Firefox To Get a Better Password Manager (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee use only at first, but users can install it by going to this or this link. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.
You are correct, what is described here is not new. What would be useful is being able to sync your passwords on different computers while using a master password. As it now stands, you have to select one feature or the other. That question was not addressed in the linked article.
While Firefox has a good core password management application, it does need to be refreshed with more than just a new UI. They should keep some of the main features of course, such as bringing back Sync integration for Lockbox; I'm sure that will come in time. However, they can do so much better and go much farther with a new project like Lockbox.
Assuming they bring back all of the current (as of Firefox 57) features of the default password manager including Sync support natively, it's time to start with true improvements. For instance, I use what is now a Legacy addon called Password Exporter - https://addons.mozilla.org/en-... - to import or export into standard .xml or .csv files. This should be a native feature of Firefox's new "Lockbox", especially as it is one of the many extensions that at the moment will no longer work at 57, because there is no proper API under WebExtensions to replicate how/what it does! Native support should be better, plus they should also add full encryption of the database as well as obfuscation options.
This brings me to the really big feature I'd like to see in Lockbox - full integration with other password managers and their APIs, from LastPass and Dashlane that are common but insecure, to SpiderOak's Encryptr, to one of my personal favorites and ideal targets - Keepass (latest gen databases from both Keepass 2.x and KeepassXC etc). I'll focus on Keepass in the discussion from here on, but if a user has a password manager of preference - web based or otherwise - and there is an API for it, it would be nice if Firefox (and other Mozilla products in the future... oh how I wish to see more work on Thunderbird!) would make use of them. Right now, users of Keepass 2.x style .kdbx databases can have some degree of integration with Firefox thanks to addons, from PassIFox to the excellent KeeFox (which has a WebExtensions rewrite under the name "Kee"), allowing Firefox to sidestep the native password manager and instead record to/from Keepass databases. In order to do this, there is need for Keepass clients to support KeepassHTTP (at minimum) or KeepassRPC (which I am led to believe is a more secure way of transmitting this info), because there's sort of a required kludge of "reaching over" the native Firefox password manager and whatnot. Lockbox should be developed in such a way as to natively support integrating with a Keepass database using multiple secure methodologies. Ideally, once the rest was handled, this would add support for Firefox Account / Sync to handle syncing an entire .kdbx database if the user wishes to do so, providing an open alternative to the kind of thing that many users do at the moment, such as uploading their database to Google Drive etc. Lockbox could also be designed to handle next-gen open source encryption seamlessly (including things like GnuPG / OpenPGP implementations), which could be useful to say... allow other Mozilla products such as Thunderbird to access ProtonMail securely - something it can't do currently.
Likewise, support for HOTP / TOTP and the recent FIDO U2F, along with custom secure PIM storage besides just plain passwords and usernames, could expand functionality.
There's a lot of potential for an enhanced PW manager with Lockbox. Firefox's current Sync'd password manager is a great feature and one of the few password managers that is both open and easy to use for people who may never have used a password manager in the past yet now find it incredibly useful; I can't tell you how often a family member has been saved from a password reset because they can go into the Firefox Options and browse through their usernames and passwords. Let's hope Lockbox keeps what's great and expands upon it.
With Mozilla's sync service, which includes password sync, you can run the sync server yourself if you want:
https://github.com/mozilla-ser...
Just don't use a password manager; it's so simple. I don't use the one on OSX, and I try hard to train my mother to not use the browser password manager. Her computer has a problem and we find out she literally does not know any of her passwords because she hasn't had to type one in for years; but it's easy enough to break into the password file with just a few Google searches.
I type in my own passwords manually. I have an encrypted file with the low security passwords (all those "you must register to see our web site" ones). For important passwords at home I have the passwords in a file on a removable thumb drive, and it is removed immediately after use.
Yes, it is more inconvenient that way. But security is not convenient! The more convenience you add to security or the more convenience the user takes, the less secure the overall result. This is a fundamental security concept. Users reuse the same password for convenience and the result is less secure; if the OS offers one-stop storage of passwords for convenience, it becomes less secure.
I.e., I know my work has shared plaintext passwords with third parties. In that I got an email from an outsourced training class, and the email listed the default password for me to log in, which was identical to a previous work login password I had used. Good operating systems never store or transmit a password but use a hash instead; so clearly something at work was seriously broken. Using the keystore on my computer would be a mistake in such an environment.
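The "store a hash, never the password" principle the comment above relies on, shown as an added Python example that is not part of this thread or of any Mozilla code. It assumes PBKDF2-HMAC-SHA256 from the standard library with a per-user random salt and a chosen iteration count of 600,000 (a parameter picked for this example, not something the page specifies), and a record layout of my own (`pbkdf2_sha256$iterations$salt$hash`). It also demonstrates why the situation described in the comment (the same password turning up in plaintext in two places) cannot happen with salted hashes: the same password stored for two accounts yields two different records, and neither contains the password.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, Optional

ALGORITHM = "pbkdf2_sha256"
# Assumed work factor for this example; tune to your hardware budget.
ITERATIONS = 600_000
SALT_BYTES = 16
KEY_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and return a self-describing storage record.

    The record carries the algorithm, iteration count and salt so the
    parameters can be raised later without invalidating old records.
    """
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                 salt, iterations, dklen=KEY_BYTES)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the hash from the stored parameters and compare in constant time."""
    try:
        algorithm, iterations, salt_b64, hash_b64 = record.split("$")
    except ValueError:
        return False
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                                    salt, int(iterations), dklen=len(expected))
    # hmac.compare_digest avoids leaking where the first mismatching byte is.
    return hmac.compare_digest(candidate, expected)


def store_two_accounts(shared_password: str) -> Dict[str, str]:
    """Constructed scenario: two accounts happen to use the same password.

    Returns the stored records; neither record contains the plaintext and
    the two records differ because each got its own random salt.
    """
    return {
        "alice": hash_password(shared_password),
        "bob": hash_password(shared_password),
    }


def records_leak_plaintext(records: Dict[str, str], password: str) -> bool:
    """True if the plaintext password appears anywhere in the stored records."""
    return any(password in rec for rec in records.values())


if __name__ == "__main__":
    records = store_two_accounts("correct horse battery staple")  # constructed sample
    for user, rec in records.items():
        print(user, rec)
    print("records identical:", records["alice"] == records["bob"])
    print("plaintext present:", records_leak_plaintext(records, "correct horse battery staple"))
    print("alice verifies:", verify_password("correct horse battery staple", records["alice"]))
    print("wrong password verifies:", verify_password("Tr0ub4dor&3", records["alice"]))
```

Because the iteration count and salt travel with the record, a server can verify old records while issuing new ones at a higher work factor; a fixed salt passed to `hash_password` reproduces the same record, which is what `verify_password` relies on.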