Firefox Lockbox alpha by Mozilla replaces built-in password manager
Mozilla unveiled a new version of Lockbox today, a password manager extension for desktop versions of the Firefox web browser that replaces the built-in password manager when installed.
Mozilla calls Lockbox an experiment to "test and improve password management and online security".
Lockbox is secured with a Firefox account which offers "newer encryption" according to Mozilla. Lockbox uses AES256-GCM encryption and HMAC SHA-256 "to hash searchable data".
Update: Lockbox has been renamed to Lockwise. It is now also available for Google Android and Apple iOS devices.
Lockbox for Firefox
Lockbox is available as an alpha version. This means that it has several limitations right now that you need to be aware of before you install the extension.
First, there is no importing of passwords from Firefox or other password management solutions.
Second, there is no exporting of password data either, but syncing of data between different Firefox installations is supported, as Firefox Sync can be used for that.
The current state of Lockbox makes it unsuitable for production environments, and that impression is reinforced when you look at the functionality that is currently offered.
First thing you need to do is sign in using a Firefox account after installing the extension. You can create one if you don't have one yet.
The extension displays its core functionality in the interface automatically after you sign in.
The three core features that Lockbox supports at this time are to add login information to the extension, open all saved entries using the toolbar icon, and copy data to sign in from Firefox.
The functionality is quite limited at this point in time. There is no automatic signing in for instance, nor is there auto-filling of data in password fields.
It is necessary right now to click on the toolbar icon, and then on the site in question, to copy username and password manually and paste them into the fields on the site.
It is recommended that you look through the known issues of the release before you start the installation or upgrade to it.
For instance, existing data from previous Lockbox entries is removed automatically when Lockbox is updated, as the new version adds security features that the last version did not support.
Also, you may want to consider using a separate Firefox Account for Lockbox, as it is currently impossible to unlink accounts.
The team that is responsible for Lockbox plans to add features to the extension. It mentions autofilling, password generation, cloud backup, mobile support and multi-browser support.
Closing Words
Lockbox is in alpha right now, and the development team needs time to create a viable alternative to Firefox's built-in password manager. The extension should support all features of Firefox's native password manager at the very least.
Some users may also want options to save data locally without having to use a Firefox account for that.
Now You: Password management: what do you use, and why?
“Alternative”. No. This IS the replacement for Firefox’s current manager. They’re just developing it outside of the code base.
I do not trust browser safes or cloud logins to protect my passwords. I use password depot for that and it’s far from the browser or clouds… and also I use AVG safe for putting sensitive information.
Kz from Belgium
LOCKNESS HAHAHA
Mozilla CORP. is funnier than ever.
e-legged i-legged bowl-legged mozilla
hahaha Episode 57.2: Unscheduled Circus Upgrades.
People getting cut training on the effects of putting personal information into a proprietary ecosystem with no upgrade path and what it does to your mental health (shhh quiet, peace, peace), and all while experimenting with sleep deprivation (which backup disc?) and anxiety over loss/ or possible loss.
“Never use proprietary software unless you’re willing to lose control and all your data” -Vintage Sysop notes 1996
It seems a little odd to me that Martin was able to access the login screen using a disposable email address (yopmail). I was under the impression that in order to open a Firefox account, users had to have a valid email addy. But obviously not.
Something odd happening this morning on the addons site though. The option to read user reviews about an addon is inaccessible (greyed out). I just created a brand new profile on Basilisk to test whether a config setting or an existing addon was blocking it but I still couldn’t read any user reviews on this one for example: https://addons.mozilla.org/en-US/firefox/addon/no-coin/
Forget about what I wrote about addon reviews being inaccessible. Somebody pointed out to me later that the link to read them is now located on the left, not on the right.
How would we know about it but for articles such as these? How does Mozilla inform its users of such developments?
If you paid attention, they always announce feature updates in a new tab after you update. Just like what they did with Pocket and Firefox Screenshot.
Reading the release notes every update also helps
https://www.mozilla.org/en-US/firefox/57.0.2/releasenotes/
It was announced a couple of months back. Can’t remember for sure but think it was in their blog.
Firefox Account /facepalm
Sometimes I feel like the star of “The Truman Show”.
I’ve used Dashlane since 2013. Works on desktop, mobile, Mac and PC. Clean interface, syncs well, no limit on number of devices.
It’s cloud-based, isn’t it?
Copying password to clipboard? That’s totally safe.
Not if clipboard is cloud enabled.
I think you missed my sarcasm
I’m using Keepass and Kee Firefox addon, but since Kee moved to WebExtension, it lost the ability to call Keepass if Keepass hasn’t started. So now I have to open Keepass manually when I want to login.
I had a play a time back and it was hard to tell if it will be any good, plus I wouldn’t really want something tied to one browser.
I’m using 1password but it seems to be getting worse and worse. They removed the option to use unsigned/unapproved browsers, so no waterfox for example, and it even has trouble with signed ones fairly often (just have to look at all the support posts). I also have enpass for the times 1password doesn’t or stops working. I won’t ever use a cloud manager, there was a good article on NetworkWorld why you shouldn’t.
Just a note, it collects telemetry, seems to be about pretty much everything you do.
https://github.com/mozilla-lockbox/lockbox-extension/blob/master/docs/metrics.md
At least they’re transparent about it.
Doesn’t sound like very many good solutions out there…
>It is necessary right now to click on the toolbar icon, and then on the site in question to copy username and password manually to paste them in to the fields on the site.
No master password and you can access them without any further authentication, in the current state it is not even automatic yet.
>AES256-GCM encryption and HMAC SHA-256
This provides no added security at all. Besides addons should never be able to read the internal password storage, not even Moz official addons. The only people who are safe from password theft are those using a master password either way that encrypts the key DB / logins SQLITE.
What is next? Addons that can change my installed NSS certs? Good job /s
>The only people who are safe from password theft are those using a master password either way that encrypts the key DB / logins SQLITE.
True, but if they manage to hack your one master password, then they have access to everything.
I suppose you could create a 14 – 16 character password with all the different casings and numbers and special characters, but if I’m just logging into a throwaway forum (or email address) that I could care less about, why would I care whether it’s THAT protected or not?
Banking and personal information websites are another matter…
If you set a Master Password in Firefox it will be “protected” with 3DES.
– Mozilla knows exactly that 3DES can be cracked in minutes no matter how long the password is with the proper tool, which has been available for public use for years.
The whole Firefox Password Database is a big joke, no one should use the built-in manager! Syncing that database is the dumbest move you can make.
>Well Paypal PW and the paypal-email PW need to be stored in the brain.
True, although I doubt most people who use password managers do.
I’ve never set up a bank account that’s tied in with PayPal. I’d never trust them with my bank’s information.
I do use a credit card with PayPal which is protected against fraud, but that’s as far as my PayPal use goes.
>Banking and personal information websites are another matter…
Well Paypal PW and the paypal-email PW need to be stored in the brain. You would only have to give that out if threatened with a baseball bat to the face. Of course I save everything else like a normal guy. I’m just scared about financial loss.
Are you using Kee?
https://www.kee.pm
I use Keepass, this doesn’t look at all interesting to me but I’ll keep half an eye on it. My only issue with my current password solution is the sheer number of websites that I use that seem to break auto-type functionality. It seems to be getting worse and worse. Take the 3 sites prior to ghacks I’ve visited this morning: Reddit: fails… Guardian online: fails … Washington Post: fails
We need this, BADLY!
The current password management system is primitive (but works)..
– must be able to export/import passwords
– must be able to add login info manually
– must ditch the 3DES encrypted database in favor of newer, stronger, encryption.
I personally don’t like using tons of extensions like lastpass and etc. – the Firefox sync can do all the basic stuff we need without giving third party apps access to anything…
I love the ability to search for a certain password and list all websites that use it.