
Lockbox – A stand-alone password manager that works with Firefox for desktop - doppp
https://mozilla-lockbox.github.io/
======
cajdavidson
I've recently moved from LastPass to using Pass[0] & BrowserPass[1], which is
just as convenient and allows me to manage the storing of passwords myself. All
files are PGP encrypted. Storing my passwords in my self-hosted Git allows them
to be checked out onto my tablet and phone for convenience as well.

[0] [https://www.passwordstore.org/](https://www.passwordstore.org/)

[1] [https://github.com/dannyvankooten/browserpass](https://github.com/dannyvankooten/browserpass)

~~~
freedomben
Did you move away from Lastpass for any reasons other than self-
storage/management of passwords?

Anecdotally it seems like a lot of people are losing trust in Lastpass. Just
curious if this describes you as well.

~~~
craftyguy
not gp, but I did the same thing a few years back (well,
lastpass->keepass->pass/git) primarily because I was sick of using a
proprietary walled garden.

The main benefit of pass, for me, is that it's literally just gpg-encrypted
text files. I can access my passwords even if I do not have pass installed, as
long as I have my gpg private key. Using git to sync passwords makes it even
better!

The android Password Store app (on f-droid) is a great graphical interface to
my pass files, including handling git syncs.

~~~
0xfeba
Why did you move from keepass?

~~~
craftyguy
Two reasons:

1) I didn't like that its approach seemed overly complicated (e.g. its
database format, client apps, etc)

2) I was having a really hard time synchronizing passwords, especially if
there was a sync conflict. When they happened, the entire database was a
'conflict'. There were also issues I had with the actual sync mechanism, which
at the time I had the database on a seafile instance and had to enable various
'hacks' in keepass to get it to play nicely (e.g. file locking, etc).

------
lawl
This site doesn't answer the question 'why'.

KeePass usage seems pretty widespread. Okay, KeePass doesn't integrate too well
into browsers. But then why not just fix KeePass?

There have been way too many products pushed out, failed utterly, and been
abandoned by Mozilla in the last few years. Why should I care about this one,
if it doesn't even tell me what it wants to do better than other products?

The text on the website reads like this is simply a POC for a new built-in
password manager in Firefox, is that correct? But then why standalone?

~~~
mastax
1. Browsers are expected to have password management of some sort. Firefox's
existing one is rather inadequate from a UX and security standpoint, as
recently discussed.

2. Browsers need to be trusted and secure. If you use Firefox, you are
trusting Mozilla et al. to have the policies, procedures, motivations, and
expertise to create secure software that protects your privacy. If you can
trust them to make your browser, you can trust them to make your password
manager.

I do hope that Mozilla answers these questions directly when/before this moves
out of beta.

~~~
josteink
> Browsers are expected to have password management of some sort. Firefox's
> existing one is rather inadequate from a UX and security standpoint, as
> recently discussed.

I'd like to see this discussion.

For me, I find Firefox's password manager the _only_ one I can bother using,
because it offers a good and seamless UX, right where I need it.

If they "fix" that by making it terrible like Lastpass, I honestly don't know
what I'll do.

~~~
akquise
> I'd like to see this discussion.

Concerning the "security standpoint", probably this news [0] is meant. Hashing
the password with SHA-1 using 1 iteration may be referred to as "inadequate".

[0] [https://www.bleepingcomputer.com/news/security/firefox-maste...](https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/)

~~~
mintplant
Maybe if the hash were actually being stored, as in a website's accounts
database, but SHA-1 is being used here to normalize a variable-length user-
supplied password into a fixed-length string which can be used as the key
input to an encryption function.

The article approaches this from an angle of an attacker with access to this
hash bruteforcing it to obtain the original plaintext password. But as the
hash is the encryption key, if an attacker were able to recover it from the
encrypted password store blob, it would already be game over.

Applying a more costly hash algorithm would increase the cost of generating
guessed encryption keys in a bruteforcing scenario, strengthening weak
passwords somewhat. But using a single SHA-1 iteration here doesn't _weaken_
the password security model. A strong password will remain strong.
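An added worked example of the distinction drawn in the comment above (toy code written for this page, not Firefox's own key-derivation code or anything from Lockbox). It derives a key from a master password two ways, a single SHA-1 over salt||password versus PBKDF2-HMAC-SHA1 with many iterations, seals a vault under each, and then plays the offline attacker who holds the blob and guesses from a wordlist. The salt, wordlist, secret and passwords are constructed; the HMAC-counter stream cipher stands in for the vault's real cipher; the per-guess "hash ops" are a nominal work-factor count, not a timing.

```python
import hashlib
import hmac

# Constructed inputs for this example (not from any real vault).
SALT = b"example-salt-not-secret"   # assumption: a per-vault salt stored in the clear
PBKDF2_ITERATIONS = 50_000          # assumption: a typical slow-KDF work factor


def kdf_sha1_once(password: str, salt: bytes) -> bytes:
    """The scheme discussed above: one SHA-1 over salt||password yields a 20-byte key.
    Cost per guess: one hash operation."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def kdf_pbkdf2(password: str, salt: bytes) -> bytes:
    """A costly alternative: PBKDF2-HMAC-SHA1 producing the same 20-byte key shape.
    Cost per guess: PBKDF2_ITERATIONS hash operations."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=20)


def _keystream_xor(key: bytes, data: bytes) -> bytes:
    """Toy stream cipher: HMAC-SHA256 in counter mode, standing in for the vault's
    real cipher. Only here so the example is self-contained; XOR makes it symmetric."""
    out = bytearray()
    for counter, offset in enumerate(range(0, len(data), 32)):
        block = hmac.new(key, counter.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[offset:offset + 32], block))
    return bytes(out)


def seal(password: str, secret: bytes, kdf) -> bytes:
    """Encrypt `secret` under a password-derived key and append an HMAC tag.
    (Toy design: one key for both jobs; a real vault derives separate keys.)"""
    key = kdf(password, SALT)
    ct = _keystream_xor(key, secret)
    tag = hmac.new(key, ct, hashlib.sha256).digest()
    return ct + tag


def open_vault(password: str, blob: bytes, kdf):
    """Return the plaintext if `password` derives the right key, else None."""
    key = kdf(password, SALT)
    ct, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, ct, hashlib.sha256).digest(), tag):
        return None
    return _keystream_xor(key, ct)


def brute_force(blob: bytes, wordlist, kdf, hash_ops_per_guess: int):
    """Offline attacker who holds the blob: derive a key per candidate and test it.
    Returns (recovered password or None, nominal hash operations spent)."""
    ops = 0
    for candidate in wordlist:
        ops += hash_ops_per_guess
        if open_vault(candidate, blob, kdf) is not None:
            return candidate, ops
    return None, ops


def compare_kdfs():
    """Attack a weak and a strong master password under both derivations."""
    wordlist = ["123456", "password", "letmein", "hunter2", "qwerty"]  # constructed
    secret = b"example.test / alice / s3cret-site-password"            # constructed
    weak, strong = "hunter2", "Nq7!v&Lz0pXe#W2r"  # the strong one is not in the wordlist
    schemes = [("sha1x1", kdf_sha1_once, 1), ("pbkdf2", kdf_pbkdf2, PBKDF2_ITERATIONS)]
    results = {}
    for name, kdf, ops in schemes:
        for label, pw in (("weak", weak), ("strong", strong)):
            blob = seal(pw, secret, kdf)
            assert open_vault(pw, blob, kdf) == secret  # the legitimate user still gets in
            results[f"{name}/{label}"] = brute_force(blob, wordlist, kdf, ops)
    return results


if __name__ == "__main__":
    for scheme, (recovered, ops) in compare_kdfs().items():
        print(f"{scheme:14s} recovered={recovered!r:20} hash_ops={ops:,}")
```

The weak password falls to the wordlist under both derivations; the slow KDF only multiplies the attacker's work per guess by the iteration count. The strong password survives both, which is the point about the model being unchanged: a single SHA-1 iteration makes weak master passwords cheaper to guess, but does not turn a strong one into a weak one.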

------
ealhad
I use KeePassXC [1] with Syncthing [2] to synchronize my passwords between
machines.

[1] : [https://keepassxc.org/](https://keepassxc.org/)

[2] : [https://syncthing.net/](https://syncthing.net/)

~~~
maccard
I use a similar combo (KeePassX + KeePass Touch with Dropbox to sync), and
frankly it’s a pain. There is no support at all in KeePassX for Dropbox or
other sync methods, and they’re not interested in providing it either, stating
that a few triggers to auto-synchronise is a viable solution.

Until an open source project takes multi device seriously, they don’t get
mainstream adoption.

~~~
slavik81
I don't understand what "Dropbox support" is. Dropbox will sync any file.

~~~
jhasse
I'd guess merge support in case of conflict and web GUI access.

~~~
maccard
No, KeePass’s recommended approach is a total PITA to set up, and completely
non-intuitive [0].

[0] [https://keepass.info/help/kb/trigger_examples.html#dbsync](https://keepass.info/help/kb/trigger_examples.html#dbsync)

------
binaryanomaly
Very pleasant and refreshing to see some activity on the OSS front here. I
believe Mozilla would have the resources to bring this to a success. Although
naivety aside - I think it'll take years to only slightly catch up with the
comfort and usability 1Password already provides. While it's not OSS it is
still the benchmark to beat in terms of usability and integration.

Good luck Mozilla!

~~~
bhhaskin
Pass[0] is pretty great. GPG encrypted and synced with Git. There is a great
cross-browser extension called browserpass[1]. I have mine tied to my YubiKey,
so it needs a physical device to decrypt my passwords.

[0] [https://www.passwordstore.org/](https://www.passwordstore.org/)

[1] [https://github.com/dannyvankooten/browserpass#readme](https://github.com/dannyvankooten/browserpass#readme)

~~~
fatbob
Doesn't saving each password to its own individual file make it more
breakable than saving everything together in one file? I presume they're all
using the same secret at some level. There's no FAQ on their site.

------
alexghr
Installed it from the website, logged-in with my Firefox account and got
redirected to allizom.org ("Mozilla" spelled backwards!) which has an
untrusted certificate. Not a great first experience :(

~~~
cpeterso
What Firefox version are you running? This sounds like Firefox bug 1411646,
which should have been fixed in Firefox 58:

[https://bugzilla.mozilla.org/show_bug.cgi?id=1411646](https://bugzilla.mozilla.org/show_bug.cgi?id=1411646)

~~~
alexghr
I'm on 59.0.1 (64-bit) for Ubuntu Artful (from the official repos). This is
quite an odd bug, thanks for the link (and the link from the sibling comment).
I'll keep an eye on the bug reports :)

------
tmd83
I saw this a couple of days ago with the Mozilla roadmap. But I have been
wondering about a few things.

1. Why Firefox only?

2. Why is encryption limited to a Firefox account?

Such lock-in with firefox doesn't make sense to me with Mozilla's vision. If
it's due to this being an experiment still that would make sense but that
should be made clear I think.

~~~
zaarn
On the website it's explicitly stated to be a test without disturbing people
using "Saved Logins". I suspect Lockbox will replace those in the future...

~~~
tmd83
Hmm, I read that. And I was wondering if that meant they'd open it up in the
future.

Now I'm wondering if this is essentially doing the coding outside the core
Firefox project with a later plan to just integrate it fully into the browser.
Almost like an experimental-build kind of workflow. I guess that kinda makes
sense.

------
floatingatoll
Please take note of the “experimental” label on this open source repository,
which is posted to HN every few weeks. Previously:

[https://news.ycombinator.com/item?id=15992762](https://news.ycombinator.com/item?id=15992762)
[https://news.ycombinator.com/item?id=15997239](https://news.ycombinator.com/item?id=15997239)
[https://news.ycombinator.com/item?id=15832879](https://news.ycombinator.com/item?id=15832879)
[https://news.ycombinator.com/item?id=15596740](https://news.ycombinator.com/item?id=15596740)

------
pmulv
I didn't know what Mozilla Lockbox was, but I found this[0] which might help
others.

[0] [https://mozilla-lockbox.github.io/lockbox-extension/](https://mozilla-lockbox.github.io/lockbox-extension/)

------
raimue
This looks interesting to finally replace the outdated Firefox password
manager. It is especially important as it was recently shown that the
protection by the "master password" does not meet modern security standards.

But what exactly is "stand-alone" supposed to mean in this context? At the
moment it is distributed as a Firefox extension that replaces the Firefox
password manager. This seems like the opposite of "stand-alone" to me, as you
cannot use it without Firefox.

------
conradev
> The Lockbox extension is a simple, stand-alone password manager that works
> with Firefox for desktop

So it's stand-alone, but I need Firefox to use it?

~~~
333c
I think they mean that it isn't baked into Firefox. But I agree that that's a
weird choice of wording.

------
Flimm
Does this offer any password-sharing features? Can you share some passwords
with other Mozilla/Firefox accounts?

~~~
cpeterso
Not yet. Lockbox's stored passwords will be integrated with Firefox Accounts
sync before it is released.

------
fwdpropaganda
Remember kids, don't trust anyone with your passwords, not even Mozilla.

That said, I enjoyed having a look at Mozilla's internal project management
tool for this extension, [https://waffle.io/mozilla-lockbox/lockbox-extension](https://waffle.io/mozilla-lockbox/lockbox-extension)

I wish I could have the same kind of look into other companies' projects.

~~~
blowski
“Don’t trust anyone” is a bit strong, and probably counterproductive. Be
careful whom you trust is better.

~~~
ealhad
Doesn’t client-side encryption effectively suppress the need to trust a third-
party?

Edit : I wasn't referring to this specific case, where encryption is done with
the code sent by a server.

~~~
bonyt
You've still got to trust the software doing the encryption, and the other
software on your machine that might be able to interact with the software
doing the encryption (e.g., browser and other browser add-ons, particularly
when using a browser-based client side encryption scheme).

~~~
Xylakant
In this case, the software is open source, so the software can be evaluated.

~~~
zeveb
> In this case, the software is open source, so the software can be evaluated.

You enter your password on a page Mozilla serves[0]; they can change the source
of that page at any time, and for a single user. They could, for example, send
your password in the clear back to their servers if they wished.

0: [https://www.mozilla.org/en-US/firefox/accounts/](https://www.mozilla.org/en-US/firefox/accounts/)

~~~
Xylakant
All of this seems to be very alpha, but it's described as a standalone
password manager and, as far as I skimmed the docs, the Firefox account doesn't
necessarily seem to be a requirement. It might be something the extension
requires, though.

~~~
zeveb
Ah, good point — I was thinking of the issues with Firefox Sync.

------
KirinDave
So... Did this initiative appear because it came out that Firefox was using an
ancient and astoundingly insecure practice for its prior password storage
product?

Given Firefox was only 2 years ago so insecure it wasn't even a valid target
for most browser pwn competitions, and just in this year we find out important
code is still held over from those days, I'm not sure why anyone should trust
Firefox.

~~~
cpeterso
This is not a brand new project. The first Lockbox alpha release was back in
September 2017:

[https://github.com/mozilla-lockbox/lockbox-extension/release...](https://github.com/mozilla-lockbox/lockbox-extension/releases?after=0.1.1-alpha1)

------
toyg
Seems a bit late to get in the password-manager business, where you have
plenty of incumbents (1Password, LastPass, Bitwarden, KeePass...) offering a
plethora of features. The Mozilla audience likely overlaps most of the target
demographic for such products already, and persuading people to switch will be
very hard.

It could make sense if Mozilla were to develop a standard interface for all
password managers, so I could swap implementations under the hood without
having to deal with their (occasionally half-baked) extensions.

But I guess this is just a Big Rewrite of the venerable utility we've been
using since the dawn of Moz.

~~~
Xylakant
I'm in the market for this. There are few usable password managers that
reliably work on Linux, Windows and macOS equally well. I'm currently
moderately happy with pass, but the colleagues I need to share passwords with
are not CLI fans like I am. 1Password doesn't support Linux except in the
web-based versions and I don't want that. Every time I need to touch KeePass
I'd like to burn it. Haven't tried Bitwarden yet.

I'd love an open-source password manager with a modern UI and local storage.

~~~
rmurri
Try Enpass. Easy to use, good sync, cross-platform (including Linux).

[https://www.enpass.io/](https://www.enpass.io/)

~~~
namitutonka
Enpass looks wonderful. LastPass used to export .csv, but now it only
exports .html. Enpass imports only the older LastPass .csv format. I may
have to manually enter 280 websites and 100 lines of secure notes. :( .... I
will if I have to.

~~~
namitutonka
This is my 3rd year of LastPass, with auto-renewal in July at $24/yr., after
$12/yr. for the last 2 years. Twice as much for something that still works
stellarly. Mmmm..., might still be worth it. In the meantime I'd like to try
out Enpass as an alternative. If it works as well as LP, I might as well save
$15/yr. with Enpass, seeing as I'll purchase an Android Enpass app for
$9.99/yr.

