Firefox Lockbox alpha by Mozilla replace built-in password manager - gHacks Tech News

Firefox Lockbox alpha by Mozilla replace built-in password manager

Mozilla revealed a new version of Lockbox today, a password manager extension for desktop versions of the Firefox web browser that replaces the built-in password manager when installed.

Mozilla calls Lockbox an experiment to "test and improve password management and online security".

Lockbox is secured with a Firefox account which offers "newer encryption" according to Mozilla. Lockbox uses AES256-GCM encryption and HMAC SHA-256 "to hash searchable data".

Lockbox for Firefox

firefox lockbox password manager

Lockbox is available as an alpha version. This means that it has several limitations right now that you need to be aware of before you install the extension.

First, there is no importing of passwords from Firefox or other password management solutions.

Second, there is no exporting of password data either, but syncing of date between different Firefox installations is supported as Firefox Sync can be used for that.

The current state of Lockbox makes it unsuitable for production environments, and that becomes true as well when you look at the functionality that is offered currently.

First thing you need to do is sign in using a Firefox account after installing the extension. You can create one if you don't have one yet.

The extension displays the core functionality after the sign in automatically in the interface.

lockbox firefox

The three core features that Lockbox supports at this time are to add login information to the extension, open all saved entries using the toolbar icon, and copy data to sign in from Firefox.

The functionality is quite limited at this point in time. There is no automatic signing in for instance, nor is there auto-filling of data in password fields.

It is necessary right now to click on the toolbar icon, and then on the site in question to copy username and password manually to paste them in to the fields on the site.

firefox lockbox interface

It is recommended that you look through the known issues of the release before you start the installation or upgrade to it.

For instance, existing data from previous Lockbox entries is removed automatically when Lockbox is updated as new security features are added in that version that the last version did not support.

Also, you may want to consider using a separate Firefox Account for Lockbox, as it is currently impossible to unlink accounts.

The team that is responsible for Lockbox plans to add features to the extension. It mentions autofilling, password generation, cloud backup, mobile support and multi-browser support.

Closing Words

Lockbox is in alpha right now, and the development team needs time to create a viable alternative to Firefox's built-in password manager. The extension should support all features of Firefox's native password manager at the very least.

Some users may also want options to save data locally without having to use a Firefox account for that.

Now You: Password management: what do you use, and why?

Summary
Firefox Lockbox alpha by Mozilla replace built-in password manager
Article Name
Firefox Lockbox alpha by Mozilla replace built-in password manager
Description
Mozilla revealed a new version of Lockbox today, a password manager extension for desktop versions of the Firefox web browser that replaces the built-in password manager when installed.
Author
Publisher
Ghacks Technology News
Logo

We need your help

Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.

We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.

If you like our content, and would like to help, please consider making a contribution:

Comments

  1. MarkCB said on December 23, 2017 at 10:39 am
    Reply

    I use Keepass, this doesn’t look at all interesting to me but I’ll keep half an eye on it. My only issue with my current password solution is the sheer number of websites that I use that seem to break auto-type functionality. It seems to be getting worse and worse. Take the 3 sites prior to ghacks I’ve visited this morning: Reddit: fails… Guardian online: fails … Washington Post: fails

    1. PeterZ said on March 5, 2018 at 11:36 am
      Reply

      We need this, BADLY!
      The current password management system is primitive (but works)..
      – must be able to export/import passwords
      – must be able to add login info manually
      – must ditch the 3DES encrypted database in favor of newer, stronger, encryption.

      I personally don’t like using tons of extensions like lastpass and etc. – the Firefox sync can do all the basic stuff we need without giving third party apps access to anything…

      I love the ability to search after a certain password and list all websites that uses-it.

  2. Rko said on December 23, 2017 at 11:06 am
    Reply

    Are you using Kee?
    https://www.kee.pm

  3. P. M. Claarke said on December 23, 2017 at 11:06 am
    Reply

    >It is necessary right now to click on the toolbar icon, and then on the site in question to copy username and password manually to paste them in to the fields on the site.

    No master password and you can access them without any further authentication, in the current state it is not even automatic yet.

    >AES256-GCM encryption and HMAC SHA-256

    This provides no added security at all. Besides addons should never be able to read the internal password storage, not even Moz official addons. The only people who are safe from password theft are those using a master password either way that encrypts the key DB / logins SQLITE.

    What is next? Addons that can change my installed NSS certs? Good job /s

    1. scorpio_green said on December 24, 2017 at 3:01 am
      Reply

      The only people who are safe from password theft are those using a master password either way that encrypts the key DB / logins SQLITE.

      True, but if they manage to hack your one master password, then they have access to everything.

      I suppose you could create a 14 – 16 character password with all the different casings and numbers and special characters, but if I’m just logging into a throwaway forum (or email address) that I could care less about, why would I care whether it’s THAT protected or not?

      Banking and personal information websites are another matter…

      1. P. M. Claarke said on December 24, 2017 at 4:53 pm
        Reply

        >Banking and personal information websites are another matter…

        Well Paypal PW and the paypal-email PW need to be stored in the brain. You would only have to give that out if threatened with a baseball bat to the face. Of course I save everything else like a normal guy. I’m just scared about financial loss.

      2. scorpiogreen said on December 25, 2017 at 1:57 am
        Reply

        Well Paypal PW and the paypal-email PW need to be stored in the brain.

        True, although I doubt most people who use password managers do.

        I’ve never set up a bank account that’s tied in with PayPal. I’d never trust them with my bank’s information.

        I do use a credit card with PayPal which is protected against fraud, but that’s as far as my PayPal use goes.

      3. M3 said on December 25, 2017 at 9:57 pm
        Reply

        If you set a Master Password in Firefox it will be “protected” with 3DES.
        – Mozilla knows exactly that 3DES can be cracked in minutes no matter how long the password is with the proper tool which is available for public use since years.

        The whole Firefox Password Database is a big joke, no one should use the built-in manager! Syncing that database is the dumbest move what you can do.

  4. crambie said on December 23, 2017 at 11:50 am
    Reply

    I had a play a time back and it was hard to tell if it will be any good, plus I wouldn’t really want something tied to one browser.

    I’m using 1password but it seems to be getting worse and worse. They removed the option to use unsigned/unapproved browsers, so no waterfox for example, and it even has trouble with signed ones fairly often (just have to look at all the support posts). I also have enpass for the times 1password doesn’t or stops working. I won’t ever use a cloud manager, there was a good article on NetworkWord why you shouldn’t.

    1. crambie said on December 23, 2017 at 12:27 pm
      Reply

      Just a note, it collects telemetry, seems to about pretty much everything you do.
      https://github.com/mozilla-lockbox/lockbox-extension/blob/master/docs/metrics.md

      1. scorpio_green said on December 24, 2017 at 3:05 am
        Reply

        At least they’re transparent about it.

        Doesn’t sound like very many good solutions out there…

  5. Harushi said on December 23, 2017 at 2:23 pm
    Reply

    I’m using Kepass and Kee Firefox addon, but since Kee moved to WebExtension, it lost the ability to call Keepass if Keepass hasn’t started. So now I have to open Keepass manually when I want to login.

  6. jupe said on December 23, 2017 at 3:00 pm
    Reply

    Copying password to clipboard? that’s totally safe.

    1. dark said on December 23, 2017 at 10:52 pm
      Reply

      Not if clipboard is cloud enabled.

      1. jupe said on December 25, 2017 at 10:00 am
        Reply

        I think you missed my sarcasm

  7. Arcionquad said on December 23, 2017 at 3:41 pm
    Reply

    I’ve used Dashlane since 2013. Works on desktop, mobile, Mac and PC. Clean interface, syncs well, no limit on number of devices.

    1. scorpio_green said on December 24, 2017 at 3:08 am
      Reply

      It’s cloud-based, isn’t it?

  8. Dave said on December 24, 2017 at 3:10 am
    Reply

    Firefox Account /facepalm

    Sometimes I feel like the star of “The Truman Show”.

  9. Clairvaux said on December 24, 2017 at 7:55 am
    Reply

    How would we know about it but for articles such as these ? How does Mozilla inform its users of such developments ?

    1. crambie said on December 24, 2017 at 1:00 pm
      Reply

      It was announced a couple of months back. Can’t remember for sure but think it was in their blog.

    2. Yule said on December 24, 2017 at 8:19 pm
      Reply

      If you paid attention, they always announce feature update in new tab after you updated. Just like what they did to Pocket and Firefox Screenshot.
      Reading the release notes every update also helps
      https://www.mozilla.org/en-US/firefox/57.0.2/releasenotes/

  10. TelV said on December 24, 2017 at 11:36 am
    Reply

    It seems a little odd to me that Martin was able to access the login screen using a disposable email address (yopmail). I was under the impression that in order to open a Firefox account, users had to have a valid email addy. But obviously not.

    Something odd happening this morning on the addons site though. The option to read user reviews about an addon is inaccessible (greyed out). I just created a brand new profile on Basilisk to test whether a config setting or an existing addon was blocking it but I still couldn’t read any user reviews on this one for example: https://addons.mozilla.org/en-US/firefox/addon/no-coin/

    1. TelV said on December 24, 2017 at 5:13 pm
      Reply

      Forget about what I wrote about addon reviews being inaccessible. Somebody pointed out to me later that the link to read them is now located on the left, not on the right.

  11. Eight Inch Floppy said on December 26, 2017 at 10:20 am
    Reply

    e-legged i-legged bowl-legged mozilla

    hahaha Episode 57.2: Unscheduled Circus Upgrades.

    People getting cut training on the effects of putting personal information into a propriatary ecosystem with no upgrade path and what it does to you mental health (shhh quiet, peace, peace), and all while experimenting with sleep deprivation (which backup disc?) and anxiety over loss/ or possible loss.

    “Never use propriatary software unless your willing to lose control and all your data” -Vintage Sysop notes 1996

  12. lock me out said on December 26, 2017 at 8:58 pm
    Reply

    LOCKNESS HAHAHA

    Mozilla CORP. is funnier than ever.

  13. KeZa said on December 27, 2017 at 12:23 pm
    Reply

    I don not trust browser safes or cloud logins to protect my passwords. I use password depot for that and it’s far from the browser or clouds… and also I use AVG safe for putting sensitive information.

    Kz from Belgium

  14. Omega said on December 31, 2017 at 2:49 pm
    Reply

    “Alternative”. No. This IS the replacement for Firefox’s current manager. They’re just developing it outside of the code base.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

Please note that your comment may not appear immediately after you post it.