🆕 Software Suggestion | Firefox Lockwise #2337
Reference: privacyguides/privacytools.io#2337
Basic Information
Name:
Firefox Lockwise
Category:
Password managers
URL:
Description
I believe Firefox Lockwise should be recommended as a password manager. Syncs are e2e encrypted, and passwords saved in the cloud are also encrypted. It doesn't require addons (like Bitwarden and KeepassXC), and is easy to use for most people on all platforms (you don't even have to use an external app to access the passwords from your phone for example, it's all in your Firefox account in the Firefox app on your phone). Most people tend to save their passwords in their browsers, we just need to make this more private and secure.
The only 2 things I would recommend are:
1- When signing up for a Firefox Account, enable 2FA
2- Using a master password on desktop. In case the device got compromised, this will prevent tools that grab passwords (WebBrowserPassView from Nirsoft for example) from seeing and extracting the passwords. I'm not aware of any methods that can bypass the master password. (For example even if a keylogger was used to log the master password, I'm not aware of methods that can be used to utilize that master password with WebBrowserPassView).
Why I am making the suggestion
Most people tend to save their passwords in their browsers, we just need to make this more private and secure.
My connection with the software
None.
Please tell me if anything of this has changed. I have quite a few concerns with recommending Lockwise.
I tried this app some time ago, and from what I could see it was impossible to add credentials on mobile manually.
I see this has been resolved.
Once the user opens the browser, he'll be asked to enter the master password once. This will be used for the auto-fill feature. That's what normal users need. Once the user closes the browser, this needs to be done again.
I tried using the WebBrowserPassView from Nirsoft even after I typed my master password. I still couldn't extract any saved passwords. The only way to extract the passwords was by disabling the master password completely.
The only way to copy or show passwords, is to go to the "Passwords" tab in the browser. Then you need to enter the master password, so the user can access the database, containing websites, usernames and encrypted passwords. And then when copying or showing any password, the user needs to enter the master password once again. As soon as you close the password tab (just like closing your password manager), you need to do the same process again.
I also just checked in my Firefox Account. I can "Log out" devices that are logged in, if that's what you mean with de-auth devices.
Thanks for the response.
The concern here is about desktop clients, not talking about android here as the app (hopefully), I am assuming here, uses the encrypted storage.
I think this is a problem. Lockwise is used to autofill passwords in other apps, if it can't do that without violating users' privacy I really don't feel like this should be recommended. Just having the passwords in the browser doesn't sound like a proper solution to me.
I have been thinking about it more. Personally I would never recommend people to log in to Firefox. Although it might be easier, this syncs a lot of data to Mozilla (history, cookies, bookmarks etc)(I am aware you could switch off certain things).
All in all, a recommendation would require having an explanation on how to use it, therefore my conclusion would be that using Bitwarden is a far better option.
Everything synced in your Firefox Account is end-to-end encrypted and has always been end-to-end encrypted.
https://hacks.mozilla.org/2018/11/firefox-sync-privacy/
I see little reason to list this @privacytools/editorial
less fingerprinting, smaller attack surface, less ram and cpu usage (which lots of people complain about in firefox, I just saw a reddit post about it in your subreddit, check the extensions the guy listed) & you don't trust a 3rd company with your passwords
And I'm not saying it should be a first recommendation, but rather the third.
There is very little reason to recommend this when BitWarden exists. BitWarden has been audited, and it is cross-platform. Although when using BitWarden it is generally recommended to avoid using their web browser extensions for security reasons.
Your tweaks are far less convenient than just using BitWarden.
Firefox is also cross-platform? And I believe the code is mature enough.
And what else would you use instead of the web browser extension? Copy and paste from the app? This is how many people fall for phishing websites. I read 3 days ago about all the "clone domains" for protonmail, they had something like "protnmail.com, protonmial.com, ..". So one typing mistake and the person will have his credentials stolen without even noticing it. While when using autofill (from Firefox Lockwise, or even the Bitwarden extension if that's supported) you're already protected from this.
While setting ETP in Firefox to strict (should be the next Firefox tweak in ptio soon), if you just clicked on "set a master password" and typed one, that's far more convenient than installing an app on 2 platforms, installing the addons, making accounts and moving all your passwords there.
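The protection the comment above describes comes from the browser filling a saved login only on the exact origin it was saved for, so a lookalike host never receives it. The example below is added here to illustrate that rule and is not code from Firefox Lockwise, Bitwarden or the privacytools.io project; the vault contents, the example e-mail address and password are constructed, and the lookalike hosts are the two the comment quotes. It also goes one step past the comment by reporting which saved host a near-miss resembles, which is the kind of explanation a user wants when nothing is filled.

```python
from urllib.parse import urlsplit

# Constructed sample vault for this example: one saved login, keyed by the exact
# origin (scheme + host + port) it was saved on, the way a browser stores it.
SAVED_LOGINS = {
    "https://protonmail.com": [("alice@example.com", "correct-horse-battery-staple")],
}


def origin_of(url: str) -> str:
    """Normalise a URL to its origin: lowercase scheme and host, port only if non-default."""
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    host = (parts.hostname or "").lower()
    port = parts.port
    default = {"http": 80, "https": 443}.get(scheme)
    if port is None or port == default:
        return f"{scheme}://{host}"
    return f"{scheme}://{host}:{port}"


def autofill_candidates(page_url: str, vault: dict) -> list:
    """Logins to offer on this page. Only an exact origin match qualifies, so a
    typosquatted host, or plain http:// on an https-saved origin, gets nothing."""
    return list(vault.get(origin_of(page_url), []))


def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance (insert, delete, substitute), iterative version."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_saved_hosts(page_url: str, vault: dict, max_distance: int = 2) -> list:
    """Saved hosts within a few edits of the current host but not equal to it.
    This is only used to explain to the user why nothing was filled, never to fill."""
    host = (urlsplit(page_url).hostname or "").lower()
    hits = []
    for origin in vault:
        saved_host = (urlsplit(origin).hostname or "").lower()
        if saved_host != host and edit_distance(host, saved_host) <= max_distance:
            hits.append(saved_host)
    return sorted(hits)


if __name__ == "__main__":
    # Constructed page URLs: the genuine site, the two lookalikes from the thread,
    # and the genuine host reached over plain http.
    for url in ("https://protonmail.com/login", "https://protnmail.com/login",
                "https://protonmial.com/login", "http://protonmail.com/login"):
        offered = autofill_candidates(url, SAVED_LOGINS)
        if offered:
            print(f"{url}: offering {len(offered)} saved login(s)")
        else:
            near = lookalike_saved_hosts(url, SAVED_LOGINS)
            hint = f" (looks like saved site {near[0]})" if near else ""
            print(f"{url}: nothing filled{hint}")
```

The near-miss check is deliberately kept separate from the fill decision: an origin either matches exactly or it does not, and the edit-distance hint only decides what warning to show.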
With Firefox Lockwise, you're restricting the user to Mozilla Firefox (and a Firefox account) which might not be suitable for every platform, and not all users like to tie their whole browsing experience to one account (I certainly don't). Also it needs a lot of tweaking (the browser) which also might not be possible for every platform. Moreover, Lockwise's features are bare-bones and fall too short of Bitwarden. It has no reason to be listed while Bitwarden and KeePass exist.
And with Bitwarden you're restricting the user to a Bitwarden account? You obviously need an account if you want your passwords stored on a cloud.
And don't get me wrong, but most of the recommended Browsers on PTIO are firefox based, so not recommending a password manager because its restricted to firefox doesn't make a lot of sense.
And you could also say: recommending PasswordSafe restricts users to Windows, and recommending Pass (passwordstore.com) restricts users to Linux, but they still get recommended (as worth mentioning).
But many users would like that to happen, including me? That's why most normal users save their passwords in their browser, and we keep telling them they should use a password manager. So letting them add a password to their browser would rather happen than letting them copy their passwords to a password manager and manually edit the user and password columns.
I tried using KeepassXC and I couldn't because moving all my saved passwords from Firefox to it was a pain in the *** so I just use Firefox for most of my passwords.
Ask normal internet users from your family and see if they use any password manager or if they just save the passwords in their browser.
I explained in the comment before why that's not true, you can read it.
That applies to all other "worth mentioning" password managers. And having more features doesn't mean it will make people use it.
No. A Bitwarden account is not necessary, you can self-host your own vaultwarden (Bitwarden RS) service like I do on EmbassyOS over Tor and have your devices sync to it with security and convenience in mind.