Firefox To Get a Better Password Manager (bleepingcomputer.com)

Catalin Cimpanu, reporting for BleepingComputer: Mozilla engineers have started work on a project named Lockbox that they describe as "a work-in-progress extension [...] to improve upon Firefox's built-in password management." Mozilla released the new extension for employee use only at first, but users can install it by going to this or this link. Lockbox revamps Firefox's antiquated password management utility with a new user interface (UI). A new Firefox UI button is also included, in case users want to add a shortcut in their browser's main interface to open Lockbox without going through all the menu options. Support for a master password is included, helping users secure their passwords from unauthorized access by co-workers, family members, or others.
  • by hackertourist ( 2202674 ) on Monday October 30, 2017 @10:12AM (#55457147)

    In the old PW manager, when you click the 'Show Passwords' button, Firefox opens the thoroughly useless dialog "Are you sure you want to show your passwords?"

    Confirmations should be reserved for irreversible actions only, and should offer a way to stop the dialog from appearing.

    • by queazocotal ( 915608 ) on Monday October 30, 2017 @10:17AM (#55457177)
      Showing your passwords on screen is an irreversible action if someone is watching your screen, or recording it.
      • if someone is watching your screen

        Irreversible actions here are based on a system level not based on someone looking over your screen. It is reversible in that you can quickly close the window and get right back to where you were with no change at all on your system.

        Now I'm going to click preview, re-read what I wrote, and then confirm my post because Slashdot doesn't let me edit or delete.

        • And this is why UI designers that do not think about guidelines needing to be flexible need to be punched in the face really hard.

          Exceptions occur, and choosing to justify default by 'global spec says so' rather than thinking about the actual use-case and doing it differently because it's better for users is not a good thing.
      • Then the dialog should at least indicate that. As it stands now it is more likely to generate the reaction, "well duh, of course I want to see my passwords. That's why I clicked the button marked 'show passwords', damn it."

    • by rjune ( 123157 )

      I have a master password set. Firefox requires it to be entered to show passwords. I consider that to be a good security measure.

      • Requiring a password and requiring confirmation for an action that has no lasting effect are not the same thing.

    • The UI is the least of their problems, the big issue is the security architecture. If I compromise a tab that's displaying Slashdot, I should be able to get access to the password for Slashdot (maybe), but definitely not for any other site. With Firefox, the password manager runs in the same address space as all of the tabs and has all of your passwords in memory. A single libpng or libjpg arbitrary code execution vulnerability and a malicious image can expose all of your passwords to an attacker. A sin
    • Why should a Firefox user want a separate password manager only for the browser, not integrated with the password manager they already have as part of the OS (for those systems that already have password managers)?

      I could see a separate password manager for systems that don't have one, but not integrating with any system (even free systems) ever? I see how reinventing the wheel might be easier for Firefox developers, but how about in terms of what's in the best interest of the user (which, I'm guessing, doe

  • by LostOne ( 51301 ) on Monday October 30, 2017 @10:18AM (#55457187) Homepage

    I seem to have been using a master password with Firefox's password manager thing for ages so unless I'm delusional, that's not new functionality. Why is the existence of a semi-functional (can't be reset currently) master password on this "lockbox" thing even an important development? Does it protect something the existing implementation doesn't? Indeed, why do I even need an "improved" password manager when the existing one actually works? (Well, a UI button would be nice on occasion, sure, but that seems a fairly trivial thing to add and wouldn't need any fancy beta/alpha development phase.)

    • by rjune ( 123157 ) on Monday October 30, 2017 @11:53AM (#55457617)

      You are correct, what is described here is not new. What would be useful is being able to sync your passwords on different computers while using a master password. As it now stands, you have to select one feature or the other. That question was not addressed in the linked article.

      • It would be nice to have some added security with data sitting on a cloud provider, so someone who grabs the password database can't just brute-force a password. With some password managers, one can have a sync password that is different from the one used to access the DB, so one can have a 64 character password for that, and a shorter one for access on the local machine. Other password managers require endpoints to be "introduced", and store the database encrypted, with the master key to the DB encrypted

      • by Anonymous Coward

        You can use the master password and firefox password sync feature. I do so without any issue between multiple browsers and operating systems.

        To be clear, the password sync feature protects which clients are allowed to push or pull passwords over an encrypted medium.
        The master password feature protects whether the passwords are stored locally encrypted or not and if a password must be entered to use a password.

        Each browser uses the same email address/password to access sync feature.
        Each browser uses differen

      • by ftobin ( 48814 )

        I've been using synced passwords with a master password for 10+ years now, if not longer. Why do you suggest it's not supported?

    • by Kkloe ( 2751395 )
      I have also been using the master password in combination with "saved password editor"; why have a UI button to clog more stuff in the bar rather than have it in the menu as this does?
      https://addons.mozilla.org/en-... [mozilla.org]
  • by Anonymous Coward

    Now I see the problem with Mozilla. They hire engineers instead of software developers.

    It's good that they don't hire programmers, but really they need software developers and not engineers.

  • I'd rather see some sort of Password API that would allow LastPass or Dashlane to be the backend (or front end) for Firefox's password cache. The existing functionality of these systems is OK but kind of hackworthy.

    If I generate a password in LastPass, there's only a 30% chance LastPass will actually store that password - it gets confused very easily and suddenly you have a website that has a password that you don't have any more. (My workflow lately is to open a text editor, generate the password, copy it, pa

    • Keepass integration with PassIFox on Firefox works great, but I see it's not for everyone. I prefer to keep my passwords file offline and synchronize it with my own means among devices.
    • I can see the (different) security implications of either a front-end or back-end hook, so I'm not sure if Mozilla would ever implement such a scheme, but some way of integrating third-party password managers in a better way would be nice.

      Firefox on OS X (aka macOS) has worked this way for years - it ties into the built-in encrypted keychain. It started out as a plugin, but IIRC it's now part of the core (I stopped using Firefox a few years ago, so it's possible I'm remembering incorrectly).

      So it would seem the hooks are already present - it's just a question whether they're written in an extensible way, or if it's a horrible kludge written specifically for the OS X Keychain.

  • It would be amazing if Firefox's password manager could be used by the new Auto-Fill API on Android so I can use a service I can trust instead of a commercial service like LastPass...

  • >> Lockbox

    Somewhere Al Gore is pissed

    (See 9:00 - end)
  • by CHK6 ( 583097 ) on Monday October 30, 2017 @12:00PM (#55457645)
    Being a Firefox daily web driver, I am always glad to see new improvements to existing features. Given the toss up third party trust between LastPass and Firefox, I'd go with the Firefox team. If this extension works with Yubikey, I'm 100% in.
  • by RanceJustice ( 2028040 ) on Monday October 30, 2017 @12:03PM (#55457653)

    While Firefox has a good core password management application, it does need to be refreshed with more than just a new UI. They should keep some of the main features of course, such as bringing back Sync integration for Lockbox; I'm sure that will come in time. However, they can do so much better and go much farther with a new project like Lockbox.

    Assuming they bring back all of the current (as of Firefox 57) features of the default password manager including Sync support natively, it's time to start with true improvements. For instance, I use what is now a Legacy addon called Password Exporter - https://addons.mozilla.org/en-... [mozilla.org] - to import or export into standard .xml or .csv files. This should be a native feature of Firefox's new "Lockbox", especially as it is one of the many extensions that at the moment will no longer work at 57, because there is no proper API under WebExtensions to replicate how/what it does! Native support should be better, plus they should also add full encryption of the database as well as obfuscation options.

    This brings me to the really big feature I'd like to see in Lockbox - full integration with other password managers and their APIs, from LastPass and Dashlane that are common but insecure, to SpiderOak's Encryptr, to one of my personal favorites and ideal targets - Keepass (latest gen databases from both Keepass 2.x and KeepassXC etc). I'll focus on Keepass in the discussion from here on, but if a user has a password manager of preference - web based or otherwise - and there is an API for it, it would be nice if Firefox (and other Mozilla products in the future...oh how I wish to see more work on Thunderbird!) would make use of them. Right now, users of Keepass 2.x style .kdbx databases can have some degree of integration with Firefox thanks to addons, from PassIFox to the excellent KeeFox (which has a WebExtensions rewrite under the name "Kee"), allowing Firefox to sidestep the native password manager and instead record to/from Keepass databases. In order to do this, there is need for Keepass clients to support KeepassHTTP (at minimum) or KeepassRPC (which I am led to believe is a more secure way of transmitting this info), because there's sort of a required kludge of "reaching over" the native Firefox password manager and whatnot. Lockbox should be developed in such a way as to natively support integrating with a Keepass database using multiple secure methodologies. Ideally, once the rest was handled, this would add support for Firefox Account / Sync to handle syncing an entire .kdbx database if the user wishes to do so, providing an open alternative to the kind of thing that many users do at the moment, such as uploading their database to Google Drive etc. Lockbox could also be designed with handling next-gen open source encryption seamlessly (including things like GnuPG / OpenPGP implementations) which could be useful to say... allow other Mozilla products such as Thunderbird to access ProtonMail securely - something it can't do currently. 
    Likewise, support for HOTP / TOTP and the recent FidoU2F, along with custom secure PIM storage besides just plain passwords and usernames, could expand functionality.

    There's a lot of potential for an enhanced PW manager with Lockbox. Firefox's current Sync'd password manager is a great feature and one of the few password managers that is both open and easy to use for people who may never have used a password manager in the past yet now find it incredibly useful; I can't tell you how often a family member has been saved from a password reset because they can go into the Firefox Options and browse through their usernames and passwords. Let's hope Lockbox keeps what's great and expands upon it.

  • This seems to imply that Firefox's developers know that their existing password storage mechanism is inadequate yet chose not to tell users until they were well into the development cycle for a replacement.
