Slashdot Mirror


Firefox To Get a Better Password Manager (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee-use only at first, but users can install it by going to this or this link. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.


  1. Re:Woo hoo by Anonymous Coward · · Score: 2, Funny

    But back then being an idiot was actually kinda trendy.

    Have you seen who we elected president?

  2. I hope they improved the UI by hackertourist · · Score: 2

    In the old PW manager, when you click the 'Show Passwords' button, Firefox opens the thoroughly useless dialog "Are you sure you want to show your passwords?"

    Confirmations should be reserved for irreversible actions only, and should offer a way to stop the dialog from appearing.

    1. Re:I hope they improved the UI by queazocotal · · Score: 5, Insightful

      Showing your passwords on screen is an irreversible action if someone is watching your screen, or recording it.

    2. Re:I hope they improved the UI by thegarbz · · Score: 1

      if someone is watching your screen

      Irreversible actions here are based on a system level not based on someone looking over your screen. It is reversible in that you can quickly close the window and get right back to where you were with no change at all on your system.

      Now I'm going to click preview, re-read what I wrote, and then confirm my post because Slashdot doesn't let me edit or delete.

    3. Re:I hope they improved the UI by hackertourist · · Score: 1

      Then the dialog should at least indicate that. As it stands now it is more likely to generate the reaction, "well duh, of course I want to see my passwords. That's why I clicked the button marked 'show passwords', damn it."

    4. Re:I hope they improved the UI by rjune · · Score: 2

      I have a master password set. Firefox requires it to be entered to show passwords. I consider that to be good security measure.

    5. Re:I hope they improved the UI by TheRaven64 · · Score: 1

      The UI is the least of their problems, the big issue is the security architecture. If I compromise a tab that's displaying Slashdot, I should be able to get access to the password for Slashdot (maybe), but definitely not for any other site. With Firefox, the password manager runs in the same address space as all of the tabs and has all of your passwords in memory. A single libpng or libjpg arbitrary code execution vulnerability and a malicious image can expose all of your passwords to an attacker. A single libavcodec or libavformat arbitrary code execution vulnerability and a malicious video or audio file can expose all of your passwords to an attacker. Go and look at the CVE lists for these projects and decide whether you'd trust Firefox with a password...

      --
      I am TheRaven on Soylent News

    6. Re:I hope they improved the UI by UnknowingFool · · Score: 1

      I think one complaint is that it shows you all your passwords and not just a selected password.

      --
      Well, there's spam egg sausage and spam, that's not got much spam in it.

    7. Re:I hope they improved the UI by thegarbz · · Score: 1

      Requiring a password and requiring confirmation for an action that has no lasting effect are not the same thing.

    8. Re:I hope they improved the UI by queazocotal · · Score: 1

      And this is why UI designers that do not think about guidelines needing to be flexible need to be punched in the face really hard.

      Exceptions occur, and choosing to justify default by 'global spec says so' rather than thinking about the actual use-case and doing it differently because it's better for users is not a good thing.

    9. Re: I hope they improved the UI by sound+vision · · Score: 1

      Exactly... Function should dictate UI, not the other way around.

  3. Re:Woo hoo by Anonymous Coward · · Score: 2

    Your signature says it all

  4. Master password is new? by LostOne · · Score: 4, Insightful

    I seem to have been using a master password with Firefox's password manager thing for ages so unless I'm delusional, that's not new functionality. Why is the existence of a semi-functional (can't be reset currently) master password on this "lockbox" thing even an important development? Does it protect something the existing implementation doesn't? Indeed, why do I even need an "improved" password manager when the existing one actually works? (Well, a UI button would be nice on occasion, sure, but that seems a fairly trivial thing to add and wouldn't need any fancy beta/alpha development phase.)

    --
    If it works in theory, try something else in practice.

    1. Re:Master password is new? by rjune · · Score: 3, Interesting

      You are correct, what is described here is not new. What would be useful is being able to sync your passwords on different computers while using a master password. As it now stands, you have to select one feature or the other. That question was not addressed in the linked article.

    2. Re:Master password is new? by ctilsie242 · · Score: 1

      It would be nice to have some added security with data sitting on a cloud provider, so someone who grabs the password database can't just brute-force a password. With some password managers, one can have a sync password that is different from the one used to access the DB, so one can have a 64 character password for that, and a shorter one for access on the local machine. Other password managers require endpoints to be "introduced", and store the database encrypted, with the master key to the DB encrypted to each endpoint's private key. That way, there is no password that can be guessed.

      What I really detest is how utilities like mSecure (and to a lesser extent, 1Password) have moved. Want to use them? You have to use their cloud specific cloud, which has no certifications other than "we use AES-256". If I want to use someone's proprietary cloud for passwords, I would use LastPass which at least has been proven to mitigate attacks with its structure. Who knows how these guys store their DB... it could be stashed in a publicly accessible S3 bucket, for all we know.

    3. Re:Master password is new? by Anonymous Coward · · Score: 1

      You can use the master password and Firefox password sync feature. I do so without any issue between multiple browsers and operating systems.

      To be clear, the password sync feature protects which clients are allowed to push or pull passwords over an encrypted medium.
      The master password feature protects whether the passwords are stored locally encrypted or not and if a password must be entered to use a password.

      Each browser uses the same email address/password to access sync feature.
      Each browser uses different master password to protect passwords locally. You can choose to use the same or different master password, but that master password is not synchronized.

      If you forget the master password of a single client, you will have to reset your Firefox profile, set up a new master password and provide sync email/password.
      If you forget the sync password, you can reset it via your email but you cannot retrieve the passwords. You can however push the existing passwords from another client where you know its master password and it is still set up to sync.
      If you forget the master password of all clients and your sync password, you cannot recover your passwords at all.

    4. Re:Master password is new? by Vairon · · Score: 3, Interesting

      With Mozilla's sync service, which includes password sync, you can run the sync server yourself if you want:

      https://github.com/mozilla-ser...

    5. Re:Master password is new? by ftobin · · Score: 1

      I've been using synced passwords with a master password for 10+ years now, if not longer. Why do you suggest it's not supported?

    6. Re:Master password is new? by Kkloe · · Score: 1

      I have also been using the master password in combination with "saved password editor", why have ui-button to clog more stuff in the bar than have it in the menu as this has?
      https://addons.mozilla.org/en-...

  5. There's the problem by Anonymous Coward · · Score: 1, Funny

    Now I see the problem with Mozilla. They hire engineers instead of software developers.

    It's good that they don't hire programmers, but really they need software developers and not engineers.

  6. Password API by brianerst · · Score: 1

    I'd rather see some sort of Password API that would allow LastPass or Dashlane to be the backend (or front end) for Firefox's password cache. The existing functionality of these systems is OK but kind of hackworthy.

    If I generate a password in LastPass, there's only a 30% chance LastPass will actually store that password - it gets confused very easily and suddenly you have a website that has a password that you don't have any more. (My workflow lately is to open a text editor, generate the password, copy it, paste it into the editor, then paste it into the website and update LastPass after everything has changed).

    But Firefox is generally really good at grabbing and storing new and changed passwords. So some version of using Firefox's front-end feeding into LastPass's backend would be perfect (for me).

    I can see the (different) security implications of either a front-end or back-end hook, so I'm not sure if Mozilla would ever implement such a scheme, but some way of integrating third-party password managers in a better way would be nice.

    1. Re:Password API by darkNeko · · Score: 1

      Keepass integration with PassIFox on Firefox works great, but I see it's not for everyone. I prefer to keep my passwords file offline and synchronize it with my own means among devices.

    2. Re:Password API by 93+Escort+Wagon · · Score: 1

      I can see the (different) security implications of either a front-end or back-end hook, so I'm not sure if Mozilla would ever implement such a scheme, but some way of integrating third-party password managers in a better way would be nice.

      Firefox on OS X (aka macOS) has worked this way for years - it ties into the built-in encrypted keychain. It started out as a plugin, but IIRC it's now part of the core (I stopped using Firefox a few years ago, so it's possible I'm remembering incorrectly).

      So it would seem the hooks are already present - it's just a question whether they're written in an extensible way, or if it's a horrible kludge written specifically for the OS X Keychain.

      --
      #DeleteChrome

  7. Re:Woo hoo by e432776 · · Score: 1

    I dunno, seems like important core functionality. Lastpass is popular, and certainly "exciting" to many people. If Mozilla can pull something off that does not involve servers/machines I don't own and control but allows me to share passwords between machines- that would seem pretty news worthy.

  8. Make it accessible outside Firefox by Tester · · Score: 1

    It would be amazing if Firefox's password manager could be used by the new Auto-Fill API on Android so I can use a service I can trust instead of a commercial service like LastPass...

  9. Re:NIH syndrome by squiggleslash · · Score: 1

    | Because Keepass is a third party application that Mozilla cannot just co-opt like that, and in any case Keepass can write their own Firefox extensions to do the integration (if they haven't already.)

    --
    You are not alone. This is not normal. None of this is normal.

  10. Re:To little to late. by pedz · · Score: 1

    I use LastPass too. Do you like the new UI? I'm using Firefox on a Mac. It is horrible compared to what it was before. I'm tempted to find another alternative.

  11. Somewhere Al Gore is pissed by xxxJonBoyxxx · · Score: 1

    >> Lockbox

    Somewhere Al Gore is pissed

    https://www.nbc.com/saturday-night-live/video/cold-opening-gore--bush-first-debate/n11360
    (See 9:00 - end)

  12. Comment removed by account_deleted · · Score: 3, Insightful

    Comment removed based on user account deletion

  13. Needs Keepass, im/export, Sync, APIs, +more by RanceJustice · · Score: 3, Interesting

    While Firefox has a good core password management application, it does need to be refreshed with more than just a new UI. They should keep some of the main features of course, such as bringing back Sync integration for Lockbox; I'm sure that will come in time. However, they can do so much better and go much farther with a new project like Lockbox.

    Assuming they bring back all of the current (as of Firefox 57) features of the default password manager including Sync support natively, it's time to start with true improvements. For instance, I use what is now a Legacy addon called Password Exporter - https://addons.mozilla.org/en-... - to import or export into standard .xml or .csv files. This should be a native feature of Firefox's new "Lockbox", especially as it is one of the many extensions that at the moment will no longer work at 57, because there is no proper API under WebExtensions to replicate how/what it does! Native support should be better, plus they should also add full encryption of the database as well as obfuscation options.

    This brings me to the really big feature I'd like to see in Lockbox - full integration with other password managers and their APIs, from LastPass and Dashlane that are common but insecure, to SpiderOak's Encryptr, to one of my personal favorites and ideal targets - Keepass (latest gen databases from both Keepass 2.x and KeepassXC etc). I'll focus on Keepass in the discussion from here on, but if a user has a password manager of preference -web based or otherwise - and there is an API for it, it would be nice if Firefox (and other Mozilla products in the future...oh how I wish to see more work on Thunderbird!) would make use of them. Right now, users of Keepass 2.x style .kdbx databases can have some degree of integration with Firefox thanks to addons, from PassIFox to the excellent KeeFox (which has a WebExtensions rewrite under the name "Kee"), allowing Firefox to sidestep the native password manager and instead record to/from Keepass databases. In order to do this, there is need for Keepass clients to support KeepassHTTP (at minimum) or KeepassRPC (which I am to believe is a more secure way of transmitting this info), because there's sort of a required kludge of "reaching over" the native Firefox password manager and whatnot. Lockbox should be developed in such a way to natively support integrating with a Keepass database using multiple secure methodologies. Ideally, once the rest was handled this would support for Firefox Account / Sync to handle syncing an entire .kdbx database if the user wishes to do so, providing an open alternative to the kind of thing that many users do at the moment, such as uploading their database to Google Drive etc. Lockbox could also be designed with handling next-gen open source encryption seamlessly (including things like GnuPG / OpenPGP implementations) which could be useful to say... allow other Mozilla products such as Thunderbird to access ProtonMail securely - something it can't do currently. Likewise, support for HOTP / TOTP / and the recent FidoU2F, along with custom secure PIM storage besides just plain passwords and usernames, could expand functionality.

    There's a lot of potential for an enhanced PW manager with Lockbox. Firefox's current Sync'd password manager is a great feature and one of the few password managers that is both open and easy to use for people who may never have used a password manager in the past yet now find it incredibly useful; I can't tell you how often a family member has been saved from a password reset because they can go into the Firefox Options and browse through their usernames and passwords. Let's hope Lockbox keeps what's great and expands upon it.

  14. Re:NIH syndrome by SScorpio · · Score: 1

    There is a great Keepass extension called KeeFox. Which will promptly stop working in a few weeks when Firefox 57 kills off "legacy" extensions.

  15. Re:NIH syndrome by unrtst · · Score: 1

    Keepass is open source. They could coopt it.
    Keepass 1.x has been ported to just about every platform, and would likely be fairly easy to utilize as the backend storage, and even has APIs for accessing the DBs and such.
    Keepass 2.x, while open source, is only available in .Net (C#/C++, can run under windows, via mono on other OSes, or via wine).

    That said, I think there would be little benefit to using it. It would be nice to know I could access the encrypted blob via a separate program, also completely offline, but they could alternatively offer some sort of export or sync or something to other formats, including the keepass 1.x or 2.x format, and that'd be enough for me. AFAICT, they don't offer either of those yet, so I'll stick with my own.

  16. Re:Woo hoo by sexconker · · Score: 1

    Psych!

  17. Re:NIH syndrome by sexconker · · Score: 1

    They are legacy, there is no need to quote the word. The move to WebExtensions is needed to facilitate better security. The current add-in system has free rein to do anything it wants in the browser.

    The move to WebExtensions is needed to copy Chrome and remove a ton of choice and control from users.
    If you're worried about security with NPAPI/XUL/"legacy" plugins, there's a simple solution: DON'T INSTALL MALICIOUS PLUGINS.

  18. Re:Just use the OS password manager! by sexconker · · Score: 1

    Start
    Credential Manager

    Store credentials for automatic logon

    Use Credential Manager to store credentials, such as user names and passwords, in vaults so you can easily log on to computers or websites."

  19. Re:NIH syndrome by SScorpio · · Score: 1

    Give Waterfox a try. I've used it as my daily driver for the last six weeks or so and all extensions are working fine.

  20. Re:NIH syndrome by JackieBrown · · Score: 1

    Like adding pocket instead of just making their own version? I think they probably learned their lesson on that.

  21. Re:NIH syndrome by TheRaven64 · · Score: 1

    That's only half of the solution. The other fix you need is: don't visit malicious web sites. A password manager plugin should be split into one part that maintains the DB and one part that runs in the context of each tab and has access to only the passwords that that tab requires. With the old Firefox extension model, there is no way of doing that (all tabs run in the same context) and so a compromise of one tab will compromise all secret information owned by the extension. There's no way to fix this without a complete redesign.

    --
    I am TheRaven on Soylent News

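The split TheRaven64 describes, a vault in its own process and a per-tab part that can reach only that tab's own credential, as an added illustration (not Firefox code and not from any commenter). It assumes a trusted browser core that knows each tab's real origin and relays all vault traffic; the vault contents and origins are constructed samples.

```python
"""Origin-scoped password broker.

The vault runs in a separate process, so a tab that is compromised (say by
a malformed image) does not share an address space with the stored
passwords.  The vault hands a tab only the credential for the origin the
browser core bound to that tab's channel; the origin never comes from the
(untrusted) tab's request.  Added example with constructed sample data.
"""
import multiprocessing as mp
from urllib.parse import urlsplit

# Constructed sample vault contents: origin -> (username, password).
SAMPLE_VAULT = {
    "https://slashdot.org": ("nerd42", "pw-slashdot-sample"),
    "https://bank.example": ("acct-7", "pw-bank-sample"),
}


def origin_of(url: str) -> str:
    """Normalise a URL to its scheme://host[:port] origin."""
    p = urlsplit(url)
    return f"{p.scheme}://{p.netloc}".lower()


def vault_lookup(vault: dict, bound_origin: str, requested_url: str) -> dict:
    """Policy check: a channel bound to origin X may fetch only X's credential.
    bound_origin is what the core recorded; requested_url is tab-controlled."""
    if origin_of(requested_url) != bound_origin:
        return {"ok": False, "error": "origin mismatch"}
    cred = vault.get(bound_origin)
    if cred is None:
        return {"ok": False, "error": "no credential"}
    return {"ok": True, "username": cred[0], "password": cred[1]}


def vault_process(vault: dict, conn) -> None:
    """Body of the vault process.  Only the core talks on this pipe: it
    registers channel->origin bindings and relays tab fetch requests."""
    bindings = {}
    while True:
        msg = conn.recv()
        if msg["kind"] == "bind":          # from the core only
            bindings[msg["channel"]] = origin_of(msg["url"])
        elif msg["kind"] == "fetch":       # relayed on behalf of a tab
            bound = bindings.get(msg["channel"])
            if bound is None:
                conn.send({"ok": False, "error": "unbound channel"})
            else:
                conn.send(vault_lookup(vault, bound, msg["url"]))
        elif msg["kind"] == "stop":
            conn.close()
            return


class BrowserCore:
    """Trusted side: owns the pipe, assigns channel ids and records each
    tab's true origin.  Tab content never touches the pipe directly."""

    def __init__(self, vault_contents: dict):
        self.conn, child = mp.Pipe()
        self.proc = mp.Process(target=vault_process, args=(vault_contents, child))
        self.proc.start()
        child.close()
        self._next_channel = 0

    def open_tab(self, url: str) -> int:
        chan = self._next_channel
        self._next_channel += 1
        self.conn.send({"kind": "bind", "channel": chan, "url": url})
        return chan

    def tab_fetch(self, chan: int, url: str) -> dict:
        """All a tab can do: ask for a URL's credential.  The channel id is
        filled in by the core, so a compromised tab cannot impersonate another."""
        self.conn.send({"kind": "fetch", "channel": chan, "url": url})
        return self.conn.recv()

    def shutdown(self) -> None:
        self.conn.send({"kind": "stop"})
        self.proc.join()


def run_demo() -> dict:
    """A Slashdot tab fetches its own credential, then (as if compromised)
    tries the bank's; the second request is refused by the vault."""
    core = BrowserCore(SAMPLE_VAULT)
    slashdot_tab = core.open_tab("https://slashdot.org/story/123")
    try:
        own = core.tab_fetch(slashdot_tab, "https://slashdot.org/login")
        other = core.tab_fetch(slashdot_tab, "https://bank.example/login")
        return {"own": own, "other": other}
    finally:
        core.shutdown()


if __name__ == "__main__":
    print(run_demo())
```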
  22. Re:NIH syndrome by ctilsie242 · · Score: 1

    KeePassXC might be a suitable replacement. I like KeePass's password generator, especially with the fact that it can generate via templates and use input from the keyboard/mouse to supplement the RNG. However, KeePass isn't the only game in town.

  23. Re:NIH syndrome by David_Hart · · Score: 1

    There is a great Keepass extension called KeeFox. Which will promptly stop working in a few weeks when Firefox 57 kills off "legacy" extensions.

    Kee 2.0 is under development and will allow you to continue using KeePass with Firefox and other browsers. At least that's what is being promised.

    https://www.kee.pm/

  24. Re:Just use the OS password manager! by UnknowingFool · · Score: 1

    (I'm assuming even Windows and macOS have password managers for ages now. I haven't checked though.)

    Then you would assume wrong. Windows has not had a central password manager "for ages" now. MacOS has one integrated with Safari but it does not work directly with other browsers. The integration with Safari means that it detects the presence of a password dialog and suggests a random password for the site that more or less obeys the site rules. If you agree then it saves the password for you if you want. In MacOS the password manager has a feature to externally generate passwords with options to set the rules and difficulty so you could use it manually with other browsers.

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.

  25. So they knew by ourlovecanlastforeve · · Score: 1

    This seems to imply that Firefox's developers know that their existing password storage mechanism is inadequate yet chose not to tell users until they were well into the development cycle for a replacement.

  26. Re:NIH syndrome by sexconker · · Score: 1

    That's only half of the solution. The other fix you need is: don't visit malicious web sites. A password manager plugin should be split into one part that maintains the DB and one part that runs in the context of each tab and has access to only the passwords that that tab requires. With the old Firefox extension model, there is no way of doing that (all tabs run in the same context) and so a compromise of one tab will compromise all secret information owned by the extension. There's no way to fix this without a complete redesign.

    You still need the "don't visit malicious websites" "fix" regardless of plugins or which browser you use.

    And no, you don't need 2 contexts for extensions. There is one context governing the browser and its extensions - the user's context. If a tab should not be able to reach into an extension and get shit from another tab, the extension should prevent that. Maybe that's exactly what you want to do with that particular extension.

  27. Re:Just use the OS password manager! by Darinbob · · Score: 3, Interesting

    Just don't use a password manager; it's so simple. I don't use the one on OSX, and I try hard to train my mother to not use the browser password manager. Her computer has a problem and we find out she literally does not know any of her passwords because she hasn't had to type one in for years; but easy enough to break in to the password file with just a few google searches.

    I type in my own passwords manually. I have an encrypted file with the low security passwords (all those "you must register to see our web site" ones). For important passwords at home I have the passwords in a file on a removable thumb drive, and it is removed immediately after use.

    Yes, it is more inconvenient that way. But security is not convenient! The more convenience you add to security or the more convenience the user takes, the less secure the overall result. This is a fundamental security concept. Users re-use the same password for convenience and the result is less secure; if the OS offers a one stop storage of passwords for convenience, the less secure it becomes.

    I.e., I know my work has shared plaintext passwords with third parties. In that I got email from an outsourced training class, and the email listed the default password for me to login which was identical to a previous work login password I had used. Good operating systems never store or transmit a password but use a hash instead; so clearly something at work was seriously broken. Using the keystore on my computer would be a mistake in such an environment.

  28. Re:facepalm by CaptainDork · · Score: 1

    Agree.

    I have never used a password manager.

    I have a scheme whereby, when I look at a login page, I can use the address to reconstruct the appropriate password according to a mental algorithm.

    I go back to stories like this one

    LastPass Hacked, Change Your Master Password Now by Eric Ravenscraft, 6/15/15 3:30pm.

    --
    It little behooves the best of us to comment on the rest of us.

  29. Re:NIH syndrome by TheRaven64 · · Score: 1

    The extension can only do that if the tabs are different sandboxes (typically different processes). Firefox does not currently do that and cannot switch to the security model that all other modern browsers including Edge use until they remove the current extensions mechanism.

    --
    I am TheRaven on Soylent News

  30. Re:Just use the OS password manager! by cerberusss · · Score: 1

    For important passwords at home I have the passwords in a file on a removeable thumb drive

    Pffff amateur.

    I have my important passwords engraved on the business end of my 12-gauge sawed-off shotgun. Should the security be an issue, I only have to pull the trigger and bury the body in my back yard.

    --
    8 of 13 people found this answer helpful. Did you?

  31. Re:Just use the OS password manager! by Anonymous Coward · · Score: 2, Insightful

    Security is not inversely correlated with convenience. Quit spreading that myth. What is dangerous is people using short, weak passwords on multiple sites all because they need to remember it, and most browser password managers can be encrypted with a master file, making it almost as secure as, if not just as secure as your usb trick, and the fact that your usb is plugged in for a few moments doesn't mean anything. It's more than enough for your password to be snagged by a trojan or malware. If a virus can compromise a browser password manager, then it's already gained access to the actual system and your usb would be just as vulnerable.

  32. Re:NIH syndrome by Anonymous Coward · · Score: 1

    So your solution to your preferred extensions no longer working on a future version of Firefox is to use a completely different browser where none of those extensions work. Got it.

  33. Re:NIH syndrome by mattventura · · Score: 1

    Guess what: ANY software I install on my PC has free rein to do whatever it wants with my browser (and the rest of my software too). Rather than crippling admins for the rest of us, just don't install software (browser admins or otherwise) that you don't trust.

  34. Re:Better idea for Mozilla by scdeimos · · Score: 1

    Why not just use KeePassX? If your password manager is stored in your browser, that makes it harder to export cross-platform. Also, the browser is the most vulnerable program in the OS; why put all your passwords there?

    Totally this.

    It's common for users, especially in IT circles, to install and use multiple browsers for development, testing or even (still) backwards compatibility for ActiveX controls. Another advantage for KeePass/KeePassX is that it can integrate with all these browsers on Windows, Linux and macOS so you're keeping a single secure password store instead of potentially dozens.

  35. Why not integrate with extant PW managers? by jbn-o · · Score: 1

    Why should a Firefox user want a separate password manager only for the browser, not integrated with the password manager they already have as part of the OS (for those systems that already have password managers)?

    I could see a separate password manager for systems that don't have one, but not integrating with any system (even free systems) ever? I see how reinventing the wheel might be easier for Firefox developers, but how about in terms of what's in the best interest of the user (which, I'm guessing, doesn't mean learning multiple password managers to accomplish the same task)?

  36. Re:Just use the OS password manager! by UnknowingFool · · Score: 1

    I guess you really don't know Firefox as this article was talking about the built-in password manager. Not an extension. Speaking of extension, you are aware the current integration is not going to work after Firefox 57?

    --
    Well, there's spam egg sausage and spam, that's not got much spam in it.

  37. Re:NIH syndrome by SScorpio · · Score: 1

    Thanks for the info. I'll check it out once it's out of beta.

    I'll have to see about my other 80% of the plugins I used that are also "legacy".

  38. Re:NIH syndrome by knorthern+knight · · Score: 1

    > The other fix you need is: don't visit malicious web sites.

    You mean sites like The New York Times, the BBC, MSN, and AOL? https://arstechnica.com/inform...

    Or Forbes? https://www.fireeye.com/blog/t...

    It's gotten so bad that "Mainstream Web Sites Are More Risky than Porn Sites" according to Cisco. https://www.esecurityplanet.co...

    Assume that *EVERY* site you visit is compromised. If your OS/browser combo can't handle that, look at different software.

    --

    I'm not repeating myself
    I'm an X window user; I'm an ex-Windows user

  39. Re:NIH syndrome by TheRaven64 · · Score: 1

    Exactly my point. The Firefox extension model is probably fine for a password manager if you only use it for web sites that you completely control. Anything else? Not so much.

    --
    I am TheRaven on Soylent News