the encrypted storage.

> That's "kind of" correct. On Android Phones, I can't access the passwords without using Biometrics (I use Biometrics for my Phone). So on Android, it's already a default, but still done locally. On Desktop, it's not default. So yeah, we still need a master password.

I think this is a problem. Lockwise is used to autofill passwords in other apps; if it can't do that without violating users' privacy, I really don't feel like this should be recommended. Just having the passwords in the browser doesn't sound like a proper solution to me.

> I'm not aware of that. The App would only be necessary if the user wants to manually add new passwords to Firefox. Using the browser, I'm capable of viewing my passwords, copying and modifying them.

I have been thinking about it more. Personally I would never recommend people to log in to Firefox. Although it might be easier, this syncs a lot of data to Mozilla (history, cookies, bookmarks etc)(I am aware you could switch off certain things).

All in all, a recommendation would require an explanation of how to use it, therefore my conclusion would be that using Bitwarden is a far better option.

lolrepeatlol commented 2021-06-14 02:28:26 +00:00 (Migrated from github.com)

> I have been thinking about it more. Personally I would never recommend people to log in to Firefox. Although it might be easier, this syncs a lot of data to Mozilla (history, cookies, bookmarks etc)(I am aware you could switch off certain things).

Everything synced in your Firefox Account is end-to-end encrypted and has always been end-to-end encrypted.

https://hacks.mozilla.org/2018/11/firefox-sync-privacy/

freddy-m commented 2021-06-21 13:12:53 +00:00 (Migrated from github.com)

I see little reason to list this @privacytools/editorial

youdontneedtoknow22 commented 2021-07-02 12:29:51 +00:00 (Migrated from github.com)
  1. You don't need to install an addon on your browser:
    less fingerprinting, smaller attack surface, less RAM and CPU usage (which lots of people complain about in Firefox; I just saw a reddit post about it in your subreddit, check the extensions the guy listed) & you don't trust a 3rd company with your passwords.
  2. It's more likely that people will use Firefox Lockwise with my tweaks (basically setting a master password and enabling 2FA on your account) than installing Bitwarden and their addon on all their devices.

And I'm not saying it should be a first recommendation, but rather the third.

lynn-stephenson commented 2021-07-27 08:33:31 +00:00 (Migrated from github.com)

There is very little reason to recommend this when BitWarden exists. BitWarden has been audited, and it is cross-platform. Although when using BitWarden it is generally recommended to avoid using their web browser extensions for security reasons.

Your tweaks are far less convenient than just using BitWarden.

youdontneedtoknow22 commented 2021-07-27 11:57:06 +00:00 (Migrated from github.com)

> There is very little reason to recommend this when BitWarden exists. BitWarden has been audited, and it is cross-platform. Although when using BitWarden it is generally recommended to avoid using their web browser extensions for security reasons.

Firefox is also cross-platform? And I believe the code is mature enough.
And what else would you use instead of the web browser extension? Copy and paste from the app? This is how many people fall for phishing websites. I read 3 days ago about all the "clone domains" for protonmail; they had something like "protnmail.com, protonmial.com, ..". So one typing mistake and the person will have his credentials stolen without even noticing it. While when using autofill (from Firefox Lockwise, or even the Bitwarden extension if that's supported) you're already protected from this.

> Your tweaks are far less convenient than just using BitWarden.

While setting ETP in Firefox to strict (should be the next Firefox tweak in ptio soon), if you just clicked on "set a master password" and typed one, that's far more convenient than installing an app on 2 platforms, installing the addons, making accounts and moving all your passwords there.

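The phishing point made in the comment above, that autofill only fills credentials on the exact origin they were saved for and therefore stays silent on a typo-squatted clone such as "protnmail.com", is illustrated here with an added Python example. It is not code from this thread, from Firefox Lockwise or from Bitwarden; the vault contents, hostnames and the `lookalike_of` warning helper are constructed for illustration, and the origin-matching rule (scheme, IDNA-encoded host and port must all match) is the general behaviour a password manager relies on, not a description of any one product's implementation.

```python
"""Origin-bound autofill: why a password manager refuses to fill a lookalike domain."""
from difflib import SequenceMatcher
from urllib.parse import urlsplit

# Constructed sample vault (placeholder credentials, not real accounts): origin -> (user, password)
VAULT = {
    "https://protonmail.com": ("alice", "example-password-1"),
    "https://example.net": ("bob", "example-password-2"),
}


def canonical_origin(url):
    """Return 'scheme://host[:port]' for an http(s) URL, or None if it cannot be parsed.

    The host is lowercased and IDNA-encoded, so a Unicode lookalike hostname
    (e.g. one with a Cyrillic letter) becomes an xn-- label that can never
    equal the ASCII original the credential was saved for.
    """
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None
    try:
        host = parts.hostname.encode("idna").decode("ascii")
        port = parts.port
    except (UnicodeError, ValueError):
        return None
    default_port = 443 if parts.scheme == "https" else 80
    if port is None or port == default_port:
        return f"{parts.scheme}://{host}"
    return f"{parts.scheme}://{host}:{port}"


def credentials_for(url, vault=VAULT):
    """Return the saved (username, password) only on an exact origin match.

    A typo in the host, a Unicode lookalike, a subdomain trick such as
    'protonmail.com.evil.example' and a downgrade to http all return None,
    so nothing is ever filled into a page the user did not save a login for.
    """
    origin = canonical_origin(url)
    return vault.get(origin) if origin else None


def lookalike_of(url, vault=VAULT, threshold=0.8):
    """Defender-side check: when autofill refuses, report which saved host the
    page most resembles (e.g. 'protnmail.com' vs 'protonmail.com') so the
    client can show a warning. Returns None on an exact match or when no
    saved host is similar enough.
    """
    if credentials_for(url, vault) is not None:
        return None
    host = (urlsplit(url).hostname or "").lower()
    best_host, best_ratio = None, 0.0
    for origin in vault:
        saved_host = urlsplit(origin).hostname
        ratio = SequenceMatcher(None, host, saved_host).ratio()
        if ratio > best_ratio:
            best_host, best_ratio = saved_host, ratio
    return best_host if best_ratio >= threshold else None


if __name__ == "__main__":
    # Constructed page URLs: one legitimate login page and three phishing-style variants.
    for page in ("https://protonmail.com/login", "https://protnmail.com/login",
                 "https://protonmail.com.evil.example/", "http://protonmail.com/"):
        print(page, "->", credentials_for(page), "| resembles:", lookalike_of(page))
```

Copying a password out of a standalone app and pasting it into whatever page is in front of the user skips this origin check entirely, which is exactly the gap the comment describes; the `lookalike_of` helper shows how a client can turn a refused autofill into a visible warning instead of a silent no-op.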
Dyrimon commented 2021-07-28 15:48:59 +00:00 (Migrated from github.com)

> Firefox is also cross-platform? And I believe the code is mature enough.

With Firefox Lockwise, you're restricting the user to Mozilla Firefox (and a Firefox account), which might not be suitable for every platform, and not all users like to tie their whole browsing experience to one account (I certainly don't). Also it needs a lot of tweaking (the browser), which also might not be possible for every platform. Moreover, Lockwise's features are bare-bones and fall too short of Bitwarden. It has no reason to be listed while Bitwarden and KeePass exist.

youdontneedtoknow22 commented 2021-07-28 17:41:41 +00:00 (Migrated from github.com)

> With Firefox Lockwise, you're restricting the user to Mozilla Firefox (and a Firefox account) which might not be suitable for every platform

And with Bitwarden you're restricting the user to a Bitwarden account? You obviously need an account if you want your passwords stored on a cloud.
And don't get me wrong, but most of the recommended browsers on PTIO are Firefox based, so not recommending a password manager because it's restricted to Firefox doesn't make a lot of sense.
And you could also say: recommending PasswordSafe restricts users to Windows, and recommending Pass (passwordstore.com) restricts users to Linux, but they still get recommended (as worth mentioning).

> and not all users like to tie their all browsing experience to one account (I certainly don't).

But many users would like that to happen, including me? That's why most normal users save their passwords in their browser, and we keep telling them they should use a password manager. So letting them add a password to their browser would rather happen than letting them copy their passwords to a password manager and manually edit the user and password columns.
I tried using KeePassXC and I couldn't, because moving all my saved passwords from Firefox to it was a pain in the ***, so I just use Firefox for most of my passwords.
Ask normal internet users from your family and see if they use any password manager or if they just save the passwords in their browser.

> Also it needs a lots of tweaking (the browser) which also might not be possible for every platform.

I explained in the comment before why that's not true; you can read it.

> Moreover, Lockwise features are bare-bones and falls too short to Bitwarden. It has no reason to be listed while Bitwrden and KeePass exists.

That applies to all other "worth mentioning" password managers. And having more features doesn't mean it will make people use it.

k0gen commented 2021-08-30 14:01:58 +00:00 (Migrated from github.com)

> > With Firefox Lockwise, you're restricting the user to Mozilla Firefox (and a Firefox account) which might not be suitable for every platform
>
> And with Bitwarden you're restricting the user to a Bitwarden account? You obviously need an account if you want your passwords stored on a cloud.

No. A Bitwarden account is not necessary; you can self-host your own [vaultwarden](https://github.com/dani-garcia/vaultwarden/) (Bitwarden RS) service like I do on [EmbassyOS](https://github.com/start9labs/embassy-os/) over Tor and have your devices sync to it with security and convenience in mind.

Reference: privacyguides/privacytools.io#2337