Slashdot Mirror


Firefox To Get a Better Password Manager (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee use only at first, but users can install it by going to this link or this link. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.

92 comments

  1. Woo hoo by Anonymous Coward · · Score: 0

    So exciting... NOT

    1. Re:Woo hoo by Anonymous Coward · · Score: 2, Funny

      But back then being an idiot was actually kinda trendy.

      Have you seen who we elected president?

    2. Re:Woo hoo by Anonymous Coward · · Score: 0, Flamebait

      Then we have you with the bizarre need to prattle on about some guy using an expression that you think should have died a painful death. It's really a shame that you haven't died a painful death.

      Go kill yourself.

    3. Re:Woo hoo by Anonymous Coward · · Score: 2

      Your signature says it all

    4. Re: Woo hoo by Anonymous Coward · · Score: 0

      I think it's rather groovy

    5. Re:Woo hoo by Anonymous Coward · · Score: 0

      or was it a post-ironic Simpsons reference used to avoid using 'slow clap'. Its cheese factor was intended and all you noticed was the cheese. Tough audience.

    6. Re:Woo hoo by Anonymous Coward · · Score: 0, Troll

      Yes. And I view it as a rare showing of intelligence. What's the saying? "Doing the same thing over and over expecting a different result is a sign of insanity". Well, people unhappy with how things have been going, when given an option of the same thing, and something different, wanting a different result, they went with something different. You folks who supported Hillary while complaining about how bad government is are the true idiots. Trump may be terrible, but at least we've tried something different to see if it works better. In science, a failed experiment still provides important information.

    7. Re:Woo hoo by e432776 · · Score: 1

      I dunno, seems like important core functionality. Lastpass is popular, and certainly "exciting" to many people. If Mozilla can pull something off that does not involve servers/machines I don't own and control but allows me to share passwords between machines, that would seem pretty newsworthy.

    8. Re:Woo hoo by sexconker · · Score: 1

      Psych!

    9. Re:Woo hoo by fafalone · · Score: 0, Flamebait

      If your computer isn't working, and you just can't figure out how to fix it, and someone comes along and says 'maybe you should set it on fire and then urinate on it', do you just go 'oh well nothing else is working' and do it? That's what we did when we elected Trump.

    10. Re: Woo hoo by Anonymous Coward · · Score: 0

      "At Least we've tried something different to see if it works better"
      Most normal people don't need to eat a dog shit sandwich to know they wouldn't like it.

    11. Re: Woo hoo by Anonymous Coward · · Score: 0

      Except they were given a choice of dogshit sandwich A or dogshit sandwich B. Not like Hillary wasn't going to be a complete cvnt.

    12. Re:Woo hoo by Anonymous Coward · · Score: 0

      Syncing passwords via USB stick? Oooo, timely.

  2. I hope they improved the UI by hackertourist · · Score: 2

    In the old PW manager, when you click the 'Show Passwords' button, Firefox opens the thoroughly useless dialog "Are you sure you want to show your passwords?"

    Confirmations should be reserved for irreversible actions only, and should offer a way to stop the dialog from appearing.

    1. Re:I hope they improved the UI by queazocotal · · Score: 5, Insightful

      Showing your passwords on screen is an irreversible action if someone is watching your screen, or recording it.

    2. Re:I hope they improved the UI by Anonymous Coward · · Score: 0

      This dialog is justified in my mind because you might be thinking about it and you have someone in the room with you who might be able to see all of your passwords. A confirmation might save you from a brain fart moment.

    3. Re:I hope they improved the UI by thegarbz · · Score: 1

      if someone is watching your screen

      Irreversible actions here are based on a system level not based on someone looking over your screen. It is reversible in that you can quickly close the window and get right back to where you were with no change at all on your system.

      Now I'm going to click preview, re-read what I wrote, and then confirm my post because Slashdot doesn't let me edit or delete.

    4. Re:I hope they improved the UI by hackertourist · · Score: 1

      Then the dialog should at least indicate that. As it stands now it is more likely to generate the reaction, "well duh, of course I want to see my passwords. That's why I clicked the button marked 'show passwords', damn it."

    5. Re:I hope they improved the UI by rjune · · Score: 2

      I have a master password set. Firefox requires it to be entered to show passwords. I consider that to be good security measure.

    6. Re:I hope they improved the UI by TheRaven64 · · Score: 1

      The UI is the least of their problems, the big issue is the security architecture. If I compromise a tab that's displaying Slashdot, I should be able to get access to the password for Slashdot (maybe), but definitely not for any other site. With Firefox, the password manager runs in the same address space as all of the tabs and has all of your passwords in memory. A single libpng or libjpg arbitrary code execution vulnerability and a malicious image can expose all of your passwords to an attacker. A single libavcodec or libavformat arbitrary code execution vulnerability and a malicious video or audio file can expose all of your passwords to an attacker. Go and look at the CVE lists for these projects and decide whether you'd trust Firefox with a password...

      --
      I am TheRaven on Soylent News
    7. Re:I hope they improved the UI by UnknowingFool · · Score: 1

      I think one complaint is that it shows you all your passwords and not just a selected password.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    8. Re:I hope they improved the UI by thegarbz · · Score: 1

      Requiring a password and requiring confirmation for an action that has no lasting effect are not the same thing.

    9. Re:I hope they improved the UI by queazocotal · · Score: 1

      And this is why UI designers that do not think about guidelines needing to be flexible need to be punched in the face really hard.

      Exceptions occur, and choosing to justify default by 'global spec says so' rather than thinking about the actual use-case and doing it differently because it's better for users is not a good thing.

    10. Re: I hope they improved the UI by sound+vision · · Score: 1

      Exactly... Function should dictate UI, not the other way around.

    11. Re: I hope they improved the UI by Anonymous Coward · · Score: 0

      Anyone who saves passwords in their browser has already had a brain fart moment.

    12. Re:I hope they improved the UI by Anonymous Coward · · Score: 0

      Don't worry. They'll add a hamburger menu for that dialog.

  3. NIH syndrome by Anonymous Coward · · Score: 0

    Instead of reinventing the wheel why can't they just work on integrating with something that already does the job properly like keepass - and leave it at that, and then focus on more important things like the actual browser.

    1. Re:NIH syndrome by squiggleslash · · Score: 1

      | Because Keepass is a third party application that Mozilla cannot just co-opt like that, and in any case Keepass can write their own Firefox extensions to do the integration (if they haven't already.)

      --
      You are not alone. This is not normal. None of this is normal.
    2. Re:NIH syndrome by SScorpio · · Score: 1

      There is a great Keepass extension called KeeFox. Which will promptly stop working in a few weeks when Firefox 57 kills off "legacy" extensions.

    3. Re:NIH syndrome by unrtst · · Score: 1

      Keepass is open source. They could coopt it.
      Keepass 1.x has been ported to just about every platform, and would likely be fairly easy to utilize as the backend storage, and even has APIs for accessing the DBs and such.
      Keepass 2.x, while open source, is only available in .Net (C#/C++, can run under Windows, via mono on other OSes, or via wine).

      That said, I think there would be little benefit to using it. It would be nice to know I could access the encrypted blob via a separate program, also completely offline, but they could alternatively offer some sort of export or sync or something to other formats, including the keepass 1.x or 2.x format, and that'd be enough for me. AFAICT, they don't offer either of those yet, so I'll stick with my own.

    4. Re:NIH syndrome by Anonymous Coward · · Score: 0

      They are legacy, there is no need to quote the word. The move to WebExtensions is needed to facilitate better security. The current add-in system has free rein to do anything it wants in the browser.

    5. Re:NIH syndrome by Anonymous Coward · · Score: 0

      They're not reinventing the wheel. They've had a password manager for a long time now. They're just improving the UI from the sounds of it. While I like KeePass, what Mozilla does is slightly different. They're synchronizing passwords between browsers in a cross platform way protected by an email and password. Encryption on the client is optional via a master password.

    6. Re:NIH syndrome by sexconker · · Score: 1

      They are legacy, there is no need to quote the word. The move to WebExtensions is needed to facilitate better security. The current add-in system has free rein to do anything it wants in the browser.

      The move to WebExtensions is needed to copy Chrome and remove a ton of choice and control from users.
      If you're worried about security with NPAPI/XUL/"legacy" plugins, there's a simple solution: DON'T INSTALL MALICIOUS PLUGINS.

    7. Re:NIH syndrome by Anonymous Coward · · Score: 0

      That's okay. After 57 is released, it will only be a matter of weeks before Firefox market share drops by half - moving Firefox from "barely relevant" to "irrelevant" (except perhaps in Cuba, Eritrea, and Germany).

      I've been using Firefox nearly exclusively for over ten years. Unfortunately, nine of the ten extensions I have installed are legacy extensions for which I've not found a suitable substitute in the WebExtensions world (the tenth is a Legacy one that I found a suitable substitute for). I rely heavily on at least six of these extensions.

      Regrettably, I'm slowly switching over to Chrome because a post-56 Firefox has no value to me.

      (I guess you get what you pay for in both browsers and legislation).

    8. Re:NIH syndrome by SScorpio · · Score: 1

      Give Waterfox a try. I've used it as my daily driver for the last six weeks or so and all extensions are working fine.

    9. Re:NIH syndrome by JackieBrown · · Score: 1

      Like adding pocket instead of just making their own version? I think they probably learned their lesson on that.

    10. Re:NIH syndrome by TheRaven64 · · Score: 1

      That's only half of the solution. The other fix you need is: don't visit malicious web sites. A password manager plugin should be split into one part that maintains the DB and one part that runs in the context of each tab and has access to only the passwords that that tab requires. With the old Firefox extension model, there is no way of doing that (all tabs run in the same context) and so a compromise of one tab will compromise all secret information owned by the extension. There's no way to fix this without a complete redesign.

      --
      I am TheRaven on Soylent News
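
The split TheRaven64 argues for here and in the "I hope they improved the UI" thread above, as an added example that is not part of the original comments and not Mozilla's or Lockbox's code: one privileged component holds the store, and a tab can obtain only the entry for its own origin. Node.js with no dependencies; the sender shape, store layout and sample sites are constructed.

```javascript
// Added example, not Lockbox's or Mozilla's code: the split that the
// comments above argue for, as a per-origin credential broker. One
// privileged component holds the store; a tab may obtain only the entry
// for its own origin, and everything else is refused and logged.
// The sender shape, store layout and sample sites are constructed.

// Normalise a page URL to its origin (scheme + host + port), the unit of
// isolation the broker enforces. Returns null for anything unparsable.
function originOf(url) {
  try {
    const origin = new URL(url).origin;
    return origin === 'null' ? null : origin;  // opaque origins get no credentials
  } catch {
    return null;
  }
}

class CredentialBroker {
  // masterPassword stands in for a real key-derivation step (constructed).
  constructor(masterPassword) {
    this.master = masterPassword;
    this.locked = true;
    this.store = new Map();   // origin -> { username, password }
    this.denied = [];         // audit trail of refused requests
  }

  unlock(attempt) {
    this.locked = attempt !== this.master;
    return !this.locked;
  }

  save(siteUrl, username, password) {
    const origin = originOf(siteUrl);
    if (!origin) throw new Error('unusable site URL');
    this.store.set(origin, { username, password });
  }

  // The only call the per-tab side gets. `sender` is what the privileged side
  // knows about the caller: in a WebExtension the runtime supplies it, so a
  // compromised page cannot simply claim another site's URL.
  request(sender, wantedUrl) {
    if (this.locked) return this.refuse(sender, 'locked');
    const tabOrigin = originOf(sender.url);
    const wantedOrigin = originOf(wantedUrl);
    if (!tabOrigin || !wantedOrigin) return this.refuse(sender, 'bad origin');
    if (tabOrigin !== wantedOrigin) return this.refuse(sender, 'cross-origin');
    const entry = this.store.get(wantedOrigin);
    if (!entry) return { ok: false, reason: 'no entry' };
    return { ok: true, credential: { ...entry } };  // one copy, never the map
  }

  refuse(sender, reason) {
    this.denied.push({ tabId: sender.tabId, url: sender.url, reason });
    return { ok: false, reason };
  }
}

// Constructed walk-through: two saved sites, a Slashdot tab, and the request a
// compromised Slashdot tab would make for the other site's credential.
function demo() {
  const broker = new CredentialBroker('constructed-master');
  broker.save('https://slashdot.org/login', 'alice', 'constructed-pw-1');
  broker.save('https://example.com/signin', 'alice', 'constructed-pw-2');
  const slashdotTab = { tabId: 1, url: 'https://slashdot.org/story/123' };

  const whileLocked = broker.request(slashdotTab, 'https://slashdot.org/login');
  broker.unlock('constructed-master');
  const own = broker.request(slashdotTab, 'https://slashdot.org/login');
  const other = broker.request(slashdotTab, 'https://example.com/signin');
  const oddPort = broker.request(slashdotTab, 'https://slashdot.org:8443/login');
  return { whileLocked, own, other, oddPort, denied: broker.denied };
}

console.log(JSON.stringify(demo(), null, 2));
```

The port case matters because `https://slashdot.org:8443` is a different origin from `https://slashdot.org`, and the broker treats it as such.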
    11. Re:NIH syndrome by ctilsie242 · · Score: 1

      KeePassXC might be a suitable replacement. I like KeePass's password generator, especially with the fact that it can generate via templates and use input from the keyboard/mouse to supplement the RNG. However, KeePass isn't the only game in town.

    12. Re:NIH syndrome by David_Hart · · Score: 1

      There is a great Keepass extension called KeeFox. Which will promptly stop working in a few weeks when Firefox 57 kills off "legacy" extensions.

      Kee 2.0 is under development and will allow you to continue using KeePass with Firefox and other browsers. At least that's what is being promised.

      https://www.kee.pm/

    13. Re:NIH syndrome by sexconker · · Score: 1

      That's only half of the solution. The other fix you need is: don't visit malicious web sites. A password manager plugin should be split into one part that maintains the DB and one part that runs in the context of each tab and has access to only the passwords that that tab requires. With the old Firefox extension model, there is no way of doing that (all tabs run in the same context) and so a compromise of one tab will compromise all secret information owned by the extension. There's no way to fix this without a complete redesign.

      You still need the "don't visit malicious websites" "fix" regardless of plugins or which browser you use.

      And no, you don't need 2 contexts for extensions. There is one context governing the browser and its extensions - the user's context. If a tab should not be able to reach into an extension and get shit from another tab, the extension should prevent that. Maybe that's exactly what you want to do with that particular extension.

    14. Re:NIH syndrome by TheRaven64 · · Score: 1

      The extension can only do that if the tabs are different sandboxes (typically different processes). Firefox does not currently do that and cannot switch to the security model that all other modern browsers including Edge use until they remove the current extensions mechanism.

      --
      I am TheRaven on Soylent News
    15. Re:NIH syndrome by Anonymous Coward · · Score: 1

      So your solution to your preferred extensions no longer working on a future version of Firefox is to use a completely different browser where none of those extensions work. Got it.

    16. Re:NIH syndrome by mattventura · · Score: 1

      Guess what: ANY software I install on my PC has free rein to do whatever it wants with my browser (and the rest of my software too). Rather than crippling admins for the rest of us, just don’t install software (browser admins or otherwise) that you don’t trust.

    17. Re:NIH syndrome by SScorpio · · Score: 1

      Thanks for the info. I'll check it out once it's out of beta.

      I'll have to see about my other 80% of the plugins I used that are also "legacy".

    18. Re:NIH syndrome by knorthern+knight · · Score: 1

      > The other fix you need is: don't visit malicious web sites.

      You mean sites like The New York Times, the BBC, MSN, and AOL? https://arstechnica.com/inform...

      Or Forbes? https://www.fireeye.com/blog/t...

      It's gotten so bad that "Mainstream Web Sites Are More Risky than Porn Sites" according to Cisco. https://www.esecurityplanet.co...

      Assume that *EVERY* site you visit is compromised. If your OS/browser combo can't handle that, look at different software.

      --

      I'm not repeating myself
      I'm an X window user; I'm an ex-Windows user
    19. Re:NIH syndrome by TheRaven64 · · Score: 1

      Exactly my point. The Firefox extension model is probably fine for a password manager if you only use it for web sites that you completely control. Anything else? Not so much.

      --
      I am TheRaven on Soylent News
  4. Master password is new? by LostOne · · Score: 4, Insightful

    I seem to have been using a master password with Firefox's password manager thing for ages so unless I'm delusional, that's not new functionality. Why is the existence of a semi-functional (can't be reset currently) master password on this "lockbox" thing even an important development? Does it protect something the existing implementation doesn't? Indeed, why do I even need an "improved" password manager when the existing one actually works? (Well, a UI button would be nice on occasion, sure, but that seems a fairly trivial thing to add and wouldn't need any fancy beta/alpha development phase.)

    --

    If it works in theory, try something else in practice.
    1. Re:Master password is new? by rjune · · Score: 3, Interesting

      You are correct, what is described here is not new. What would be useful is being able to sync your passwords on different computers while using a master password. As it now stands, you have to select one feature or the other. That question was not addressed in the linked article.

    2. Re:Master password is new? by ctilsie242 · · Score: 1

      It would be nice to have some added security with data sitting on a cloud provider, so someone who grabs the password database can't just brute-force a password. With some password managers, one can have a sync password that is different from the one used to access the DB, so one can have a 64 character password for that, and a shorter one for access on the local machine. Other password managers require endpoints to be "introduced", and store the database encrypted, with the master key to the DB encrypted to each endpoint's private key. That way, there is no password that can be guessed.

      What I really detest is how utilities like mSecure (and to a lesser extent, 1Password) have moved. Want to use them? You have to use their specific cloud, which has no certifications other than "we use AES-256". If I want to use someone's proprietary cloud for passwords, I would use LastPass which at least has been proven to mitigate attacks with its structure. Who knows how these guys store their DB... it could be stashed in a publicly accessible S3 bucket, for all we know.

    3. Re:Master password is new? by Anonymous Coward · · Score: 1

      You can use the master password and Firefox password sync feature. I do so without any issue between multiple browsers and operating systems.

      To be clear, the password sync feature protects which clients are allowed to push or pull passwords over an encrypted medium.
      The master password feature protects whether the passwords are stored locally encrypted or not and if a password must be entered to use a password.

      Each browser uses the same email address/password to access sync feature.
      Each browser uses different master password to protect passwords locally. You can choose to use the same or different master password, but that master password is not synchronized.

      If you forget the master password of a single client, you will have to reset your Firefox profile, set up a new master password and provide sync email/password.
      If you forget the sync password, you can reset it via your email but you cannot retrieve the passwords. You can however push the existing passwords from another client where you know its master password and it is still set up to sync.
      If you forget the master password of all clients and your sync password, you cannot recover your passwords at all.

    4. Re:Master password is new? by Vairon · · Score: 3, Interesting

      With Mozilla's sync service, which includes password sync, you can run the sync server yourself if you want:

      https://github.com/mozilla-ser...

    5. Re:Master password is new? by ftobin · · Score: 1

      I've been using synced passwords with a master password for 10+ years now, if not longer. Why do you suggest it's not supported?

    6. Re:Master password is new? by Kkloe · · Score: 1

      I have also been using the master password in combination with "saved password editor", why have a UI button to clog more stuff in the bar rather than have it in the menu as this has?
      https://addons.mozilla.org/en-...

  5. There's the problem by Anonymous Coward · · Score: 1, Funny

    Now I see the problem with Mozilla. They hire engineers instead of software developers.

    It's good that they don't hire programmers, but really they need software developers and not engineers.

    1. Re: There's the problem by Anonymous Coward · · Score: 0

      No, the experience designers and visionary managers are responsible for Mozilla's destruction. Engineers do not remove functionality or randomize the UI layout for each release.

    2. Re: There's the problem by Anonymous Coward · · Score: 0

      Although that seems to be their goal, you are giving them too much credit as they have not yet reached the 0% goal as you claim. However, 57 will be a giant leap towards achieving their goal so they may be successful yet.

      (I assume 57 was chosen as that's the release when the ketchup hits the fan?)

  6. Just use the OS password manager! by Anonymous Coward · · Score: 0

    Why do browser makers always reinvent the wheel for every single OS feature... and do it badly too?!

    (I’m assuming even Windows and macOS have password managers for ages now. I haven't checked though.)

    Somebody should tell them about the inner-platform effect.

    1. Re:Just use the OS password manager! by Anonymous Coward · · Score: 0

      Windows does not have a password manager.

      In what way is Firefox's password manager doing it badly?

    2. Re:Just use the OS password manager! by sexconker · · Score: 1

      Start
      Credential Manager

      Store credentials for automatic logon

      "Use Credential Manager to store credentials, such as user names and passwords, in vaults so you can easily log on to computers or websites."

    3. Re:Just use the OS password manager! by UnknowingFool · · Score: 1

      (I’m assuming even Windows and macOS have password managers for ages now. I haven't checked though.)

      Then you would assume wrong. Windows has not had a central password manager "for ages" now. MacOS has one integrated with Safari but it does not work directly with other browsers. The integration with Safari means that it detects the presence of a password dialog and suggests a random password for the site that more or less obeys the site rules. If you agree then it saves the password for you if you want. In MacOS the password manager has a feature to externally generate passwords with options to set the rules and difficulty so you could use it manually with other browsers.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    4. Re:Just use the OS password manager! by Darinbob · · Score: 3, Interesting

      Just don't use a password manager; it's so simple. I don't use the one on OSX, and I try hard to train my mother to not use the browser password manager. Her computer has a problem and we find out she literally does not know any of her passwords because she hasn't had to type one in for years; but easy enough to break into the password file with just a few google searches.

      I type in my own passwords manually. I have an encrypted file with the low security passwords (all those "you must register to see our web site" ones). For important passwords at home I have the passwords in a file on a removable thumb drive, and it is removed immediately after use.

      Yes, it is more inconvenient that way. But security is not convenient! The more convenience you add to security or the more convenience the user takes, the less secure the overall result. This is a fundamental security concept. Users reuse the same password for convenience and the result is less secure; if the OS offers a one stop storage of passwords for convenience, the less secure it becomes.

      I.e., I know my work has shared plaintext passwords with third parties. In that I got email from an outsourced training class, and the email listed the default password for me to login which was identical to a previous work login password I had used. Good operating systems never store or transmit a password but use a hash instead; so clearly something at work was seriously broken. Using the keystore on my computer would be a mistake in such an environment.

    5. Re:Just use the OS password manager! by cerberusss · · Score: 1

      For important passwords at home I have the passwords in a file on a removeable thumb drive

      Pffff amateur.

      I have my important passwords engraved on the business end of my 12-gauge sawed-off shotgun. Should the security be an issue, I only have to pull the trigger and bury the body in my back yard.

      --
      8 of 13 people found this answer helpful. Did you?
    6. Re:Just use the OS password manager! by Anonymous Coward · · Score: 2, Insightful

      Security is not inversely correlated with convenience. Quit spreading that myth. What is dangerous is people using short, weak passwords on multiple sites all because they need to remember it, and most browser password managers can be encrypted with a master file, making it almost as secure as, if not just as secure as your usb trick, and the fact that your usb is plugged in for a few moments doesn't mean anything. It's more than enough for your password to be snagged by a trojan or malware. If a virus can compromise a browser password manager, then it's already gained access to the actual system and your usb would be just as vulnerable.

    7. Re:Just use the OS password manager! by Anonymous Coward · · Score: 0

      I guess you really are an unknowing fool ... Firefox and most other browsers have extensions available to integrate with Keychain on MacOS. I still use KeePassX, though, since I need my passwords to be available on Linux, macOS and Windows.

    8. Re:Just use the OS password manager! by UnknowingFool · · Score: 1

      I guess you really don't know Firefox as this article was talking about the built-in password manager. Not an extension. Speaking of extensions, you are aware the current integration is not going to work after Firefox 57?

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.
    9. Re:Just use the OS password manager! by Anonymous Coward · · Score: 0

      > Security is not inversely correlated with convenience. Quit spreading that myth. What is dangerous is people using short, weak passwords on multiple sites all because they need to remember it.

      You just contradict yourself there. It's convenient to use short, weak passwords on multiple sites because most users need to remember it, that's convenience. If you want to be secure use long passwords with some capital letters, symbols and alphanumeric, but it won't be convenient. If you think security and convenience are not pulling each other, then maybe you need to lecture security 101 to Steve Gibson who claims security is the opposite of convenience.

  7. Too little, too late. by Anonymous Coward · · Score: 0

    I'm way too invested in LastPass to ever use a home grown Mozilla extension.

    1. Re:Too little, too late. by pedz · · Score: 1

      I use LastPass too. Do you like the new UI? I'm using Firefox on a Mac. It is horrible compared to what it was before. I'm tempted to find another alternative.

  8. Password API by brianerst · · Score: 1

    I'd rather see some sort of Password API that would allow LastPass or Dashlane be the backend (or front end) for Firefox's password cache. The existing functionality of these systems is OK but kind of hackworthy.

    If I generate a password in LastPass, there's only a 30% chance LastPass will actually store that password - it gets confused very easily and suddenly you have a website that has a password that you don't have any more. (My workflow lately is to open a text editor, generate the password, copy it, paste it into the editor, then paste it into the website and update LastPass after everything has changed).

    But Firefox is generally really good at grabbing and storing new and changed passwords. So some version of using Firefox's front-end feeding into LastPass's backend would be perfect (for me).

    I can see the (different) security implications of either a front-end or back-end hook, so I'm not sure if Mozilla would ever implement such a scheme, but some way of integrating third-party password managers in a better way would be nice.

    1. Re:Password API by darkNeko · · Score: 1

      Keepass integration with PassIFox on Firefox works great, but I see it's not for everyone. I prefer to keep my passwords file offline and synchronize it with my own means among devices.

    2. Re:Password API by 93+Escort+Wagon · · Score: 1

      I can see the (different) security implications of either a front-end or back-end hook, so I'm not sure if Mozilla would ever implement such a scheme, but some way of integrating third-party password managers in a better way would be nice.

      Firefox on OS X (aka macOS) has worked this way for years - it ties into the built-in encrypted keychain. It started out as a plugin, but IIRC it's now part of the core (I stopped using Firefox a few years ago, so it's possible I'm remembering incorrectly).

      So it would seem the hooks are already present - it's just a question whether they're written in an extensible way, or if it's a horrible kludge written specifically for the OS X Keychain.

      --
      #DeleteChrome
    3. Re: Password API by Anonymous Coward · · Score: 0

      Chrome will need to develop and add this API first. A browser API only becomes a standard when Chrome implements it, because about 60% of web users use Chrome. Also, the Firefox developers only seem capable of copying what Chrome's developers have already built. So what you propose is only possible if Chrome's developers do it first.

    4. Re:Password API by Anonymous Coward · · Score: 0

      The problem is Firefox's cache is too easy to break while there is true end to end encryption for Lastpass/Dashlane/etc

      I've turned off anything to do with Firefox's manager and rely on large complex individual passwords for everything with my master password being a very long phrase with spaces and punctuation along with Google Authenticator.

      The best feature of Lastpass is the Security Challenge that helps you remove/change bad passwords.

  9. Hoot's law by Geoffrey.landis · · Score: 0

    What's the saying? "Doing the same thing over and over expecting a different result is a sign of insanity". Well, people unhappy with how things have been going, when given an option of the same thing, and something different, wanting a different result, they went with something different.

    Hoot’s Law: “No matter how bad things are, you can always make them worse.”

    --Hoot Gibson (as recounted by Charles Boldin)

    Or, perhaps this quote is more to the point:

    "When you say, 'It can’t get any worse!' You're essentially challenging the universe to do exactly that.”

    --Kamand Kojouri

    --
    http://www.geoffreylandis.com
  10. Make it accessible outside Firefox by Tester · · Score: 1

    It would be amazing if Firefox's password manager could be used by the new Auto-Fill API on Android so I can use a service I can trust instead of a commercial service like LastPass...

    1. Re:Make it accessible outside Firefox by Anonymous Coward · · Score: 0

      It would be amazing if Firefox's password manager could be used by the new Auto-Fill API on Android so I can use a service I can trust instead of a commercial service like LastPass...

      Exactly! I think passwords, online pseudonyms, security, and encryption are all things that should be managed by the Operating System, not by applications. Controlled by the user but managed by the OS.

  11. facepalm by Anonymous Coward · · Score: 0

    A password manager in a web browser deserves a facepalm. Or have you seen any secure web browser?

    1. Re:facepalm by CaptainDork · · Score: 1

      Agree.

      I have never used a password manager.

      I have a scheme whereby, when I look at a login page, I can use the address to reconstruct the appropriate password according to a mental algorithm.

      I go back to stories like this one

      LastPass Hacked, Change Your Master Password Now by Eric Ravenscraft, 6/15/15 3:30pm.

      --
      It little behooves the best of us to comment on the rest of us.

  12. Somewhere Al Gore is pissed by xxxJonBoyxxx · · Score: 1

    >> Lockbox

    Somewhere Al Gore is pissed

    https://www.nbc.com/saturday-night-live/video/cold-opening-gore--bush-first-debate/n11360
    (See 9:00 - end)

    1. Re:Somewhere Al Gore is pissed by Anonymous Coward · · Score: 0

      >> Lockbox
      Somewhere Al Gore is pissed

      It's all part of Mozilla's strategery ....

  13. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  14. Needs Keepass, im/export, Sync, APIs, +more by RanceJustice · · Score: 3, Interesting

    While Firefox has a good core password management application, it does need to be refreshed with more than just a new UI. They should keep some of the main features of course, such as bringing back Sync integration for Lockbox; I'm sure that will come in time. However, they can do so much better and go much farther with a new project like Lockbox.

    Assuming they bring back all of the current (as of Firefox 57) features of the default password manager including Sync support natively, it's time to start with true improvements. For instance, I use what is now a Legacy addon called Password Exporter - https://addons.mozilla.org/en-... - to import or export into standard .xml or .csv files. This should be a native feature of Firefox's new "Lockbox", especially as it is one of the many extensions that at the moment will no longer work at 57, because there is no proper API under WebExtensions to replicate how/what it does! Native support should be better, plus they should also add full encryption of the database as well as obfuscation options.

    This brings me to the really big feature I'd like to see in Lockbox - full integration with other password managers and their APIs, from LastPass and Dashlane that are common but insecure, to SpiderOak's Encryptr, to one of my personal favorites and ideal targets - Keepass (latest gen databases from both Keepass 2.x and KeepassXC etc). I'll focus on Keepass in the discussion from here on, but if a user has a password manager of preference - web based or otherwise - and there is an API for it, it would be nice if Firefox (and other Mozilla products in the future... oh how I wish to see more work on Thunderbird!) would make use of them. Right now, users of Keepass 2.x style .kdbx databases can have some degree of integration with Firefox thanks to addons, from PassIFox to the excellent KeeFox (which has a WebExtensions rewrite under the name "Kee"), allowing Firefox to sidestep the native password manager and instead record to/from Keepass databases. In order to do this, there is a need for Keepass clients to support KeepassHTTP (at minimum) or KeepassRPC (which I am led to believe is a more secure way of transmitting this info), because there's sort of a required kludge of "reaching over" the native Firefox password manager and whatnot. Lockbox should be developed in such a way as to natively support integrating with a Keepass database using multiple secure methodologies. Ideally, once the rest was handled, this would add support for Firefox Account / Sync to handle syncing an entire .kdbx database if the user wishes to do so, providing an open alternative to the kind of thing that many users do at the moment, such as uploading their database to Google Drive etc. Lockbox could also be designed with handling next-gen open source encryption seamlessly (including things like GnuPG / OpenPGP implementations) which could be useful to say... allow other Mozilla products such as Thunderbird to access ProtonMail securely - something it can't do currently. Likewise, support for HOTP / TOTP / and the recent FidoU2F, along with custom secure PIM storage besides just plain passwords and usernames, could expand functionality.

    There's a lot of potential for an enhanced PW manager with Lockbox. Firefox's current Sync'd password manager is a great feature and one of the few password managers that is both open and easy to use for people who may never have used a password manager in the past yet now find it incredibly useful; I can't tell you how often a family member has been saved from a password reset because they can go into the Firefox Options and browse through their usernames and passwords. Let's hope Lockbox keeps what's great and expands upon it.

  15. So they knew by ourlovecanlastforeve · · Score: 1

    This seems to imply that Firefox's developers know that their existing password storage mechanism is inadequate yet chose not to tell users until they were well into the development cycle for a replacement.

  16. Better idea for Mozilla by Anonymous Coward · · Score: 0

    Why not just use KeePassX? If your password manager is stored in your browser, that makes it harder to export cross-platform. Also, the browser is the most vulnerable program in the OS; why put all your passwords there?

    Mozilla is just throwing more spaghetti at the wall with this one. I guess I would prefer to see them making a password manager rather than trying to play politics, but really, is another password manager what we need?

    What would be REALLY useful is for Mozilla to launch a fully open source VPN, kind of like Tor but with no hidden services so that it appeals to everyday mass users without the stigma of Tor. They could monetize it with subscription options, as long as the program and server code is all open.

    1. Re:Better idea for Mozilla by scdeimos · · Score: 1

      Why not just use KeePassX? If your password manager is stored in your browser, that makes it harder to export cross-platform. Also, the browser is the most vulnerable program in the OS; why put all your passwords there?

      Totally this.

      It's common for users, especially in IT circles, to install and use multiple browsers for development, testing or even (still) backwards compatibility for ActiveX controls. Another advantage for KeePass/KeePassX is that it can integrate with all these browsers on Windows, Linux and macOS so you're keeping a single secure password store instead of potentially dozens.

  17. WHY? by Anonymous Coward · · Score: 0

    Why would they do this? It's not like client certificates on Android are already working.

  18. Why not integrate with extant PW managers? by jbn-o · · Score: 1

    Why should a Firefox user want a separate password manager only for the browser, not integrated with the password manager they already have as part of the OS (for those systems that already have password managers)?

    I could see a separate password manager for systems that don't have one, but not integrating with any system (even free systems) ever? I see how reinventing the wheel might be easier for Firefox developers, but how about in terms of what's in the best interest of the user (which, I'm guessing, doesn't mean learning multiple password managers to accomplish the same task)?

  19. Why use a browser based password manager? by Anonymous Coward · · Score: 0

    1. It's tied to just that browser. I need passwords for other browsers, and non-browser apps too.
    2. It's embedded in complex software so arguably harder to validate.

    As a developer on Linux, I love passwordstore.org. Combined with dmenu+xdotool, I can search for a password quickly and inject it via X without using the clipboard. It works with pretty much any app. It uses GnuPG for encrypting everything, so it's probably quite secure. It uses Git to store the encrypted data, so I have a record of changes, and can 'git push' to backup the data to a secure server under my control.

    In comparison, a password manager locked to just one browser seems overly limiting.