Lockbox – A stand-alone password manager that works with Firefox for desktop (mozilla-lockbox.github.io)
190 points by doppp on March 26, 2018 | hide | past | favorite | 114 comments


I've recently moved from LastPass to using Pass[0] & BrowserPass[1]; it's just as convenient and allows me to manage the storing of passwords myself. All files are PGP encrypted. Storing my passwords in my self-hosted Git allows them to be checked out onto my tablet and phone for convenience as well.

[0] https://www.passwordstore.org/

[1] https://github.com/dannyvankooten/browserpass


I also use pass, it's great. For Firefox integration I use passff which has been working really great for years: https://github.com/jvenant/passff


I use passff too. It's more confusing to set up than it should be, and I just recently had an issue with the new update, but when it works it's great.


Did you move away from Lastpass for any reasons other than self-storage/management of passwords?

Anecdotally it seems like a lot of people are losing trust in Lastpass. Just curious if this describes you as well.


I'm not the user you were asking, but just as another perspective:

I've used LastPass for 7 years now. My Premium runs out next month, and I'm planning to switch away and not renew this time. Main reasons I'm switching:

* LastPass was acquired by LogMeIn. I don't know if this has had many major effects yet, but I don't trust them to be in charge of LastPass over the longer term.

* The browser extension (which is the main way to use it) has only gotten worse lately. Some of this is Firefox's fault, but not all of it. Some functions have disappeared, others have gotten harder to use, and both my wife and I have recently had it occasionally "lose" login info for new sites that we've signed up on. That may have been user error, but it never happened to either of us for years and we've both seen it in the last few months.

* They recently doubled the price of LastPass Premium.


Not GP, but I did the same thing a few years back (well, lastpass->keepass->pass/git), primarily because I was sick of using a proprietary walled garden.

The main benefit of pass, for me, is that it's literally just gpg-encrypted text files. I can access my passwords even if I do not have pass installed, as long as I have my gpg private key. Using git to sync passwords makes it even better!

The Android Password Store app (on F-Droid) is a great graphical interface to my pass files, including handling git syncs.


+1 for the Password Store app. I happen to use an Android tablet and an iPhone, and the "Pass" app on iPhone works just as well too (and includes Touch ID).


Why did you move from keepass?


Two reasons:

1) I didn't like that its approach seemed overly complicated (e.g. its database format, client apps, etc)

2) I was having a really hard time synchronizing passwords, especially if there was a sync conflict. When one happened, the entire database was a 'conflict'. There were also issues I had with the actual sync mechanism: at the time I had the database on a Seafile instance and had to enable various 'hacks' in KeePass to get it to play nicely (e.g. file locking, etc).


Yes, it was exactly because of that. It could have been any password provider; there was nothing specifically wrong with LastPass, the only reason I was using them was convenience.


There was a lot of fuss about migrating away from LastPass a while back, but I always felt there was someone behind it, wanting to create fear so people would move away from them. Maybe LastPass is actually quite good and there are interests at play who want people to move to less secure alternatives.


Same here, pass does its job and works like a charm. I haven't tried BrowserPass yet, but it's something I'll definitely look into.


I also use pass, specifically iosforpass and the command line


Can this be used for group password management ?


There's a rewrite of pass in Go[1] (because of course there is) that advertises multi user password management as a feature. It uses the same on disk format as pass, so it's compatible with all the addons and browser plugins that pass uses. It's been discussed here previously [2,3].

[1] https://www.justwatch.com/gopass/

[2] https://news.ycombinator.com/item?id=13551692

[3] https://news.ycombinator.com/item?id=15864322


Thanks!!


It is just plain-text encrypted files in a Git repo, so there's no reason why multiple people couldn't use it. I don't think there would be the ability to have segregation of folders for different people without some tweaks though.


There's already support for encrypting passwords to several keys in pass.

https://git.zx2c4.com/password-store/about/

You create a .gpg-id file in the folder with a list of key ids.


This site doesn't answer the question 'why'.

Keepass usage seems pretty widespread. Okay Keepass doesn't integrate too well into browsers. But then why not just fix Keepass?

There have been way too many products pushed out, failed utterly, and abandoned by Mozilla in the last few years. Why should I care about this one if it doesn't even tell me what it wants to do better than other products?

The text on the website reads like this is simply a POC for a new built-in password manager in firefox, is that correct? But then why standalone?


> There have been way too many products pushed out failed utterly and abandoned by mozilla in the last few years.

Have there? Off the top of my head there's Persona and Firefox OS, the latter of which Mozilla kept trying to push on with long after the rest of the world had concluded it was doomed. Meanwhile we got Rust and Focus out of Mozilla.


There was a login service before Persona IIRC. Firefox Hello. Thunderbird.

I'm sure there are more, but those come to mind immediately.


Firefox Hello stands out to me as another case of Mozilla stubbornly trying to make something work for much longer than anyone on the outside would have advised. It started as an intern project to demo WebRTC and persisted for 3 years amidst incessant predictions of its doom.

Thunderbird has received continuous development and maintenance for coming up on 15 years since its public release.


>thunderbird

Not abandoned, I'm using it, I'm happy with it, thank you very much.


It's not developed by Mozilla anymore though.

It's a community project now. So yes, it is abandoned by Mozilla.


It's more complicated than that. Mozilla is financially sponsoring Thunderbird, and helping to aid in development.

I'd love for them to do more, but I understand why local mail clients aren't a growth area.

https://blog.mozilla.org/thunderbird/2017/05/thunderbirds-fu...


1. Browsers are expected to have password management of some sort. Firefox's existing one is rather inadequate from a UX and security standpoint, as recently discussed.

2. Browsers need to be trusted and secure. If you use Firefox, you are trusting Mozilla et al. to have the policies, procedures, motivations, and expertise to create secure software that protects your privacy. If you can trust them to make your browser, you can trust them to make your password manager.

I do hope that Mozilla answers these questions directly when/before this moves out of beta.


1. Yes but that doesn't answer the standalone question.

2. I do trust Mozilla to have the technical expertise to build a secure password manager. But just because they can do it, still doesn't answer why they're doing it the way they're doing it.

I would just like to hear Mozilla's thought process that went into this. I'm sure they have reasons for all decisions, but I can't read thoughts.

Knowing their thought process would help me evaluate my prediction of this being abandon-ware in half a year.


> Browsers are expected to have password management of some sort. Firefox's existing one is rather inadequate from a UX and security standpoint, as recently discussed.

I'd like to see this discussion.

For me, I find Firefox's password manager the only one I can bother using, because it offers a good and seamless UX, right where I need it.

If they "fix" that by making it terrible like Lastpass, I honestly don't know what I'll do.


> I'd like to see this discussion.

Concerning the "security standpoint", probably this news [0] is meant. Hashing the password with SHA-1 using 1 iteration may be referred to as "inadequate".

[0] https://www.bleepingcomputer.com/news/security/firefox-maste...


Maybe if the hash were actually being stored, as in a website's accounts database, but SHA-1 is being used here to normalize a variable-length user-supplied password into a fixed-length string which can be used as the key input to an encryption function.

The article approaches this from an angle of an attacker with access to this hash bruteforcing it to obtain the original plaintext password. But as the hash is the encryption key, if an attacker were able to recover it from the encrypted password store blob, it would already be game over.

Applying a more costly hash algorithm would increase the cost of generating guessed encryption keys in a bruteforcing scenario, strengthening weak passwords somewhat. But using a single SHA-1 iteration here doesn't weaken the password security model. A strong password will remain strong.
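The trade-off this comment describes, as an added example that is not code from Firefox, the linked article, or the thread: a single SHA-1 pass over salt and password (a simplified model of the one-iteration scheme) beside a salted, iterated KDF (PBKDF2-HMAC-SHA256 is my choice for the demo; the iteration count and sample password are constructed). The measured ratio is machine-dependent, but it shows where the extra per-guess cost comes from and that the output key, not a stored hash, is what protects the blob.

```python
"""Added example: cost of one key derivation, single SHA-1 vs. iterated KDF.
Not Firefox's code; sample inputs below are constructed for the demo."""
import hashlib
import os
import time

# Constructed demo inputs; a real store uses its own salt and master password.
DEMO_PASSWORD = b"correct horse battery staple"
DEMO_SALT = os.urandom(16)
PBKDF2_ITERATIONS = 50_000  # assumed work factor for the demo, not a standard


def derive_key_sha1(password: bytes, salt: bytes) -> bytes:
    """One SHA-1 pass over salt||password: normalises a variable-length
    password into a fixed 20-byte value usable as an encryption key.
    Cheap, so each guess of a weak password costs an attacker almost nothing."""
    return hashlib.sha1(salt + password).digest()


def derive_key_pbkdf2(password: bytes, salt: bytes,
                      iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Salted, iterated PBKDF2-HMAC-SHA256: every guess must repeat all the
    iterations, which is the 'more costly hash' the comment refers to."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)


def seconds_per_derivation(fn, password: bytes, salt: bytes,
                           rounds: int = 5) -> float:
    """Average wall-clock cost of one derivation with fn (never returns 0)."""
    start = time.perf_counter()
    for _ in range(rounds):
        fn(password, salt)
    return max((time.perf_counter() - start) / rounds, 1e-9)


def work_factor_ratio(password: bytes = DEMO_PASSWORD,
                      salt: bytes = DEMO_SALT) -> float:
    """How many times more expensive one PBKDF2 guess is than one SHA-1 guess.
    A strong password stays strong either way; the ratio is what a weak
    password gains from the slower KDF."""
    fast = seconds_per_derivation(derive_key_sha1, password, salt)
    slow = seconds_per_derivation(derive_key_pbkdf2, password, salt)
    return slow / fast


if __name__ == "__main__":
    print(f"one PBKDF2 guess costs ~{work_factor_ratio():.0f}x a single SHA-1")
```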


> 1. Browsers are expected to have password management of some sort.

Having a browser component that can be asked by other browser components to pretty please fill in some secrets seems like a way to increase your attack surface. With an external password manager and no integration there's no internal API to be exploited, short of compromising the whole user, or if you have some sort of application isolation, the whole system.


I've been using KeeFox (now Kee) and I like it. It's not perfect, but it works well with KeePass. That, along with Dropbox syncing, and the app Keepass2Android make it my preferred method for password management.


KeepassXC browser integration actually works well.


The KeepassXC browser plugins do not work on many websites. It is absolutely not comparable to the quality of the 1Password plugins. Currently I am testing Enpass, which works well so far.


…if you keep KeepassXC open in the background and unlocked. Bad UX for me.


Same concern here, that's why I made LockyWindow for Keepass (original). It's a shame there isn't a way to use an interchangeable format at the OS level for macOS Keychain, Gnome Keyring, Windows crypto, etc.


And not totally clear that it's a (official?) Mozilla effort.


It’s an official Mozilla effort, given that it’s discussed as a key item in our roadmap update four days ago.


Keepass does not provide anything to sync passwords between devices which seems to be an important part of Lockbox.


If anything, I would have said that KeePass provides too many ways to sync devices...

KeePass has a feature to sync two files, and can access a variety of network storages. That's not one turn-key solution, but it covers just about everything. Meanwhile I simply store the file in my Dropbox because I don't do concurrent edits and it's slightly more convenient that way.


Yes but does it sync with Firefox browser directly on Android? I'm using Keepass2Android which is not that convenient. Direct integration in the browser like what Mozilla is doing would be better.


Agreed. Dropbox + KeepassXC has been a great combo for me.


>Dropbox

Honest question, but shouldn't pushing your KeepassXC db into Dropbox raise some red flags from a security perspective? If "somebody" gets your encrypted db, they can rainbow-table the crap out of it to unlock it.

To me it seems by using Dropbox you just add another sizeable attack surface.


To me the entire point of a password manager is to solve password reuse. I can only remember a small number of high-quality passwords. I use one of those to secure my password manager, and I consider that password good enough to be unbreakable even if stored with a simple unsalted hash (and I know KeePass does much better).

I would be comfortable hosting my password file publicly. Any benefits from Dropbox authentication are just defense in depth (and privacy benefits).


They can't. Keepass uses a Salt (and Nonce) for the key derivation. Modern settings also include Argon2 (which I have enabled for my DB), which excludes everything but CPUs from efficient cracking.

The DB is to some extent expected to be eventually obtained by an attacker. As long as your master password is nice and long, they "can't do shit" for a long long long while.


True, and SQRL has a similar weakness. Keepass does offer some choice in rounds and algorithm. So that can offer some protection.


I don't see how Dropbox is related to rainbow tables - presumably KeepassX uses a salt.


What? Just look up Keepass2Android etc.


I use KeePassXC [1] with Syncthing [2] to synchronize my passwords between machines.

[1] : https://keepassxc.org/

[2] : https://syncthing.net/


I use a similar combo (KeepassX + Keepass Touch with Dropbox to sync), and frankly it's a pain. There is no support at all in KeepassX for Dropbox or other sync methods, and they're not interested in providing it either, stating that a few triggers to auto-synchronise is a viable solution.

Until an open source project takes multi device seriously, they don’t get mainstream adoption.


Have a look at Password Safe. It has an Android version as well as a Windows version (and Linux I think). The Android version has PasswordSafe Synch, which allows it to automatically synchronise your password vault when hosted on a variety of online storage solutions including Dropbox and Google Drive. Plus the Android version has a custom keyboard for entering user name, password, etc... without having to copy/paste.


I don't understand what "Dropbox support" is. Dropbox will sync any file.


Dropbox syncs files blindly, but if keepassX has the file open, and it changes, keepass will generate a conflict file, and not notify you in any way.

Their recommended approach to syncing a database is [0]. It’s really counterintuitive, and not trivial, and interacts badly with other features (auto save on change for example).

[0] https://keepass.info/help/kb/trigger_examples.html#dbsync


I'd guess merge support in case of conflict and web GUI access.


No, keepass’s recommended approach is a total PITA to set up, and completely non-intuitive [0].

[0] https://keepass.info/help/kb/trigger_examples.html#dbsync


Love KeepassXC and have been using Keepass2Android for mobile.

I'm using Google Drive for syncing because on Android it allows me to add a shortcut to the file on my home screen. I've never tried syncthing before and just looking into it now, I love that it's open source, not cloud-based, and not using a proprietary protocol.

I'm watching this video[0] overview of it right now that seems to be going pretty in-depth.

[0] https://www.youtube.com/watch?v=ycVM5pdH3xg


This is what I do. It is awesomely simple. And works on mobile phones and all computers.


Very pleasant and refreshing to see some activity on the OSS front here. I believe Mozilla would have the resources to bring this to a success. Although naivety aside - I think it'll take years to only slightly catch up with the comfort and usability 1Password already provides. While it's not OSS it is still the benchmark to beat in terms of usability and integration.

Good luck Mozilla!


Pass[0] is pretty great. GPG encrypted and synced with Git. There is a great cross-browser extension called browserpass[1]. I have mine tied to my YubiKey, so it needs a physical device to decrypt my passwords.

[0] https://www.passwordstore.org/

[1] https://github.com/dannyvankooten/browserpass#readme


Doesn't saving each password to its own individual file make it more breakable than saving everything together in one file? I presume they're all using the same secret at some level. There's no FAQ on their site.


Thanks, I've already considered switching to Pass once but don't remember what stopped me. May reconsider it again when I have time during my holidays.


Bitwarden is open source and IMO a very good alternative to LastPass and 1password.


The client did not convince me compared to 1Password. And then you either use their cloud or need to host a .NET container yourself, which was a no-go for me. Then I can also stay with 1PW. But a matter of taste of course in the end...


Fwiw, because of bitwarden's openness, there's also:

https://github.com/jcs/bitwarden-ruby


There is the ruby version, that others mentioned and there is also the go implementation: https://github.com/VictorNine/bitwarden-go


You might find https://github.com/jcs/bitwarden-ruby an interesting hosting alternative, FWIW.


Installed it from the website, logged-in with my Firefox account and got redirected to allizom.org ("Mozilla" spelled backwards!) which has an untrusted certificate. Not a great first experience :(


What Firefox version are you running? This sounds like Firefox bug 1411646, which should have been fixed in Firefox 58:

https://bugzilla.mozilla.org/show_bug.cgi?id=1411646


I'm on 59.0.1 (64-bit) for Ubuntu Artful (from the official repos). This is quite an odd bug, thanks for the link (and the link from the sibling comment). I'll keep an eye on the bug reports :)


Hmmm, it may also be a symptom of something similar we've seen intermittently here: https://bugzilla.mozilla.org/show_bug.cgi?id=1424397


I saw this a couple of days ago with the Mozilla roadmap. But I have been wondering about a few things.

1. Why Firefox only?

2. Why is encryption limited to a Firefox account?

Such lock-in with Firefox doesn't make sense to me with Mozilla's vision. If it's due to this still being an experiment that would make sense, but that should be made clear I think.


Making it a standard requires a lot of work. Not doing so gives Firefox an edge against other browsers.

So if you are resource constrained, testing a product, and an underdog again, I understand the idea.

But my guess is they will make it more generic and open later, Mozilla being Mozilla.


Mozilla is developing a native iOS app that will eventually sync Lockbox passwords with your browser. The iOS code is here:

https://github.com/mozilla-lockbox/lockbox-ios


On the website it's explicitly stated to be a test without disturbing people using "Saved Logins". I suspect Lockbox will replace those in the future...


Hmm, I read that. And I was wondering if that meant they'd open it up in future.

Now I'm wondering if this is essentially doing the coding outside the core Firefox project with the later plan to just integrate it fully into the browser. Almost like an experimental-build kind of workflow. I guess that kinda makes sense.


Why doesn't mozilla use the KeePass KDBX (4?)[0] format to store the passwords? KeePass is already in use by many including myself and is compatible with a massive ecosystem of software (lots of clients on different platforms [1]).

The only problem they might have is that they want to use the password from one's Firefox account to encrypt the DB, although surely that integration could be worked out somehow?

What would be the downsides of this approach?

[0]: https://keepass.info/help/kb/kdbx_4.html

[1]: https://keepass.info/download.html


Please take note of the “experimental” label on this open source repository, which is posted to HN every few weeks. Previously:

https://news.ycombinator.com/item?id=15992762

https://news.ycombinator.com/item?id=15997239

https://news.ycombinator.com/item?id=15832879

https://news.ycombinator.com/item?id=15596740


I didn't know what Mozilla Lockbox was, but I found this[0] which might help others.

[0] - https://mozilla-lockbox.github.io/lockbox-extension/


This looks interesting to finally replace the outdated Firefox password manager. It is especially important as it was recently shown that the protection by the "master password" does not meet modern security standards.

But what exactly is "stand-alone" supposed to mean in this context? At the moment it is distributed as a Firefox extension that replaces the Firefox password manager. This seems like the opposite of "stand-alone" to me, as you cannot use it without Firefox.


> The Lockbox extension is a simple, stand-alone password manager that works with Firefox for desktop

So it's stand-alone, but I need Firefox to use it?


I think they mean that it isn't baked in to Firefox. But I agree that that's a weird choice of wording.


Does this offer any password-sharing features? Can you share some passwords with other Mozilla/Firefox accounts?


Not yet. Lockbox's stored passwords will be integrated with Firefox Accounts sync before it is released.


Remember kids, don't trust anyone with your passwords, not even Mozilla.

That said, I enjoyed having a look at Mozilla's internal project management tool for this extension, https://waffle.io/mozilla-lockbox/lockbox-extension

I wish I could have the same kind of look into other companies' projects.


“Don’t trust anyone” is a bit strong, and probably counterproductive. Be careful whom you trust is better.


Doesn’t client-side encryption effectively suppress the need to trust a third-party?

Edit: I wasn't referring to this specific case, where encryption is done with the code sent by a server.


You've still got to trust the software doing the encryption, and the other software on your machine that might be able to interact with the software doing the encryption (e.g., browser and other browser add-ons, particularly when using a browser-based client side encryption scheme).


And the hardware - the keyboard, the processor, etc. And the environment - your colleagues, any cameras. In the end, you have to give some trust to some people.


In this case, the software is open source, so the software can be evaluated.


> In this case, the software is open source, so the software can be evaluated.

You enter your password on a page Mozilla serve[0]; they can change the source of that page at any time, and for a single user. They could for example, send your password in the clear back to their servers if they wished.

0: https://www.mozilla.org/en-US/firefox/accounts/


All of this seems to be very alpha, but it's described as a standalone password manager and as far as I skimmed the docs, the firefox account doesn't necessarily seem to be a requirement. It might be something the extension requires, though.


Ah, good point — I was thinking of the issues with Firefox Sync.


Who is providing the encryption? If it's the same third party, there is a trust needed there.


Mozilla's client-side encryption uses a key which is itself encrypted with your Firefox Account password — and Mozilla serve you the JavaScript used to log into your account, so they can steal your password whenever you log in using your web browser.

Their old password-storage system really was secure, but they end-of-lifed it.


Can you trust the client side encryption?


Don't trust anyone: even the people with whom you are attempting to verify your identity using a password.


If you're using their browser, you're already trusting them with the password for every website you log in to.


Technically, yes, you're right.

But in practice, the higher the visibility of the code you're relying on, the more likely it is that other people have caught something fishy. And POST is higher visibility than lockbox. This is also the reason why even though I trust Mozilla very much, I don't use Sync. It's lower visibility than the vanilla stuff.

Also, attack surface.


That's a much more nuanced point than "don't trust anyone with your passwords." I agree with your reasoning, but that doesn't mean you shouldn't ever trust a password manager. It just means that you should have a high standard for when you should trust one.

Not having a password manager opens up attack surfaces as well. Having a password manager integrated into my browser has prevented me from typing my password into a lookalike site from a different domain. It also means I don't use the same password for any two sites, and the password I use for each site is much stronger than it would otherwise be. There's the potential for the password manager to get compromised, but the benefits seem to outweigh that for now.


So... Did this initiative appear because it came out that Firefox was using an ancient and astoundingly insecure practice for its prior password storage product?

Given Firefox was only 2 years ago so insecure it wasn't even a valid target for most browser pwn competitions, and just in this year we find out important code is still held over from those days, I'm not sure why anyone should trust Firefox.


This is not a brand new project. The first Lockbox alpha release was back in September 2017:

https://github.com/mozilla-lockbox/lockbox-extension/release...


Seems a bit late to get in the password-manager business, where you have plenty of incumbents (1Password, LastPass, Bitwarden, KeePass...) offering a plethora of features. The Mozilla audience likely overlaps most of the target demographic for such products already, and persuading people to switch will be very hard.

It could make sense if Mozilla were to develop a standard interface for all password managers, so I could swap implementations under the hood without having to deal with their (occasionally half-baked) extensions.

But I guess this is just a Big Rewrite of the venerable utility we've been using since the dawn of Moz.


Not necessarily. I’ve been a LastPass user in the past but quit after some event I can’t even remember; I just remember I am not going back.

Lockbox being open source and integrating nicely with Firefox and Firefox Accounts makes me want to use it.

I am the target audience of Lockbox.

One day I will run my own Firefox Accounts server. For now I use the one that Mozilla is running.

https://mozilla-services.readthedocs.io/en/latest/howtos/run...


> I’ve been a LastPass user in the past but quit after some event I can’t even remember

The 2015 security breach?


Yeah probably


I'm in the market for this. There are few usable password managers that reliably work on Linux, Windows and macOS equally well. I'm currently moderately happy with pass, but the colleagues I need to share passwords with are not CLI fans as I am. 1Password doesn't support Linux except in the web-based versions and I don't want that. Every time I need to touch Keepass I'd like to burn it. Haven't tried Bitwarden yet.

I'd love an open-source password manager with a modern ui and local storage.


Bitwarden is open source and you can roll your own server


Try enpass. Easy to use, good sync, cross platform (including linux).

https://www.enpass.io/


Enpass looks wonderful. Lastpass used to export .csv, but now is only exporting in .html. Enpass imports only the older Lastpass .csv format. I may have to manually enter 280 websites, and 100 lines of secure notes. :( .... I will if I have to.


This is my 3rd year of LastPass, with auto-renewal in July, $24/yr. after $12/yr. for the last (LastPass) 2 years. Twice as much for something that still works stellarly. Mmmm..., might still be worth it. In the meantime I'd like to try out Enpass as an alternative. If it works as well as LP, I might as well save $15/yr. with Enpass, being as I'll purchase an Android Enpass app for $9.99/yr.


https://keeweb.info/ is based on Keepass. Looks a bit more modern.


Tried KeePassXC or just old KeePass?


When Dropbox launched, we already had a lot of file-sync options. It is not too late to add value in the password management business, and Mozilla is trusted.


Agree, especially with so many of the other options being proprietary.

