I store all of my passwords in Firefox’s built-in password manager. They auto-fill into websites, sync to my phone, notify me if one appears publicly, and I can generate strong new passwords conveniently. The pw vault is stored encrypted in the cloud as far as I know, but I don’t really know the technical details. I presume that it’s just as secure as using a “proper” manager.

Is there a problem with not using a dedicated password manager? I used to use LastPass but then… I stopped. And at the time I didn’t see anything wrong with just sticking with FF.

Using Firefox is fine right? If so, what’s the benefit of something like BitWarden/etc over the built-in one?

  • HubertManne@piefed.social · +2 · 3 hours ago

    I know the browser managers were trump at one point. Not encrypted and such. Bad practices. It might have gotten better but I never got used to using them.

  • BladeFederation@piefed.social · +2 · 3 hours ago

    Yes. Running it in browser is far better than not using one at all. But third party is significantly safer, since your browser is trusted with a LOT already.

  • yesman@lemmy.world · +1 · 2 hours ago

    Browser integration with password managers is overrated. It’s a lot of trouble, breaks all the time, and has security issues. Plus you’re trusting your logins to a third party which makes me sad.

    I use a vanilla encrypted DB (KeePass) and just save the logins manually and copy/paste to log in. It’s not that hard.

  • sem@piefed.blahaj.zone · +1 · 3 hours ago

    I stopped using ff’s password manager because they stopped developing it while the other companies kept adding features.

    The main feature for me that it was missing was more fillable fields for each entry.

  • Quacksalber@sh.itjust.works · +33 · 9 hours ago

    Your browser constantly runs 3rd party code and through its sheer complexity has a big attack surface. Password stealers regularly use flaws or social engineering to steal browser passwords. It is simply safer to use an application whose only function is to store passwords securely.

    • Dave@lemmy.nz · +3 · 4 hours ago

      Does this extend to also not using browser extensions for password managers?

      • renormalizer@feddit.org · +3 · 2 hours ago

        At least you’re limiting exposure with managers like KeePassXC. The manager runs in a separate process and communicates with the extension via a local connection. You have to approve every password given out by the manager. So a malicious actor can’t just ask for every password under the sun. They could still read the contents of the password field once the extension has filled it if they manage to circumvent the restrictions set by the browser. But that’s no different from when you enter the password manually.

        • Dave@lemmy.nz · +3 · 2 hours ago

          Accessing every password would require a breach of the browser or the extension, right? Because the extension will only fill passwords with a matching URL, so the browser must be compromised to provide the wrong URL, or the extension compromised to accept a wrong URL? I am not sure how separating the extension and the manager helps with this?

          • renormalizer@feddit.org · +3 · 15 minutes ago

            To get every password, you’d have to exploit the password manager process itself. The manager asks you to approve every single password it hands out and you would know something is wrong if the extension starts asking for lots of passwords.

            The separation keeps the memory where the passwords are stored away from the browser. No malicious code executing inside the browser can access it. Also, the protocol between the extension and the manager can be really simple and (hopefully) easy to get right without making exploitable mistakes.

            It’s the Swiss cheese principle. The attacker has to break out of the website sandbox, get into the extension to copy the secret keys that are needed to impersonate the extension in the connection to the password manager, and exploit the password manager through that connection in order to get to the passwords. If any step fails (the holes in the cheese slices don’t align), the attack doesn’t get through.

      • Quacksalber@sh.itjust.works · +3 · edited · 2 hours ago

        Depends on the extension. If it auto-fills without interaction or caches credentials, it can be tricked into auto-filling credentials. Extensions like the one for KeePassXC only auto-fill after you clicked on the auto-fill icon.

        • Dave@lemmy.nz · +1 · 2 hours ago

          Interestingly, auto-filling can also be more secure than just typing in your credentials, because the extensions will only fill if the site URL matches, whereas people can be tricked into thinking they are on a different site.
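
An added example (not code from this thread, and not the real keepassxc-browser wire protocol) modelling the layering renormalizer describes and the URL-matching point Dave makes: the manager process only answers a client that was associated earlier, only returns entries whose origin matches the page exactly, and prompts before anything is handed out. It also contrasts exact-origin matching with the substring matching that a lookalike host defeats. Request authentication is simplified to an HMAC under a key shared at pairing time, and the vault contents are constructed sample data; class and function names are assumptions.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlsplit

# Constructed sample vault, not real credentials: entry URL -> (login, password)
VAULT = {
    "https://accounts.example.com/login": ("alice", "correct horse battery staple"),
    "https://bank.example.org/": ("alice", "Nine-lizards-eat-pie-7"),
}


def origin(url: str) -> tuple:
    """Reduce a URL to (scheme, host, port): the browser's notion of origin."""
    p = urlsplit(url)
    host = (p.hostname or "").lower().rstrip(".")
    port = p.port or {"https": 443, "http": 80}.get(p.scheme)
    return (p.scheme, host, port)


def naive_match(entry_url: str, page_url: str) -> bool:
    """The mistake to avoid: a substring test on the host. 'accounts.example.com'
    is contained in 'accounts.example.com.evil.net', so a lookalike site would be
    offered the real credentials."""
    return origin(entry_url)[1] in origin(page_url)[1]


def strict_match(entry_url: str, page_url: str) -> bool:
    """Exact origin comparison: scheme, host and port must all agree, so an
    http:// downgrade or a lookalike host gets nothing."""
    return origin(entry_url) == origin(page_url)


class Manager:
    """Stands in for the separate password-manager process."""

    def __init__(self, vault: dict, approve):
        self._vault = vault
        self._approve = approve      # the user-facing prompt, modelled as a callback
        self._clients = {}           # client_id -> key shared with an associated extension

    def associate(self) -> tuple:
        """One-time pairing, like approving a new browser in the manager's UI.
        The extension keeps the key; a web page never sees it."""
        client_id, key = secrets.token_hex(8), secrets.token_bytes(32)
        self._clients[client_id] = key
        return client_id, key

    def get_logins(self, client_id: str, page_url: str, tag: bytes) -> list:
        key = self._clients.get(client_id)
        if key is None:
            raise PermissionError("unknown client")
        expected = hmac.new(key, page_url.encode(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, tag):
            raise PermissionError("request was not made by the associated extension")
        hits = [(u, login, pw) for u, (login, pw) in self._vault.items()
                if strict_match(u, page_url)]
        if not hits:
            return []                # nothing matches: nothing to leak, no prompt
        if not self._approve(client_id, page_url, [u for u, _, _ in hits]):
            return []                # user declined the hand-out
        return [{"login": login, "password": pw} for _, login, pw in hits]


class Extension:
    """Stands in for the browser extension: holds the client key and
    authenticates every request with it."""

    def __init__(self, manager: Manager):
        self._manager = manager
        self._client_id, self._key = manager.associate()

    def fill(self, page_url: str) -> list:
        tag = hmac.new(self._key, page_url.encode(), hashlib.sha256).digest()
        return self._manager.get_logins(self._client_id, page_url, tag)


def demo() -> dict:
    """Run the cases discussed in the thread and return what each one got back."""
    prompts = []

    def approve(client_id, url, names):
        prompts.append(url)          # a real manager shows this to the user
        return True

    mgr = Manager(VAULT, approve)
    ext = Extension(mgr)
    out = {
        "real": ext.fill("https://accounts.example.com/login?next=/inbox"),
        "lookalike": ext.fill("https://accounts.example.com.evil.net/login"),
        "downgraded": ext.fill("http://accounts.example.com/login"),
        "declined": Extension(Manager(VAULT, lambda *a: False)).fill("https://bank.example.org/"),
    }
    try:                             # a page script that never went through pairing
        mgr.get_logins("rogue", "https://bank.example.org/", bytes(32))
        out["rogue"] = "answered"
    except PermissionError:
        out["rogue"] = "refused"
    out["prompts"] = prompts
    return out
```

The prompt only fires when a matching entry exists, so a lookalike or downgraded page produces no hits and no prompt; a flood of prompts from unexpected origins is exactly the "something is wrong" signal renormalizer mentions.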

  • CerebralHawks@lemmy.dbzer0.com · +6 / −1 · 6 hours ago

    LastPass is shit now.

    Firefox is fine if it’s all you use. I use the Apple Passwords app, because I have all Apple stuff (Macs and an iPhone). It works very well.

    You can also use BitWarden. That’s free, it’s open source, and it’s highly regarded. It works whether you use iPhone or Android; whether your computer runs macOS, Linux, or Windows.

    You don’t need to pay for a password manager. Anyone who says you do has a vested interest in you spending money (it typically directly relates to them making money), and if they can’t respect you enough to be transparent about it, they don’t deserve your money.

  • ImgurRefugee114@reddthat.com · +9 · edited · 8 hours ago

    They’ve gotten a lot better. In the past, decrypting browser passwords was basically trivial. It still is by default: make sure you set a master password at a minimum. The consensus is that they’re not as secure as a proper password manager, but almost everyone agrees that it’s better than nothing / not using one.

    They’re still relatively low hanging fruit for infostealer malware and are compromised at significantly higher rates than other managers. Local access is also a problem in most cases. Autofill features have been exploited a lot too, though that can also affect password manager plugins (less so when they require manual interaction). Not using plugins for other managers may also pose a risk, like by moving credentials in the world-readable clipboard instead of a secure link that a plugin would use.

    You should probably use a standalone manager but it’s not the end of the world. Just do some simple best-practices: maybe omit your primary auth email and bank creds, use 2FA/OTP (don’t store with your passwords) and keep recovery credentials safe and separate.

    When it comes to security, you can be endlessly paranoid… Personally I have separate KeePass vaults to limit damage by compartmentalizing; they autolock after a short time and I keep OTP and recovery credentials in parallel vaults with different passwords never opened on the same machine. I’ve had my devices compromised many times in the past but besides temporarily losing access to an autologin Minecraft account and a shared Netflix password, I’ve never lost my vaults or had anything in them compromised so I must be doing something right. The same couldn’t be said when I used a browser password manager 20+ years ago and got a family credit card stolen by downloading a RuneScape dragon scimitar cursor…

    People who use things like Qubes OS can benefit by keeping their managers in separate isolated environments from their applications and passing creds between them. Some people also use dedicated & airgapped devices for credential management.

    It really depends on how secure you need to be; what your threat model looks like, and how much convenience you’re willing to sacrifice. I’d recommend following the advice from before, but also using a standalone password manager (Preferably a popular, free, and well-maintained one like keepassxc)

  • uuj8za@piefed.social · +10 · 8 hours ago

    One of the huge benefits of using a third party manager is that your data is more portable! If you wanna use Firefox today, cool. But what if you want to use Safari tomorrow? Or Chrome later? Don’t self vendor lock yourself. I see those built-in OS/browser password managers as traps to prevent you from leaving.

      • uuj8za@piefed.social · +2 · 2 hours ago

        1. Exporting and importing passwords is a time-consuming, annoying process
        2. There’s no guarantee your exported data will be entirely (or partially) compatible with the destination app

        My migration from 1Password to Bitwarden was both of those things.

        Vendor lock in doesn’t mean it’s impossible to move. It means there’s a huge burden to move.

    • kubok@fedia.io · +4 · 7 hours ago

      Adding to this already good post, a side benefit of a service like Vaultwarden is that you can use the same password management system among all your devices.

  • slazer2au@lemmy.world · +8 · 9 hours ago

    Always better.

    Malware/info stealers are far more likely to target browser profiles than the many password manager options.

  • CallMeAl (like Alan)@piefed.zip · +4 · 8 hours ago

    It’s a benefit to use something external when a new browser comes out that you want to use instead of FF, or if you need some passwords on a device that has no FF. Loosely coupled solutions generally have more flexibility.

  • krigo666@lemmy.world · +5 · 9 hours ago

    You can try KeePassXC and there’s an extension for Firefox that allows you to fill in the password fields, it matches the site with the URL in the KeePassXC entry.

    • _j_@lemmy.wtf (OP) · +5 · edited · 9 hours ago

      well yes, as I said I’ve used browser extensions for dedicated managers before, and I’m aware of KeePass. But my question is more about whether that’s better somehow than firefox. i.e. more secure/convenient/etc. I ask because in my armchair experience the built-in one is completely fine and idk what the advantage of a dedicated manager is over the built-in one.

      • The_v@lemmy.world · +3 · 8 hours ago

        The question is two-fold. How secure do you want the password to be determines what system to use.

        For example:

        Banking - I never store a password or username for these. It’s always one I can remember. The password is lengthy, multi-factor authentication is turned on etc… I don’t trust any system.

        Financial webpages other than banks, taxes, healthcare, etc., stuff that would hurt me personally if stolen, I use a stand alone password manager.

        Anything else goes into Firefox password manager. Stuff I don’t give a fuck about if somebody hacks my password.

  • palordrolap@fedia.io · +3 · 8 hours ago

    Most external password managers have features that the one built into Firefox (or any browser) lack, not least of which is having a separate (encrypted) backup of passwords (a tiny amount of data) independent of a browser profile (often huge).

    The next main one is the ability to generate random secure passwords for accounts rather than simply remember the ones you’ve made up yourself.

    Edit: It’s been brought to my attention that Firefox can generate a strong random password (feature added 7 years ago, I’ve been under a rock, I guess), but its features seem to be somewhat limited in scope. I couldn’t get it to re-roll a password I didn’t like, nor could I figure out how to tweak the parameters (length, characters allowed, etc.). Mozilla’s own help says “edit it yourself so that it fits the site’s requirements” which seems like a bit of a cop-out.

    Though you didn’t ask, PasswordSafe is my preferred choice. (Runs just about anywhere, or so I’m led to believe. I’ve only ever run it on the one computer.)

    I don’t even know most of my passwords now. When I’ve accidentally pasted one into the wrong field somewhere, they’ve been practically illegible.

    • FaceDeer@fedia.io · +5 · 8 hours ago

      Firefox has the ability to generate random secure passwords. Firefox Sync backs the (encrypted) passwords up automatically, if you set that up to do so.

      • palordrolap@fedia.io · +2 · 5 hours ago

        I stand corrected. I’ve had the “save passwords” feature disabled for a long time due to (largely misplaced) paranoia, and that feature needs to be enabled for it to generate one.

        Edited my original comment to reflect my feelings on the implementation.

      • bluGill@fedia.io · +1 · 7 hours ago

        Firefox doesn’t always generate a password for me. I have never figured out when/why, but sometimes it won’t.

        • CerebralHawks@lemmy.dbzer0.com · +1 · 6 hours ago

          Have you experienced this with other password managers?

          I think (I am not a coder/programmer) that there are a few ways to declare a text entry field is a password field. This tells the browser to replace anything you type with stars. And your password manager is listening for you to access such a field so it can go to work. And some password managers don’t detect all the kinds of password fields.

          That’s my guess. Because I’ve had the same experience with both BitWarden and Apple (Passwords app).

  • ExLisper@lemmy.curiana.net · +2 · 8 hours ago

    Firefox is fine. Benefit of Bitwarden is that you can use the app to also store and fill in passwords in Android apps.

  • Nighed@feddit.uk · +1 · 8 hours ago

    It’s good for some stuff - it means you get strong unique passwords for sites etc.

    BUT

    The fact it auto completes basically means that if someone gets access to your phone/computer while it’s logged in, they can log into anything. (A password is normally required to actually VIEW them? - maybe not on desktop!)

    I use the built-in manager for most day-to-day stuff, but anything financial or non browser based is stored in KeePass. It’s a bit annoying, but way more secure that way.

  • litchralee@sh.itjust.works · +1 · edited · 8 hours ago

    (short on time, so here’s an overview to answer part of the question)

    All password managers that are worth their salt (cryptography pun intended) have to anchor their trust to something, be it the OS’s secret-storing APIs or a piece of hardware like a TPM (typically built into your machine’s motherboard), an HSM (eg Yubikey) device, or an external source of authentication outright (eg a smart card, akin to what the US military does). Without any sort of trust anchor, a password manager is little more than a random program that happens to invoke a few cryptographic algorithms. It would be almost trivial for a malicious actor to use a bog-standard debugger like GDB to read the program’s memory and steal the secrets, either after it has been conveniently decrypted by the program or by spying on the program while it performs the cryptographic algorithms.

    Since a password manager runs within an OS, meaning that you already have to trust that your OS isn’t an NSA backdoor, it makes sense to rely on the OS for storage of secrets. What the password manager does is provide the frontend for adding/updating secrets from the OS’s store, while also making sure to authenticate the user prior to allowing access to the store of secrets. Once again, this is where hardware modules can come into play, but it can also be done using a main password. That is, you need to unlock the password manager before the secrets it contains are available for use.

    Rather conveniently, the OS can also provide this authentication functionality: if you have already successfully logged into the computer, then that’s a form of authentication. The most basic-but-reasonably-secure password manager would use two APIs to offload the difficult tasks to the OS: the authentication API and the secrets API. That’s the absolute bare minimum.

    What Firefox’s password manager provides, by default, is exactly that. But you can choose to upgrade to a Firefox-specific main password, so that if you forget to lock the computer, someone can’t just open Firefox and use your secrets. This is one step above the minimum for a reasonably secure password manager, but it comes with the inconvenience of having to unlock the password manager every time you want to use a secret.

    By and large, all password managers make these types of tradeoffs between convenience and additional layers of protection against certain threats. If your machine is inside the vault of Fort Knox and is actively guarded by people with machine guns and a keycard bullet proof door, then Firefox password manager is plenty acceptable.

    Whereas a shared home computer in a situation where the disclosure of the secrets would cause a grave problem – eg if an irate person finds that their spouse has a login for the local family court’s online website, which might suggest a forthcoming divorce proceeding – it might make sense to add additional layers. Indeed, some password managers can provide a decoy set of secrets, as a way of forming plausible deniability. If your situation needs plausible deniability, then Firefox’s built-in password manager might not fit the bill.

    I want to stress that using any password manager at all is already a massive improvement in security posture, and that any additional features and frills are merely refinements. Some folks are in high-risk situations where they cannot accept the possibility of off-device secrets synchronization, which would rule out Firefox password manager. But if you don’t have such requirements, and if you can trust your OS, then you can also trust Firefox to store and manage secrets.

    I have a rule which is that when anyone asserts that something is “more secure” or “more performant”, they need to come with specific evidence for those claims. IMO, those two phrases are often used to “handwave” away any criticism for the asserted position, as a form of thought-termination. I would suggest that you always ask “more secure from what threat?” in response to such empty assertions. If they answer you with a specific scenario, then you can assess for yourself if that even applies to you. If they cannot answer with specificity, then Hitchens’s razor should apply.
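
An added example (not code from this thread, and not how Firefox or KeePass actually lay out their stores) that makes concrete two points raised above: ImgurRefugee114’s "set a master password at a minimum", and litchralee’s description of a manager that must be unlocked with a main password before its secrets are usable. A vault sealed under a real main password refuses the empty password; a vault sealed under the empty string opens for anyone holding the file, because no secret ever went into the key. It is standard-library only, so an HMAC-SHA256 counter-mode keystream with a separate MAC key stands in for the AES-GCM or XChaCha20-Poly1305 a real manager would use; the iteration count, entry format and class names are assumptions, and the entries are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 200_000   # PBKDF2 work factor chosen for the demo; a real manager tunes
                       # this to the hardware or uses a memory-hard KDF such as Argon2id


def _derive(main_password: str, salt: bytes) -> tuple:
    """Stretch the main password into separate encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", main_password.encode(), salt, ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    """HMAC-SHA256 in counter mode as a stand-in stream cipher (stdlib only)."""
    out = bytearray()
    for counter in range((n + 31) // 32):
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:n])


def seal(main_password: str, entries: dict) -> dict:
    """Encrypt-then-MAC the entries under keys derived from the main password."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive(main_password, salt)
    pt = json.dumps(entries).encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return {"salt": salt.hex(), "nonce": nonce.hex(), "ct": ct.hex(), "tag": tag.hex()}


def open_vault(main_password: str, blob: dict) -> dict:
    """Verify the tag before decrypting; a wrong password fails here, not later."""
    salt, nonce, ct, tag = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "ct", "tag"))
    enc_key, mac_key = _derive(main_password, salt)
    expect = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        raise ValueError("wrong main password or tampered vault")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct))))
    return json.loads(pt)


class Session:
    """Holds decrypted entries only while unlocked; lock() drops them again.
    While unlocked they are ordinary process memory, which is the window a
    debugger or infostealer running as the same user gets to use."""

    def __init__(self, blob: dict):
        self._blob = blob
        self._entries = None

    def unlock(self, main_password: str) -> None:
        self._entries = open_vault(main_password, self._blob)

    def lock(self) -> None:
        self._entries = None

    def get(self, url: str) -> list:
        if self._entries is None:
            raise RuntimeError("vault is locked")
        return self._entries[url]


def demo() -> dict:
    """Contrast a vault with a real main password against one sealed under the
    empty string, which is what a store without a main password amounts to."""
    entries = {"https://accounts.example.com/login": ["alice", "correct horse battery staple"]}
    protected = seal("a long main password", entries)
    unprotected = seal("", entries)
    out = {"protected_opens": open_vault("a long main password", protected) == entries}
    try:
        open_vault("", protected)
        out["protected_resists_empty"] = False
    except ValueError:
        out["protected_resists_empty"] = True
    # No secret went in, so anyone who copies the file derives the same key.
    out["unprotected_opens_with_empty"] = open_vault("", unprotected) == entries
    s = Session(protected)
    s.unlock("a long main password")
    out["unlocked_get"] = s.get("https://accounts.example.com/login")
    s.lock()
    try:
        s.get("https://accounts.example.com/login")
        out["locked_denies"] = False
    except RuntimeError:
        out["locked_denies"] = True
    return out
```

The salt and the work factor only raise the cost of guessing the main password; they add nothing when that password is empty, which is why the "unprotected" vault opens for free. Locking after a short idle period, as several posters do, shortens the window in which the decrypted entries sit in memory, but it does not protect them while the session is open.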