Am I missing something, or is this landing page really nothing more than a screenshot and an app button? I know minimal pages are trendy, but that seems like taking it a bit too far.
I think this is wonderful, but I have two concerns.
First, if there isn't a Chrome plugin, it's not going to be of much use to me. I still use Chrome on my laptop (for a multitude of reasons) and if Lockbox doesn't interoperate with it, it's not a useful tool.
Second, I worry about the longevity of the project. Other than Firefox, Mozilla is not known for their long-term support of consumer products. Persona? Firefox OS? Thunderbird? I don't want to switch to a product that's only going to be retired in a year.
> I still use Chrome on my laptop (for a multitude of reasons) and if Lockbox doesn't interoperate with it, it's not a useful tool.
Well, you can import Chrome passwords into Firefox pretty easily, and set up Firefox Sync, and then you've got all your (Chrome) desktop logins on mobile. Not ideal, but works.
> I don't want to switch to a product that's only going to be retired in a year
Sure, I definitely understand. I've personally worked on Persona, FxOS, Test Pilot, and Screenshots (and now Lockbox). IMO Mozilla has gotten steadily better at shipping new products, and once we get Lockbox integrated into desktop, it'll have really good chances of long-term survival.
Besides, any new startup might go away; at least with Mozilla products, you can be sure we aren't going to do anything sketchy with your data.
Finally, I'll point out that, if you try Lockbox, it'll give Mozilla's management good signals that they should keep investing in Lockbox :-)
Longevity shouldn't be too much of a concern: Lockbox is effectively a client for Firefox Sync, and Sync is a core Firefox product offering.
As for Chrome, since Lockbox is an explicit move to extend Firefox Sync's utility beyond just Firefox, I wouldn't at all be surprised to see a browser extension at some point in the future. However, I have no actual knowledge of the Lockbox team's roadmap. Just seems reasonable. :-)
Heck, all the APIs (and repos) are open, so someone sufficiently motivated could build that right now.
It depends where all your website passwords are. If they’re in Chrome, this app is not for you. The idea behind Lockbox is to make it easier to access (on mobile platforms) the passwords associated with your Firefox account.
I like this move into more consumer type applications from Mozilla. I'd be interested to see some of their newer stuff moving to a subscription model that supports Mozilla, I know you can make recurring donations but it seems like people are more interested in buying a product that supports the organization making it.
Just installed on Android. After syncing to my account it shows "no entries found", even though I have hundreds of saved logins in my Mozilla account.
Tried disconnecting my account in order to re-add it again, and can't find a way to do the latter. It just keeps showing the "Disconnect Firefox Lockbox" button, even though it (presumably) is already disconnected.
Will check back in a couple of months to see if it's more fully-baked. But right now this feels pretty pre-alpha.
This is great feedback. We are currently working on improvements on this specific finding. We'll continue to provide updates to make Firefox Lockbox a better experience. Thanks for trying and testing the app.
As long as it's clearly and openly communicated what telemetry is collected, I'm fine with an app collecting whatever information they want: I get to make the decision on whether I give up that information by (not) installing the app.
This is very nice, especially since I use Firefox as my second password manager (I enabled "save passwords" because it's so handy). All it needs is better management and the ability to store more data in the DB, and I'm sold! OATH would be nice too.
Does this have a value proposition over a standalone manager like Bitwarden? Saying this as an avowed Firefox user and fan.
I long ago abandoned browser password managers due to awful security practices like storing passwords in plaintext in my browser profile. Bitwarden is full of features and works everywhere, too.
It's Mozilla, so they should be more trustworthy with your data.
That being said, I agree with your critique. I am a 1Password customer and enjoy the fact that there are two passwords for my account (rendering keyloggers worthless).
What is the state of the art for building privacy conscious backends for applications like this? I really haven't seen a great platform that provides well documented and reasonably designed general purpose APIs for handling both encryption, sync, versioning, and conflict resolution.
There are several alternate implementations for the bitwarden server. Unless my plans change, eventually I plan on deploying this one:
https://github.com/dani-garcia/bitwarden_rs
> What is the state of the art for building privacy conscious backends for applications like this?
This has actually become a core competency of Mozilla thanks to the infrastructure laid out for Firefox, which I think will be leveraged in their product strategy going forward.
I think it is great that Firefox is branching out of just browsers, and making its own ecosystem of products. However, it doesn't seem that necessary. The existing field is already pretty good imo.
I think password management is a good fit for Mozilla. I perceive Mozilla to be trustworthy and competent, and the code for this is open source: https://github.com/mozilla-lockbox
They also generally do a good job with UI, which is not true of all open source solutions. This may not be crucial for devs, but it's crucial if we want to share passwords with the non-devs in our lives.
The main ones I know of are all closed source. Some may not quite be (bitkeeper?) but as far as user controlled pw management goes I think the market is far from saturated
Please let me import from another password manager! There's just too much friction involved in switching if I have to manually import all my existing passwords. And if I can't import them, then I have to keep my old password manager around until I'm sure that I've imported all my old logins by visiting all the sites in case the reset password email is linked to an address I no longer have access to. If I have to do that, there's no point in me switching because I'll never actually be sure I've got all the logins moved over.
Works well on iOS. Integrates as a system-wide auto-fill option, so it works even in native apps.
Real Firefox is forbidden from being in the Apple AppStore, and only AppStore apps are allowed to sync with the iCloud keychain, so this is the next best alternative permissible in Apple's garden.
Firefox is also in the App Store, albeit "real" is a subjective term here since it's forced to use WebKit/WebView (as are all browsers on iOS) if that is what you were alluding to.
The problem with Firefox Sync is that my search history and bookmarks are synced... which is non-optimal when jumping between work and home computers. I use LastPass to sync my passwords... but would consider alternatives... LastPass performance has degraded lately.
This is increasingly my problem with everything that offers syncing.
I left Chrome after Chrome 69's sign-in changes; however innocuous the intent, it unexpectedly left me with bookmarks syncing between work and home machines. Which was privacy-undermining, certainly, but more pressingly made finding anything a tremendous hassle.
Keeping multiple password suites segregated has become increasingly irritating also, particularly when I want access to both suites on one phone. The easiest answer so far has been to use different password management services for different sets, which is an absolutely silly way to choose a tool.
At this point, I'd take any trustworthy browser and password manager with strong tools for controlling where different pieces of information are synced.
I'm in the same boat you are. I'm considering alternatives to Lastpass, mostly because the client has gotten worse over the past few years (since they were picked up by LogMeIn). I don't mind price hikes, but I don't feel as if I've gotten a commensurate increase in the utility or smoothness of the application (though I've certainly noticed an uptick in bugs).
I use Pass[0] with GnuPG and a private git repository for storing encrypted passwords. There is an Android client for it on F-Droid. It is a bit of work to bootstrap it but I like it a lot.
It would be nice if it would support custom sync servers. I'm using a custom sync server with Firefox and therefore Lockbox does not show any of my passwords after login.
[+] [-] notatoad|7 years ago|reply
[+] [-] floatingatoll|7 years ago|reply
[+] [-] jolmg|7 years ago|reply
[+] [-] dgudkov|7 years ago|reply
[+] [-] philips|7 years ago|reply
[+] [-] bastawhiz|7 years ago|reply
[+] [-] 6a68|7 years ago|reply
> if there isn't a Chrome plugin, it's not going to be of much use to me
Working on it! We have to get the webextension working in Firefox first, then we'll branch out to other browsers. (Contributors welcome, btw: https://github.com/mozilla-lockbox/lockbox-addon)
[+] [-] callahad|7 years ago|reply
[+] [-] saagarjha|7 years ago|reply
[+] [-] SimeVidas|7 years ago|reply
[+] [-] piotrkubisa|7 years ago|reply
[+] [-] SilasX|7 years ago|reply
[+] [-] chuckgreenman|7 years ago|reply
[+] [-] StevePerkins|7 years ago|reply
[+] [-] firefox-lockbox|7 years ago|reply
[+] [-] emerongi|7 years ago|reply
[+] [-] saagarjha|7 years ago|reply
[+] [-] StavrosK|7 years ago|reply
[+] [-] ripdog|7 years ago|reply
[+] [-] zamalek|7 years ago|reply
[+] [-] philips|7 years ago|reply
Textile: https://github.com/textileio/go-textile Based on IPFS so seems like your entire privacy rests in crypto
Bitwarden: https://github.com/bitwarden/server/blob/master/README.md App works well but it doesn't seem like there is interest in making this general purpose, maybe because of the software stack choice?
Standard files: https://standardfile.org/ Standard notes clobbers data if two devices make offline edits :(
[+] [-] jpeeler|7 years ago|reply
[+] [-] mintplant|7 years ago|reply
[+] [-] philips|7 years ago|reply
[+] [-] solarkraft|7 years ago|reply
[+] [-] wyxuan|7 years ago|reply
[+] [-] nathan_long|7 years ago|reply
[+] [-] JoelMcCracken|7 years ago|reply
[+] [-] newscracker|7 years ago|reply
But there are a few more features that are necessary to make this truly standalone (these comments are based on the iOS version):
- ability to create a Firefox sync account from this app.
- ability to add entries in this app and manage them.
- ability to import credentials from other applications (like 1Password, BitWarden, Lastpass, etc.).
[+] [-] kamarg|7 years ago|reply
[+] [-] azdle|7 years ago|reply
[+] [-] pornel|7 years ago|reply
[+] [-] alimbada|7 years ago|reply
[+] [-] SubiculumCode|7 years ago|reply
[+] [-] Bartweiss|7 years ago|reply
[+] [-] CtrlAltT5wpm|7 years ago|reply
My big thing is the integration of the Yubikey, which is almost mandatory. Bitwarden has this, but their recent security assessment had a showstopper, as far as I'm concerned:
'BWN-01-010 – Changing the master password does not change encryption keys'
https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...
If Bitwarden gets that fixed, I'd jump ship instantly. Otherwise, I may play with Firefox Lockbox and see where that gets me.
[+] [-] darkwinx|7 years ago|reply
[+] [-] ksynwa|7 years ago|reply
[0]: https://www.passwordstore.org/
[+] [-] scotu|7 years ago|reply
I've been burned by dropbox synced keepass password management before...
[+] [-] pornel|7 years ago|reply
[+] [-] philips|7 years ago|reply
[+] [-] 15characterslon|7 years ago|reply
[+] [-] zymhan|7 years ago|reply