
Firefox Lockbox - sahin-boydas
https://testpilot.firefox.com/experiments/firefox-lockbox/
======
FullyFunctional
I installed it and will compare it to Lastpass (which is pretty good IMO).
HOWEVER, it saddens me to read on the front page: "using 256-bit encryption".
I'd really expect the competent people at Mozilla to know that this statement
means next to nothing. At the very minimum I want to know:

1) HOW is the key derived (say, "derived using PBKDF2 on the Firefox username +
password")

2) WHERE is it encrypted (I assume "encrypted on the device/end-to-end/zero-
knowledge"). It needs to be clear what the attack vectors are.

3) HOW is the secret managed (say, "Secret is wiped on all application
switches")

and probably more that I forgot.

Using the app, the first thing I noticed is that I have a LOT of duplicate
entries but no obvious way to clean that up.

EDIT: I see most of these details are on
[https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...](https://blog.mozilla.org/services/2014/04/30/firefox-syncs-new-security-model/)
but it doesn't change my disappointment in the totally
useless "256-bit encryption" statement. Just say "strong encryption practices"
and provide a link to the details. 8,192 bit encryption doesn't help you if
you don't manage the key well.

~~~
ldayley
I, too, want to know the implementation details. That said I’ve watched hundreds
of eyes gloss over as I emphatically implored lay-persons about password
policies and tools like password managers and frankly their definition of
‘secure’ can be encapsulated in ‘256-bit encryption’.

An oversight on Mozilla’s part for security-types and engineers, but maybe
they have the masses in mind with this tool & its marketing site.

~~~
infogulch
Maybe the ship has sailed, but I would prefer laypersons _not_ associate the
phrase "256-bit encryption" with _anything_ , and would much rather one like
"strong encryption practices" if it's a link to the technical specifications.
They have no basis on which to evaluate what 256 bits of anything actually
mean, so using it as a technical term to throw at their face _intending for
them to latch onto it as a valuable metric is actively harmful_. What if it
said "Strong 256-bit RSA encryption". To you and I that phrase should send off
alarm bells, but a layperson might actually rank that as _more secure_ because
of the added technical jargon. You've just taught them to trust random
technical-sounding security jargon so adding more jargon makes it sound more
better.

It's probably way too late to make any difference here, but I still wish
Mozilla could push the boundaries here.

~~~
SubiculumCode
On the other side, is it fair to say 8-bit encryption is NOT secure?

~~~
tracker1
yeah, but if I'm rotating a 256-bit key using XOR, is that really secure? It's
256-bit encryption, but about the weakest thing I could possibly do short of
plain text.
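
Added example (not part of the comment above and not Lockbox code): the repeating-key XOR scheme tracker1 describes, with a 256-bit key, and two checks showing that the key length says nothing about strength. The vault records and their header are constructed sample data.

```python
import os

KEY_LEN = 32  # 256 bits

# Constructed sample data: two vault records sharing a predictable header.
HEADER = b'{"format":"constructed-vault-v1",'
RECORD_A = HEADER + b'"site":"example.org","password":"correct horse battery"}'
RECORD_B = HEADER + b'"site":"example.net","password":"a different secret"}'


def xor_pair(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings up to the length of the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def xor_repeating(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; the same call encrypts and decrypts."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def key_from_known_plaintext(ciphertext: bytes, known: bytes,
                             key_len: int = KEY_LEN) -> bytes:
    """ciphertext XOR plaintext is the key stream, so key_len known
    plaintext bytes (a file header is enough) give back the whole key."""
    if len(known) < key_len or len(ciphertext) < key_len:
        raise ValueError("need at least key_len bytes of known plaintext")
    return xor_pair(ciphertext[:key_len], known[:key_len])


def key_cancels(c1: bytes, c2: bytes, p1: bytes, p2: bytes) -> bool:
    """Two records under the same key: c1 XOR c2 equals p1 XOR p2,
    so the 256-bit key drops out of the relation entirely."""
    return xor_pair(c1, c2) == xor_pair(p1, p2)


def demo() -> dict:
    key = os.urandom(KEY_LEN)          # a perfectly random 256-bit key
    c_a = xor_repeating(RECORD_A, key)
    c_b = xor_repeating(RECORD_B, key)
    recovered = key_from_known_plaintext(c_a, HEADER)
    return {
        "key_recovered": recovered == key,
        "plaintext": xor_repeating(c_a, recovered),
        "key_cancels": key_cancels(c_a, c_b, RECORD_A, RECORD_B),
    }


if __name__ == "__main__":
    print(demo())
```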

------
drdaeman
I'm disappointed.

Instead of making password management modular, so any password manager capable
of certain queries and operations (KeePass, LastPass, Bitwarden, KWallet/Gnome
Keyring/libsecret, Microsoft Credentials Management API, Apple Keychain, etc)
could become a storage backend with some programming effort... they're doing
the exact opposite - they've created _yet another_ password manager UI and
_yet another_ proprietary data format (Lockbox Data Storage) for that purpose.

Seriously, I doubt many (if anyone) but Mozilla management needs or wants a
Mozilla-branded extra ecosystem, in addition to Google, Apple and Microsoft-
branded ones - yet another piece of software that doesn't interoperate with
anything but its own unique data formats and protocols.

I don't know what others want, but I want a good browser that I can hook up
with things I already use.

~~~
rainbowmverse
We either have different definitions of proprietary, or I'm misunderstanding
something. The format appears to be open and documented.
[https://github.com/mozilla-lockbox/lockbox-datastore](https://github.com/mozilla-lockbox/lockbox-datastore)

~~~
drdaeman
Different definitions, I guess. I call it proprietary because it's:

- Unique to Mozilla products. Invented there (disregarding any existing
solutions of the same problem) and no one else uses this.

- Based on Accounts and Sync I believe this is not a standard at all, just
something that happens to be documented. With FxA&Sync there are a lot of
undocumented subtleties and things sometimes change at whim without any
warnings. If you make an independent implementation, you're bound to be always
catching up, just like it is with any other proprietary protocols.

It's "open" because it's documented and the implementation is FLOSS, but it's
also "proprietary" because effectively, Mozilla is in full and ultimate
control of this stuff.

~~~
annabellish
They are on day one, sure, but if the file format is documented and clear then
there's no reason why other managers couldn't interoperate. It's not as good
as using an existing standard, but I'm not sure there is _an_ existing
standard right now.

~~~
drdaeman
> I'm not sure there is _an_ existing standard right now

I think there is none, except for the OS-provided APIs (but those have
complications of their own, e.g. Chrome had dropped Apple Keychain support for
a reason).

> there's no reason why other managers couldn't interoperate

Why would they? I don't think anyone was invited to this party. And I find it
highly unlikely someone will bother to interoperate beyond implementing an
importer tool, because it's likely that no one wants to spend resources on
alternative implementations just to be in dependent always-catching-up
position.

Seriously, I absolutely don't see how this could become a standard. I've
called it proprietary not to badmouth it, but because it is Mozilla's own,
unique stuff and is very much likely to remain so.

I believe if someone wants to devise a standard for something, they call for
everyone having their in-house implementations, asking if they want to
interoperate. Many won't bother, but some may like the idea. Then, a
specification is written, and conforming implementations follow.

~~~
annabellish
That isn't what proprietary means, though. Every criticism you level at this
file format _can also be levelled at the others_. There's no way around that
at this stage. The only way mozilla could not have caused that problem is to
not have built anything like this.

~~~
drdaeman
> can also be levelled at the others

Password manager storage/exchange formats? Sure, there are no standards at
this point. Arbitrary formats or protocols? Certainly not. Similar cannot be
said about e.g. HTML/CSS or WebDAV or OpenPGP - even though there are enough
incompatibilities, deviations and proprietary extensions.

> The only way mozilla could not have caused that problem is to not have built
> anything like this.

Of course. I don't think anyone needs yet another password manager, for there
are a lot of options already (although many lacking one thing or another, but
it's not like Lockbox is going to be the perfect one).

Mozilla are in touch with standard bodies, like W3C. They are participating in
development of various authentication protocols like FIDO2. Surely they can raise
a call for other password management software vendors to devise a common API.
Some would not want one (besides importing into their product), some would
enjoy a capability to concentrate on some parts of the product but leave
others to compatible third-party implementations (e.g. backend/frontend
separation).

It's not a bad thing, of course, to build another password manager. I just
don't see anything good about this, either.

------
aaronkjones
I am curious how it works, technically speaking.

I already have this capability with password-store (pass), that works for
Firefox, Chrome and Safari on desktop and mobile.

pass - [https://www.passwordstore.org](https://www.passwordstore.org) (core
program)

passff -
[https://github.com/jvenant/passff](https://github.com/jvenant/passff)
(firefox desktop)

passforios -
[https://mssun.github.io/passforios](https://mssun.github.io/passforios) (ios
w/firefox mobile)

qtpass - [http://qtpass.org](http://qtpass.org) (osx, linux, windows)

~~~
buddylw
OpenKeychain and Password-store (paired with a yubikey) is the entire reason I
use Android over iOS. I really wish there was a hardware GPG key solution for
the iPhone.

~~~
jopsen
Did you see it's missing a maintainer?

I agree, using gpg on yubikey for password encryption is ideal. My only
problem with it is that nobody makes money, so who is maintaining it?

~~~
rrix2
Capitalism continues to wow the masses

~~~
jopsen
Don't get me wrong I would pay... But there is no attempt to make money from
this.

------
davidrusu
I've been working on this distributed offline-first datastore that uses the
Git protocol as the network layer. I'm calling it GitDB (but the Git trademark
is getting more strictly enforced these days so that'll need to change).

The idea is that we should be able to build tools where the user can
understand and manage where data is stored while at the same time keeping many
of the conveniences of modern apps, like cross-device sync.

As a user, you can decide if you trust Github, Gitlab, Bitbucket, etc. and pay
them to host your data.

The first tool I wanted to build with GitDB was a password manager but seeing
this post made me wonder if there would be enough people who wanted this level
of control over data, does this sound like something you'd be into?

This work is all super early, but would love to gauge the interest from
others.

If someone wants to help build this thing:
[https://github.com/the-gitdb-cooperative/gitdb](https://github.com/the-gitdb-cooperative/gitdb)

~~~
tlb
Pass ([https://www.passwordstore.org/](https://www.passwordstore.org/)) uses
git as a password database in a similar way.

~~~
davidrusu
AFAIK pass won't handle conflicts for you (please correct me if I'm wrong!).

This isn't a big problem for a password manager since conflicting changes are
very uncommon, but for other apps this starts to get more important.

~~~
tlb
It just does what git does. Since every site has its own file containing just
a password, merging conflicts isn't a common issue.

------
neilsimp1
If this is any good I'll be considering it as a replacement for Keepass.

A bit off topic, but while looking at this I noticed another experiment -
Firefox Side View. It looks like it lets you have two open tabs side-by-side
in one browser window. This is exactly why I used the Tile Tabs[0] extension
and had to switch to Tile Tabs WE[1] with the Quantum update. I'm happy to see
this coming back without the WE workarounds.

[0]: [https://addons.mozilla.org/en-US/firefox/addon/tile-tabs/](https://addons.mozilla.org/en-US/firefox/addon/tile-tabs/)

[1]: [https://addons.mozilla.org/en-US/firefox/addon/tile-tabs-we/](https://addons.mozilla.org/en-US/firefox/addon/tile-tabs-we/)

~~~
awill
I use Android, Linux (at home), and Mac (at work). I switched from KeePass
because the UI was really bad, it seemed dead, and I really didn't want to
move to KeePass 2 (with Mono on Linux). I switched to enpass, and it's been
great. It has native Linux/Mac/Windows apps, a solid Android app (with
fingerprint support), and there's no subscription. It's perfect for my needs.

~~~
jeena
The newest kid on the block is KeePassXC
[https://keepassxc.org](https://keepassxc.org)

~~~
bubblethink
The browser extension leaves a lot to be desired though. I feel that there are
a lot of good standalone password managers, but the ones with good browser
extensions are far fewer. I'm using bitwarden right now, which so far seems to
be the best of the open source ones in terms of usability.

------
pietroglyph
Here's some more in-depth information on the architecture of Lockbox:
[https://lockbox.firefox.com/architecture/](https://lockbox.firefox.com/architecture/)

~~~
motohagiography
I am a fan of the quality of dev the Firefox team has, and am sure they have
thought this through very deeply. For trust and security, it would be helpful
if that were reflected in the specs as well as the final product.

I was the architect for a solution solving a similar problem some years ago,
and then, as apparently now, the key derivation scheme appears to be a bit of
a shell game. Was just reading this and trying to get a picture of how someone
could reason about trusting it. This doc specifies four symmetric keys, where
two are used for encryption, and two are used as salts.

The salts are derivations, which are hashes from data elements

So simply, we have:

FxA credentials: a string or blob to be determined.

f: some function tbd

k_pre: a bootstrapping scheme initialization key.

k_enc: keystore key.

k_salt: a user-bound diversification component

k_item: a key to encrypt an item within the encrypted container, or "lockbox"

Some definitions:

k_pre :=(f(FxA))

k_enc := (f(k_pre))

k_salt := KDF(k_pre, userid, infostring, length)

item := KDF(k_salt, k_enc)

Question is, what is FxA? Best thing could be is an HSM key with a user-bound
diversification component, with some kind of secure provisioning protocol to
get it into the device, but from what I can tell from the docs, there are
still some exercises for the reader.

What wasn't clear on first reading from the architecture was the protocol they
use between where the lockbox is stored, and where its components are used.
When I did this, we used a variation of OCRA to prove possession of correct
keys and their versions and release verifications for "items," (attributes).

The next useful documentation step would describe a sequence like:

A -> B: init msg

B -> A: challenge

A -> B: (userid, key version, HMAC(k_pre, challenge))

B -> B: derives k_pre(userid)+ HMAC, validates

B -> A: challenge'

A -> B: etc...

Not to be a pedant about this stuff, but to be able to reason about the things
we can trust it for, there are some things we can't be handwavy about.
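
Added example (not part of the comment above, and not Lockbox's or Firefox Accounts' actual scheme): the key hierarchy and the challenge/response sequence sketched above, written out so each step can be checked. Assumptions of this example: `f` is PBKDF2-HMAC-SHA256 for the credential and a labelled HKDF afterwards, `KDF` is HKDF-SHA256, party B keeps an enrolled `k_pre` per (userid, key version), and `item_id`, the info labels and all sample values are constructed.

```python
import hashlib
import hmac
import secrets

PBKDF2_ROUNDS = 100_000  # example work factor, not a value from the Lockbox docs


def hkdf_sha256(ikm: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract with the salt, then expand with the info label."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]


def derive_hierarchy(credential: bytes, userid: bytes,
                     infostring: bytes = b"sketch-k_salt") -> dict:
    """Follow the comment's definitions; f and KDF are this example's choices."""
    # k_pre := f(FxA): stretch the (possibly low-entropy) credential once.
    k_pre = hashlib.pbkdf2_hmac("sha256", credential, userid, PBKDF2_ROUNDS, 32)
    # k_enc := f(k_pre): k_pre is already uniform, a labelled HKDF is enough.
    k_enc = hkdf_sha256(k_pre, b"", b"sketch-k_enc")
    # k_salt := KDF(k_pre, userid, infostring, length)
    k_salt = hkdf_sha256(k_pre, userid, infostring, 32)
    return {"k_pre": k_pre, "k_enc": k_enc, "k_salt": k_salt}


def item_key(keys: dict, item_id: bytes) -> bytes:
    """item := KDF(k_salt, k_enc); item_id is an addition of this example
    so that every item in the container gets a distinct key."""
    return hkdf_sha256(keys["k_enc"], keys["k_salt"], item_id)


def respond(k_pre: bytes, challenge: bytes) -> bytes:
    """A -> B: HMAC(k_pre, challenge); k_pre itself never crosses the wire."""
    return hmac.new(k_pre, challenge, hashlib.sha256).digest()


class Verifier:
    """Party B: issues single-use challenges and validates A's proof."""

    def __init__(self) -> None:
        self.enrolled = {}   # (userid, key version) -> k_pre
        self.pending = {}    # userid -> outstanding challenge

    def enroll(self, userid: bytes, version: int, k_pre: bytes) -> None:
        self.enrolled[(userid, version)] = k_pre

    def challenge(self, userid: bytes) -> bytes:
        self.pending[userid] = secrets.token_bytes(32)
        return self.pending[userid]

    def verify(self, userid: bytes, version: int, tag: bytes) -> bool:
        # Consume the challenge first so every attempt, good or bad, burns it.
        challenge = self.pending.pop(userid, None)
        k_pre = self.enrolled.get((userid, version))
        if challenge is None or k_pre is None:
            return False
        return hmac.compare_digest(respond(k_pre, challenge), tag)


def run_exchange() -> dict:
    """Walk the A/B sequence once, then the three ways it should fail."""
    userid, version = b"alice@example.com", 1
    keys = derive_hierarchy(b"constructed passphrase", userid)
    b = Verifier()
    b.enroll(userid, version, keys["k_pre"])

    tag = respond(keys["k_pre"], b.challenge(userid))
    results = {"valid": b.verify(userid, version, tag)}
    results["replay"] = b.verify(userid, version, tag)  # challenge already used
    results["wrong_version"] = b.verify(
        userid, 2, respond(keys["k_pre"], b.challenge(userid)))
    results["wrong_key"] = b.verify(
        userid, version, respond(keys["k_enc"], b.challenge(userid)))
    return results


if __name__ == "__main__":
    print(run_exchange())
```

The proof here covers only the challenge, as in the sketch; binding the userid and key version into the HMAC input would be a further design choice the comment does not specify.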

------
dangelov
If I'm already using Firefox on Mac, Windows & iPhone, what advantage does
this bring over just opening the Firefox app on my iPhone and looking in
Settings > Saved logins? Seems to me to be exactly the same, am I missing
anything?

~~~
sametmax
It's faster. It syncs. It's safer than firefox passwords manager. It
integrates better with the OS (unlock with fingerprints or face). You can use
it for something else than websites.

However, it's still nowhere as convenient as lastpass.

But it's a good first step. I wish them luck.

~~~
larrik
The existing app already syncs, though. "Faster" we'll see. Integration is
probably the main point.

------
owaislone
I would absolutely love to have this on Android and available worldwide.

~~~
abhiminator
I'm betting it's in the works already.

Edit: Yes, can confirm. It is in the works. [0]

[0]
[https://goo.gl/forms/ZwLIfHSGLrYcM6k83](https://goo.gl/forms/ZwLIfHSGLrYcM6k83)
(link from the announcement article)

------
Thriptic
Has anyone done a thoughtful comparison of PW managers?

I moved on from keepass because it was a huge hassle to use, but LastPass and
1password both have some detractors as well.

~~~
rodorgas
I paid a one time license fee of 1Password, then I use it offline on laptop
and iPhone. I sync them through wifi regularly.

This offline use option is not very disclosed on the website but it’s possible
and in my opinion it’s more safe.

I’ve tried open source password apps but the problem is they are all from
independent developers. These developers can’t afford security reviews and I
can’t tell if the version on the App Store is the same as the version on
GitHub. If there’s a vulnerability and passwords leak, a company can be
legally responsible, it’s not the same with independent developers.

And it’s not practical to install an app and its updates from source on
iPhone. So I went with the closed source 1Password because it’s a big company
and everybody is looking at them.

~~~
cevn
I'm using 1password the same way as you are. Their linux support is poor
though.

------
bovermyer
This is interesting, and I'm looking forward to seeing where it goes.

However, it's very unlikely to replace Bitwarden for me.

~~~
lern_too_spel
There is a surprising lack of unit tests in Bitwarden, which is mostly
maintained by one person. If Mozilla can apply its rigorous engineering
practices to maintaining an open source password manager with all the features
I use, I will switch from my current system.

~~~
bovermyer
I'll admit that some of the Bitwarden clients are... less reliable than I
would like.

------
tekism
"Test Pilot", "Experiment" are not words I want to see when it comes to my
login credentials.

~~~
gkya
Everything starts out so, so we can wait until it's stable, no?

------
kyoji
Love it. I don't love using LastPass, but I don't want to deal with the rough
edges of KeePass either. Looking forward to the Android app. +1 for autofill
API.

~~~
Tiki
Rough edges in KeePass?

~~~
pdoconnell
The need to use a third party plugin to get any form of cloud sync working for
one. Minor weirdness with it scrolling through your secret share structure on
the left instead of up and down your passwords if you have accidentally
clicked over (a feature that acts more like a bug). The lack of ability (or at
least any documentation) on how to use something like Google Authenticator as
MFA for the database.

~~~
jeena
The external sync is a feature for me, not a bug. I can use whatever tool I
want to sync between my devices (I use Syncthing) and do not need to trust
some company with storing my stuff on their servers and not fiddling with
them.

------
rainbowmverse
Can't believe they didn't call it Lockfox.

~~~
devinreams
Firebox Lockfox? Firelock Boxfox? Lockfire Foxbox? Ugh, we tried them all, I
swear..

~~~
rainbowmverse
Just plain old Lockfox. However, I understand you probably have some
branding/marketing/PR concerns to keep in mind with naming.

~~~
gkya
Lockfox sounds like something that breaks or works around locks to me, fox
being a sneaky tricky animal; not really reassuring.

~~~
rainbowmverse
>> _"fox being a sneaky tricky animal"_

Foxes are good and pure creatures.

~~~
gkya
But it has certain connotations in many cultures, which is not positive. I too
like them and know they aren't a part of our value system, but naming a
_security_ product that is meant to _protect_ your valuable stuff "fox" is
like calling a bank Robbers&co.

~~~
rainbowmverse
That was humor. I'm aware of the centuries of anti-fox propaganda.

------
gervase
From the link, it claims that this "gives access to all the logins you've
saved in Firefox", but I thought it was common knowledge that in-browser
password storage is insecure? [0,1]

If so, then this doesn't really promote much confidence in a product that
appears to be a password manager. If they've addressed this issue, then that
should probably be explicitly stated, although I understand the difficulties
of that from a marketing perspective.

Maybe the reference to 256-bit encryption is a nod to this, with the
expectation that those unfamiliar with the problems wouldn't be familiar with
the differences between plain-text and encrypted storage?

Regardless, I think it's pretty promising that a browser is addressing this
problem head-on, rather than leaving it to third-party companies to solve in a
cross-platform way.

[0]: [https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-fi...](https://nakedsecurity.sophos.com/2018/03/20/nine-years-on-firefoxs-master-password-is-still-insecure/)
(If you don't use a master password, which isn't required, I believe?)

[1]: [https://www.wired.com/2016/08/browser-password-manager-proba...](https://www.wired.com/2016/08/browser-password-manager-probably-isnt-enough/)

~~~
0942v8653
> in-browser password storage is insecure

> (If you don't use a master password, which isn't required, I believe?)

When using a cloud-synced password vault that lands on the servers of a third
party (this includes Firefox, Google, 1Password, Lastpass, etc.) you must
always assume that the file itself is compromised; the only thing between an
attacker and your passwords is the encryption by your master key.

I seriously doubt that Firefox Lockbox will allow you to cloud-sync your
password file without setting a master password. *

Note: One of the first things malware authors typically go for is the password
vault stored in browsers, but this is only because it is commonly used without
any master key set.

* It might depend on some key derived from your account password, if you haven't observed the requirement of a master key. Not sure.

~~~
zeveb
> I seriously doubt that Firefox Lockbox will allow you to cloud-sync your
> password file without setting a master password.

The current Firefox Accounts protocol simply encrypts a master key with a key
derived from the account password. That's not terrible, although it does mean
that account passwords must be cryptographically strong. However, Firefox
Accounts can be logged into from a webpage which executes JavaScript served
dynamically, which means that Mozilla, a Mozilla employee or any government or
organisation which can compel Mozilla or Mozilla employees can serve targeted
JavaScript to you to steal your master password, and then silently read your
passwords. As such, Firefox accounts cannot be trusted with high-security
passwords.

(Yes, you have to trust Mozilla to run Firefox at all, but it's significantly
easier to hide a single download of a compromised JavaScript file than it is
to hide a compromised Firefox binary served to the world)

~~~
yborg
If you are a likely target for a government entity with subpoena power you
have much bigger problems than your Firefox Accounts password. The
problematical scenario is that Mozilla is remote compromised by some bug or
poor opsec and criminal entities will serve compromised JS. Since this has
literally happened to basically every kind of organization out there, it is
virtually certain to happen to Mozilla.

~~~
drdaeman
The problem is that Mozilla has been aware of the issue for years, yet is not
doing anything about it, even though the auth protocol is stable and
documented. Okay, I get it that they may not want to rewrite already working
parts of the browser - but even in this _new_ Lockbox project they're using a
WebView to log in to FxA.

<fud>Maybe they're already breached by highest-profile actors like NSA?</fud>

------
czei002
One problem with password managers (that are using web authentication to
create/manage an account for backing up the password manager in the cloud) is
that the authentication password can be leaked during the authentication
process. For example, the storage provider for password manager backup can
simply read the password from the authentication web page since this web page
is hosted at the provider. This is problematic if the authentication password
is also used to encrypt the password manager, i.e. the provider could decrypt
the password manager with the authentication password. You would actually need
two passwords; one for authentication and one for encryption. Unfortunately,
you usually don't even have the option to choose two passwords.

To solve this problem I'm working on FejoaAuth
([https://fejoa.org/fejoapage/auth.html](https://fejoa.org/fejoapage/auth.html)).
FejoaAuth uses an authentication protocol that does not leak the user password
to the provider who is going to store the password manager. This protocol is
run in a trusted browser plugin in order to ensure the correct execution of
the protocol. Thus you can use a single password for authentication and
password manager encryption.

------
godelski
So can someone expand on this a little? What are the differences between this
and something like LastPass (other than this isn't an add-on). Does it provide
app autofill? Does it prevent the same plain text decoding that browser
password managers typically have? Is this useful? I'm legit asking because I
don't know and would appreciate a security person chiming in.

~~~
sp332
The video shows the password being copied (to a clipboard), so I'm guessing it
doesn't do autofill. Does iOS support autofill apps?

~~~
nyolfen
lastpass on ios autofills if you select it from the safari, uh, box-with-up-
arrow icon from the navigation bar

~~~
sametmax
Op said in apps.

------
jumbopapa
This is seriously great! If the eventual Android app uses the Autofill API
then it would be a good replacement for LastPass or Bitwarden.

------
tlavoie
Nice, will check it out! FF is already my default browser. One question
though, is there a good way to import from other exported sources such as
LastPass or KeepassXC?

------
vxNsr
Does this have safari integration?

Will it support iOS 12 auto fill?

Most importantly, how likely is this gonna disappear after a year or two like
so many other Mozilla side projects?

~~~
LeoNatan25
Most likely. The iOS guys that work on Mozilla apps are pretty tech savvy and
use latest Apple technology.

~~~
devinreams
Yes, us guys and gals working on the app are planning on the iOS 12 autofill
API integration:
[https://github.com/mozilla-lockbox/lockbox-ios/issues/445](https://github.com/mozilla-lockbox/lockbox-ios/issues/445)

~~~
adtac
I think you mean
[https://github.com/mozilla-lockbox/lockbox-ios/issues/486](https://github.com/mozilla-lockbox/lockbox-ios/issues/486) :)

~~~
devinreams
Yes, thank you! Moving too fast today. :)

------
jeena
I wonder if it also works with the self hosted firefox sync server or if they
forgot to add a UI to change the URL to the sync server.

------
bonsai80
Are Firefox passwords encrypted on the client? I currently use (and pay for)
Bitwarden and I like that the code is open and my data is encrypted on the
client and only synced with the server. I'd like a similar service from
Mozilla, but don't know how the encryption is handled.

~~~
sciurus
Yes, they are encrypted on the client.

[https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...](https://blog.mozilla.org/services/2014/04/30/firefox-syncs-new-security-model/)

[https://github.com/mozilla/fxa-auth-server/wiki/onepw-protoc...](https://github.com/mozilla/fxa-auth-server/wiki/onepw-protocol)

------
zokier
One of the ideas I had once was to build a client for Firefox Sync, either as
a plugin for Keepass or as a native standalone application (that could
possibly sync with Keepass database). While this does not exactly match such
use, it kinda still is a step towards that direction.

------
bryanrasmussen
I am considering this but worry that mozilla has a history of shutting down
initiatives and products.

~~~
bscphil
A history of shutting down site-identity related products, no less. [1] The
fact that it's not on Android as of day one looks pretty bad too; the sort of
developers who think iOS obviously comes first are (in my experience) likely
to be chasing hype and their apps are dead in a year (or at least still not on
Android). I don't know if that's the case here, but I have no interest in
using this until it's been adopted by Mozilla as more than an experiment and
has several years of strong support.

[1] [https://developer.mozilla.org/en-US/docs/Archive/Mozilla/Per...](https://developer.mozilla.org/en-US/docs/Archive/Mozilla/Persona)

(I admit I'm biased here but I'm still bitter about them nixing Persona.)

------
CodeXs
I was under the impression that the password manager for Firefox had some
security issues.

~~~
sametmax
Yes, that's why it's not using it. It's only importing from it.

Firefox password manager is also getting a revamping, which probably is a
sister project to this one.

~~~
CodeXs
Thanks for the thoughtful reply

------
hartator
I wonder if the passwords are encrypted from end-to-end.

I am not very comfortable having my passwords in plaintext, even on Mozilla
servers.

~~~
driminicus
I haven't looked in to it, as I'm not an ios user, but Mozilla would be very
stupid if this isn't end to end encrypted. And as far as I know Mozilla
typically isn't stupid.

~~~
hartator
`will sync to the app using 256-bit encryption` is not very reassuring. It
seems to be regular SSL without a master key.

------
known
It's easy if Firefox directly activates Sync instead of sending a Confirmation
link to registered email a/c

------
ddoolin
For me, 1Password has taken care of this space for years, so I'm curious how
this will compare.

~~~
trash_panda
It could be shipped by default with Firefox, facilitating user adoption. Also,
free.

------
have_faith
Is this a Firefox password manager or a general password manager with
integration with Firefox? Should I expect to be able to replace 1Password with
it for instance. If I can't then I have no motivation to have two password
managers.

Unrelated, does this page implement its own custom scrolling? I get some
weird rendering bugs when scrolling too, very stuttery.

~~~
GranPC
It's a way to access your data stored in Firefox's internal password manager.

------
_verandaguy
Does this have any advantages over an out-of-band system like KeePass/2/X/CX?

~~~
sametmax
Sync, integration, simpler UI, portability and better ergonomics.

I use both lastpass and keepass, but keepass is really disliked by the non
geeks around me.

------
nkkollaw
Why not integrate it with the mobile browser like Chrome does on Android?

Am I missing something?

~~~
firefox-lockbox
Firefox on iOS provides an integrated experience for logins and filling those
logins into browser forms automatically.

The team is currently working on autofill from Lockbox into other apps:
[https://github.com/mozilla-lockbox/lockbox-ios/issues/486](https://github.com/mozilla-lockbox/lockbox-ios/issues/486).
This will only be available in iOS12 when that ships.

Are there other kinds of integration you see as valuable?

------
vl-y
I'd like them to go with TypeScript rather than just pure JavaScript.

------
mimsee
The iOS app seems to be region-locked to U.S. only App Store.

~~~
devinreams
Only for now. This is just the beginning of an experimental product and we're
hoping to bring it far and wide later.

Other than "every", what language or regions would you want/expect/need first?

~~~
jorams
Honestly, the region shouldn't matter. If you want you could add a little
notice that it's English-only for now, but there's absolutely no reason to
limit this to a particular country. It's a totally free service and it doesn't
involve complicated region-specific licensing agreements, so where someone
lives quite simply does not matter.

------
test6554
Is the firefox lockbox for hot stocks?

------
jonny_eh
A chrome extension would be great!

~~~
devinreams
We hear ya and we're thinking about it. But, it would be a while before we
started to build one. An Android app is up next on our list...

------
wemdyjreichert
Insert Al Gore joke here

