Firefox To Get a Better Password Manager (bleepingcomputer.com)
Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee-use only at first, but users can install it by going to this or this link. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.
Re: (Score:2, Funny)
But back then being an idiot was actually kinda trendy.
Have you seen who we elected president?
Hoot's law (Score:1)
What's the saying? "Doing the same thing over and over expecting a different result is a sign of insanity." Well, when people unhappy with how things have been going were given the choice between the same thing and something different, wanting a different result, they went with something different.
Hoot’s Law: “No matter how bad things are, you can always make them worse.”
--Hoot Gibson (as recounted by Charles Boldin)
Or, perhaps this quote is more to the point:
"When you say, 'It can’t get any worse!' You're essentially challenging the universe to do exactly that.”
--Kamand Kojouri
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Psych!
I hope they improved the UI (Score:3)
In the old PW manager, when you click the 'Show Passwords' button, Firefox opens the thoroughly useless dialog "Are you sure you want to show your passwords?"
Confirmations should be reserved for irreversible actions only, and should offer a way to stop the dialog from appearing.
Re:I hope they improved the UI (Score:5, Insightful)
Re: (Score:2)
if someone is watching your screen
Irreversible actions here are based on a system level not based on someone looking over your screen. It is reversible in that you can quickly close the window and get right back to where you were with no change at all on your system.
Now I'm going to click preview, re-read what I wrote, and then confirm my post because Slashdot doesn't let me edit or delete.
Re: (Score:2)
Exceptions occur, and choosing to justify default by 'global spec says so' rather than thinking about the actual use-case and doing it differently because it's better for users is not a good thing.
Re: I hope they improved the UI (Score:2)
Re: (Score:2)
Then the dialog should at least indicate that. As it stands now it is more likely to generate the reaction, "well duh, of course I want to see my passwords. That's why I clicked the button marked 'show passwords', damn it."
Re: (Score:2)
Re: (Score:3)
I have a master password set. Firefox requires it to be entered to show passwords. I consider that to be a good security measure.
Re: (Score:2)
Requiring a password and requiring confirmation for an action that has no lasting effect are not the same thing.
Re: (Score:2)
Why not integrate with extant PW managers? (Score:2)
Why should a Firefox user want a separate password manager only for the browser, not integrated with the password manager they already have as part of the OS (for those systems that already have password managers)?
I could see a separate password manager for systems that don't have one, but not integrating with any system (even free systems) ever? I see how reinventing the wheel might be easier for Firefox developers, but how about in terms of what's in the best interest of the user (which, I'm guessing, doe
Re: (Score:2)
Re: (Score:2)
There is a great Keepass extension called KeeFox. Which will promptly stop working in a few weeks when Firefox 57 kills off "legacy" extensions.
Re: (Score:2)
They are legacy, there is no need to quote the word. The move to WebExtensions is needed to facilitate better security. The current add-in system has free rein to do anything it wants in the browser.
The move to WebExtensions is needed to copy Chrome and remove a ton of choice and control from users.
If you're worried about security with NPAPI/XUL/"legacy" plugins, there's a simple solution: DON'T INSTALL MALICIOUS PLUGINS.
Re: (Score:2)
Re: (Score:2)
That's only half of the solution. The other fix you need is: don't visit malicious web sites. A password manager plugin should be split into one part that maintains the DB and one part that runs in the context of each tab and has access to only the passwords that that tab requires. With the old Firefox extension model, there is no way of doing that (all tabs run in the same context) and so a compromise of one tab will compromise all secret information owned by the extension. There's no way to fix this without a complete redesign.
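The split design proposed in the comment above (vault in one privileged context, per-tab code that only sees its own site's entries) as an added example in WebExtensions terms; this is not Lockbox, KeeFox or any Mozilla code, and the vault entries and tab URLs are constructed sample data. The handler trusts only the origin the browser reports in `sender.tab.url`, never one supplied in the message body.

```javascript
"use strict";

// Constructed sample vault (hypothetical entries, not real credentials). In a
// real extension this would live only in the background script's memory.
const VAULT = [
  { origin: "https://example.com",  username: "alice", password: "pw-example" },
  { origin: "https://bank.example", username: "alice", password: "pw-bank" },
  { origin: "http://intranet.test", username: "bob",   password: "pw-intranet" },
];

// Reduce a URL to its origin (scheme + host + port); throws on unparsable input.
function originOf(url) {
  return new URL(url).origin;
}

// The single request type the per-tab side may send. `sender` is the metadata
// the browser attaches to runtime messages; the message body is untrusted.
function handleMessage(msg, sender) {
  if (!msg || msg.type !== "get-credentials") {
    return { error: "unsupported request", credentials: [] };
  }
  if (!sender || !sender.tab || typeof sender.tab.url !== "string") {
    return { error: "no tab context", credentials: [] };
  }
  let origin;
  try {
    origin = originOf(sender.tab.url);
  } catch (e) {
    return { error: "bad tab url", credentials: [] };
  }
  // Only the entries for this tab's origin cross the boundary; a compromised
  // tab therefore learns nothing about other sites' secrets.
  const credentials = VAULT
    .filter((e) => e.origin === origin)
    .map((e) => ({ username: e.username, password: e.password }));
  return { origin, credentials };
}

// Wiring in a real background script would be:
//   browser.runtime.onMessage.addListener((m, s) => Promise.resolve(handleMessage(m, s)));
// Here two simulated tabs show the isolation, including a tab that lies about
// its origin in the message body (which the handler ignores).
function demo() {
  const bankTab = { tab: { id: 1, url: "https://bank.example/login" } };
  const otherTab = { tab: { id: 2, url: "https://other.test/" } };
  return {
    bank: handleMessage({ type: "get-credentials" }, bankTab),
    other: handleMessage({ type: "get-credentials" }, otherTab),
    spoof: handleMessage({ type: "get-credentials", origin: "https://bank.example" }, otherTab),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```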
You still need the "don't visit malicious websites" "fix" regardless of plugins or which browser you use.
And no, you don't need 2 contexts for extensions. There is one context governing the browser and its extensions - the user's context. If a tab should not be able to reach into an extension and get shit from another tab, the extension should prevent that. Maybe that's exactly what you want to do with that particular extension.
Re: (Score:2)
Re: (Score:2)
> The other fix you need is: don't visit malicious web sites.
You mean sites like The New York Times, the BBC, MSN, and AOL? https://arstechnica.com/inform... [arstechnica.com]
Or Forbes? https://www.fireeye.com/blog/t... [fireeye.com]
It's gotten so bad that "Mainstream Web Sites Are More Risky than Porn Sites" according to Cisco. https://www.esecurityplanet.co... [esecurityplanet.com]
Assume that *EVERY* site you visit is compromised. If your OS/browser combo can't handle that, look at different software.
Re: (Score:2)
Re: (Score:2)
Re: (Score:2)
Give Waterfox a try. I've used it as my daily driver for the last six weeks or so and all extensions are working fine.
Re: (Score:1)
So your solution to your preferred extensions no longer working on a future version of Firefox is to use a completely different browser where none of those extensions work. Got it.
Re: (Score:2)
There is a great Keepass extension called KeeFox. Which will promptly stop working in a few weeks when Firefox 57 kills off "legacy" extensions.
Kee 2.0 is under development and will allow you to continue using KeePass with Firefox and other browsers. At least that's what is being promised.
https://www.kee.pm/ [www.kee.pm]
Re: (Score:2)
Thanks for the info. I'll check it out once it's out of beta.
I'll have to see about my other 80% of the plugins I used that are also "legacy".
Re: (Score:2)
Keepass is open source. They could co-opt it.
Keepass 1.x has been ported to just about every platform, and would likely be fairly easy to utilize as the backend storage, and even has APIs for accessing the DBs and such.
Keepass 2.x, while open source, is only available in .Net (C#/C++, can run under Windows, via Mono on other OSes, or via Wine).
That said, I think there would be little benefit to using it. It would be nice to know I could access the encrypted blob via a separate program, also completely offli
Re: (Score:2)
KeePassXC might be a suitable replacement. I like KeePass's password generator, especially with the fact that it can generate via templates and use input from the keyboard/mouse to supplement the RNG. However, KeePass isn't the only game in town.
Re: (Score:2)
Like adding pocket instead of just making their own version? I think they probably learned their lesson on that.
Master password is new? (Score:5, Insightful)
I seem to have been using a master password with Firefox's password manager thing for ages so unless I'm delusional, that's not new functionality. Why is the existence of a semi-functional (can't be reset currently) master password on this "lockbox" thing even an important development? Does it protect something the existing implementation doesn't? Indeed, why do I even need an "improved" password manager when the existing one actually works? (Well, a UI button would be nice on occasion, sure, but that seems a fairly trivial thing to add and wouldn't need any fancy beta/alpha development phase.)
Re:Master password is new? (Score:4, Interesting)
You are correct, what is described here is not new. What would be useful is being able to sync your passwords on different computers while using a master password. As it now stands, you have to select one feature or the other. That question was not addressed in the linked article.
Re: (Score:2)
It would be nice to have some added security with data sitting on a cloud provider, so someone who grabs the password database can't just brute-force a password. With some password managers, one can have a sync password that is different from the one used to access the DB, so one can have a 64 character password for that, and a shorter one for access on the local machine. Other password managers require endpoints to be "introduced", and store the database encrypted, with the master key to the DB encrypted
Re:Master password is new? (Score:4, Interesting)
With Mozilla's sync service, which includes password sync, you can run the sync server yourself if you want:
https://github.com/mozilla-ser... [github.com]
Re: (Score:1)
You can use the master password and firefox password sync feature. I do so without any issue between multiple browsers and operating systems.
To be clear, the password sync feature protects which clients are allowed to push or pull passwords over an encrypted medium.
The master password feature protects whether the passwords are stored locally encrypted or not and if a password must be entered to use a password.
Each browser uses the same email address/password to access sync feature.
Each browser uses differen
Re: (Score:2)
I've been using synced passwords with a master password for 10+ years now, if not longer. Why do you suggest it's not supported?
Re: (Score:2)
https://addons.mozilla.org/en-... [mozilla.org]
There's the problem (Score:1, Funny)
Now I see the problem with Mozilla. They hire engineers instead of software developers.
It's good that they don't hire programmers, but really they need software developers and not engineers.
Re: (Score:2)
Start
Credential Manager
Store credentials for automatic logon
Use Credential Manager to store credentials, such as user names and passwords, in vaults so you can easily log on to computers or websites."
Re: (Score:2)
(I'm assuming even Windows and macOS have had password managers for ages now. I haven't checked though.)
Then you would assume wrong. Windows has not had a central password manager "for ages" now. MacOS has one integrated with Safari but it does not work directly with other browsers. The integration with Safari means that it detects the presence of a password dialog and suggests a random password for the site that more or less obeys the site rules. If you agree then it saves the password for you if you want. In MacOS the password manager has a feature to externally generate passwords with options to set the ru
Re: (Score:2)
Re:Just use the OS password manager! (Score:4, Interesting)
Just don't use a password manager; it's so simple. I don't use the one on OSX, and I try hard to train my mother not to use the browser password manager. Her computer has a problem and we find out she literally does not know any of her passwords because she hasn't had to type one in for years; but it is easy enough to break in to the password file with just a few Google searches.
I type in my own passwords manually. I have an encrypted file with the low security passwords (all those "you must register to see our web site" ones). For important passwords at home I have the passwords in a file on a removable thumb drive, and it is removed immediately after use.
Yes, it is more inconvenient that way. But security is not convenient! The more convenience you add to security or the more convenience the user takes, the less secure the overall result. This is a fundamental security concept. Users re-use the same password for convenience and the result is less secure; if the OS offers one-stop storage of passwords for convenience, the less secure it becomes.
I.e., I know my work has shared plaintext passwords with third parties. In that I got email from an outsourced training class, and the email listed the default password for me to log in, which was identical to a previous work login password I had used. Good operating systems never store or transmit a password but use a hash instead; so clearly something at work was seriously broken. Using the keystore on my computer would be a mistake in such an environment.
Re: (Score:2)
For important passwords at home I have the passwords in a file on a removeable thumb drive
Pffff amateur.
I have my important passwords engraved on the business end of my 12-gauge sawed-off shotgun. Should the security be an issue, I only have to pull the trigger and bury the body in my back yard.
Re: (Score:2, Insightful)
Security is not inversely correlated with convenience. Quit spreading that myth. What is dangerous is people using short, weak passwords on multiple sites all because they need to remember them, and most browser password managers can be encrypted with a master password, making it almost as secure as, if not just as secure as, your USB trick, and the fact that your USB is plugged in for only a few moments doesn't mean anything. It's more than enough for your password to be snagged by a trojan or malware. If a virus can c
Re: (Score:1)
Password API (Score:2)
I'd rather see some sort of Password API that would allow LastPass or Dashlane be the backend (or front end) for Firefox's password cache. The existing functionality of these systems is OK but kind of hackworthy.
If I generate a password in LastPass, there's only a 30% chance LastPass will actually store that password - it gets confused very easily and suddenly you have a website that has a password that you don't have any more. (My workflow lately is to open a text editor, generate the password, copy it, pa
Re: (Score:1)
Re: (Score:2)
I can see the (different) security implications of either a front-end or back-end hook, so I'm not sure if Mozilla would ever implement such a scheme, but some way of integrating third-party password managers in a better way would be nice.
Firefox on OS X (aka macOS) has worked this way for years - it ties into the built-in encrypted keychain. It started out as a plugin, but IIRC it's now part of the core (I stopped using Firefox a few years ago, so it's possible I'm remembering incorrectly).
So it would seem the hooks are already present - it's just a question whether they're written in an extensible way, or if it's a horrible kludge written specifically for the OS X Keychain.
Make it accessible outside Firefox (Score:2)
It would be amazing if Firefox's password manager could be used by the new Auto-Fill API on Android so I can use a service I can trust instead of a commercial service like LastPass...
Re: (Score:2)
Agree.
I have never used a password manager.
I have a scheme whereby, when I look at a login page, I can use the address to reconstruct the appropriate password according to a mental algorithm.
I go back to stories like this one [lifehacker.com]
LastPass Hacked, Change Your Master Password Now by Eric Ravenscraft, 6/15/15 3:30pm.
Somewhere Al Gore is pissed (Score:2)
Somewhere Al Gore is pissed
https://www.nbc.com/saturday-night-live/video/cold-opening-gore--bush-first-debate/n11360
(See 9:00 - end)
Needs Keepass, im/export, Sync, APIs, +more (Score:4, Interesting)
While Firefox has a good core password management application, it does need to be refreshed with more than just a new UI. They should keep some of the main features of course, such as bringing back Sync integration for Lockbox; I'm sure that will come in time. However, they can do so much better and go much farther with a new project like Lockbox.
Assuming they bring back all of the current (as of Firefox 57) features of the default password manager including Sync support natively, it's time to start with true improvements. For instance, I use what is now a Legacy addon called Password Exporter - https://addons.mozilla.org/en-... [mozilla.org] - to import or export into standard .xml or .csv files. This should be a native feature of Firefox's new "Lockbox", especially as it is one of the many extensions that at the moment will no longer work at 57, because there is no proper API under WebExtensions to replicate how/what it does! Native support should be better, plus they should also add full encryption of the database as well as obfuscation options.
This brings me to the really big feature I'd like to see in Lockbox - full integration with other password managers and their APIs, from LastPass and Dashlane that are common but insecure, to SpiderOak's Encryptr, to one of my personal favorites and ideal targets - Keepass (latest gen databases from both Keepass 2.x and KeepassXC etc). I'll focus on Keepass in the discussion from here on, but if a user has a password manager of preference (web based or otherwise) and there is an API for it, it would be nice if Firefox (and other Mozilla products in the future... oh how I wish to see more work on Thunderbird!) would make use of them. Right now, users of Keepass 2.x style .kdbx databases can have some degree of integration with Firefox thanks to addons, from PassIFox to the excellent KeeFox (which has a WebExtensions rewrite under the name "Kee"), allowing Firefox to sidestep the native password manager and instead record to/from Keepass databases. In order to do this, there is a need for Keepass clients to support KeepassHTTP (at minimum) or KeepassRPC (which I am led to believe is a more secure way of transmitting this info), because there's sort of a required kludge of "reaching over" the native Firefox password manager and whatnot. Lockbox should be developed in such a way as to natively support integrating with a Keepass database using multiple secure methodologies. Ideally, once the rest was handled, this would add support for Firefox Account / Sync to handle syncing an entire .kdbx database if the user wishes to do so, providing an open alternative to the kind of thing that many users do at the moment, such as uploading their database to Google Drive etc. Lockbox could also be designed to handle next-gen open source encryption seamlessly (including things like GnuPG / OpenPGP implementations), which could be useful to say... allow other Mozilla products such as Thunderbird to access ProtonMail securely - something it can't do currently.
Likewise, support for HOTP / TOTP / and the recent FidoU2F, along with custom secure PIM storage besides just plain passwords and usernames, could expand functionality.
There's a lot of potential for an enhanced PW manager with Lockbox. Firefox's current Sync'd password manager is a great feature and one of the few password managers that is both open and easy to use for people who may never have used a password manager in the past yet now find it incredibly useful; I can't tell you how often a family member has been saved from a password reset because they can go into the Firefox Options and browse through their usernames and passwords. Let's hope Lockbox keeps what's great and expands upon it.
So they knew (Score:2)
This seems to imply that Firefox's developers know that their existing password storage mechanism is inadequate yet chose not to tell users until they were well into the development cycle for a replacement.
Re: (Score:2)
Why not just use KeePassX? If your password manager is stored in your browser, that makes it harder to export cross-platform. Also, the browser is the most vulnerable program in the OS; why put all your passwords there?
Totally this.
It's common for users, especially in IT circles, to install and use multiple browsers for development, testing or even (still) backwards compatibility for ActiveX controls. Another advantage for KeePass/KeePassX is that it can integrate with all these browsers on Windows, Linux and macOS so you're keeping a single secure password store instead of potentially dozens.