
Firefox Lockbox – Take your passwords everywhere - sahin-boydas
https://lockbox.firefox.com/
======
notatoad
Am I missing something, or is this landing page really nothing more than a
screenshot and an app button? I know minimal pages are trendy, but that seems
like taking it a bit too far.

~~~
jolmg
There are small, gray links at the bottom to a FAQs page and a GitHub account
with the corresponding code.

~~~
cbhl
It's not at all clear that FAQ link is tied to Lockbox; I usually associate
small gray links at the bottom to be domain-wide boilerplate (privacy
policies, getting a phone number to call support, etc).

I would have expected visiting from desktop web to tell me what the desktop
counterpart to this mobile app is (probably either a call-to-action to install
Firefox to use with this companion app, or a call-to-action to create a
Firefox Sync account to store my passwords). I'm not going to type my hundreds
of passwords from scratch using my iPhone keyboard; I'm going to want to
import them from LastPass / Firefox / Chrome / Safari / Edge / 1Password /
Bitwarden.

------
bastawhiz
I think this is wonderful, but I have two concerns.

First, if there isn't a Chrome plugin, it's not going to be of much use to me.
I still use Chrome on my laptop (for a multitude of reasons) and if Lockbox
doesn't interoperate with it, it's not a useful tool.

Second, I worry about the longevity of the project. Other than Firefox,
Mozilla is not known for their long-term support of consumer products.
Persona? Firefox OS? Thunderbird? I don't want to switch to a product that's
only going to be retired in a year.

~~~
saagarjha
Firefox makes a desktop browser, though. Why should they provide a Chrome
extension?

~~~
bastawhiz
Because I could just as easily use a competing product that _does_ work with
Chrome. An all-or-nothing mentality with (free consumer) software isn't a
great way to acquire new users. Switching my primary browser to use a password
manager that I like is a ridiculous decision.

~~~
fgonzag
This is a password manager for people who already have their passwords on
Firefox... so I don't really think you're the target market here.

It basically allows you to use your FF passwords in your local apps

------
chuckgreenman
I like this move into more consumer type applications from Mozilla. I'd be
interested to see some of their newer stuff moving to a subscription model
that supports Mozilla, I know you can make recurring donations but it seems
like people are more interested in buying a product that supports the
organization making it.

------
StevePerkins
Awfully buggy.

Just installed on Android. After syncing to my account it shows "no entries
found", even though I have hundreds of saved logins in my Mozilla account.

Tried disconnecting my account in order to re-add it again, and can't find a
way to do the latter. It just keeps showing the "Disconnect Firefox Lockbox"
button, even though it (presumably) is already disconnected.

Will check back in a couple of months to see if it's more fully-baked. But
right now this feels pretty pre-alpha.

~~~
firefox-lockbox
This is great feedback. We are currently working on improvements on this
specific finding. We'll continue to provide updates to make Firefox Lockbox a
better experience. Thanks for trying and testing the app.

~~~
ktm5j
Can I make the suggestion of implementing folders or categories of some kind?
That's a big feature that I care about that seems to be missing. And having
the ability to create/edit entries from the phone app would be great

Regardless of those issues I think the app looks great! Thanks for your
efforts

------
emerongi
It's nice to see clear information on the metrics collected:
[https://github.com/mozilla-lockbox/lockbox-android/blob/mast...](https://github.com/mozilla-lockbox/lockbox-android/blob/master/docs/metrics.md)

As long as it's clearly and openly communicated what telemetry is collected,
I'm fine with an app collecting whatever information they want: I get to make
the decision on whether I give up that information by (not) installing the
app.

~~~
saagarjha
Is it opt-in?

~~~
15characterslon
Seems to be opt-out, at least it was enabled for me by default on Android. :/

------
StavrosK
This is very nice, especially since I use Firefox as my second password
manager (I enabled "save passwords" because it's so handy). All it needs is
better management and the ability to store more data in the DB, and I'm sold!
OATH would be nice too.

------
ripdog
Does this have a value proposition over a standalone manager like Bitwarden?
Saying this as an avowed Firefox user and fan.

I long ago abandoned browser password managers due to awful security practices
like storing passwords in plaintext in my browser profile. Bitwarden is full
of features and works everywhere, too.

~~~
zamalek
It's Mozilla, so they _should_ be more trustworthy with your data.

That being said, I agree with your critique. I am a 1Password customer and
enjoy the fact that there are two passwords for my account (rendering
keyloggers worthless).

------
philips
What is the state of the art for building privacy conscious backends for
applications like this? I really haven't seen a great platform that provides
well documented and reasonably designed general purpose APIs for handling both
encryption, sync, versioning, and conflict resolution.

Textile: [https://github.com/textileio/go-textile](https://github.com/textileio/go-textile)
Based on IPFS so seems like
your entire privacy rests in crypto

Bitwarden:
[https://github.com/bitwarden/server/blob/master/README.md](https://github.com/bitwarden/server/blob/master/README.md)
App works well but it doesn't seem like there is interest in making this
general purpose, maybe because of the software stack choice?

Standard files: [https://standardfile.org/](https://standardfile.org/)
Standard notes clobbers data if two devices make offline edits :(

~~~
mintplant
> What is the state of the art for building privacy conscious backends for
> applications like this?

This has actually become a core competency of Mozilla thanks to the
infrastructure laid out for Firefox, which I think will be leveraged in their
product strategy going forward.

~~~
philips
Do you know where the code and design docs are for the backends? The wiki has
so many out of date pointers.

------
philips
There is also a Notes app.
[https://blog.mozilla.org/blog/2018/07/10/introducing-firefox...](https://blog.mozilla.org/blog/2018/07/10/introducing-firefoxs-first-mobile-test-pilot-experiments-lockbox-and-notes/)

------
solarkraft
Neat, how does it compare to Bitwarden? Is it decoupled enough from the
browser itself?

------
wyxuan
I think it is great that Firefox is branching out of just browsers, and making
its own ecosystem of products. However, it doesn't seem that necessary. The
existing field is already pretty good imo.

~~~
nathan_long
I think password management is a good fit for Mozilla. I perceive Mozilla to
be trustworthy and competent, and the code for this is open source:
[https://github.com/mozilla-lockbox](https://github.com/mozilla-lockbox)

They also generally do a good job with UI, which is not true of all open
source solutions. This may not be crucial for devs, but it's crucial if we
want to share passwords with the non-devs in our lives.

------
newscracker
I’ve waited quite some time for this to be released on Android so that it can
be recommended to others. This is great news!

But there are a few more features that are necessary to make this truly
standalone (these comments are based on the iOS version):

- ability to create a Firefox sync account from this app.

- ability to add entries in this app and manage them.

- ability to import credentials from other applications (like 1Password,
BitWarden, Lastpass, etc.).

~~~
kamarg
Please let me import from another password manager! There's just too much
friction involved in switching if I have to manually import all my existing
passwords. And if I can't import them, then I have to keep my old password
manager around until I'm sure that I've imported all my old logins by visiting
all the sites in case the reset password email is linked to an address I no
longer have access to. If I have to do that, there's no point in me switching
because I'll never actually be sure I've got all the logins moved over.

------
azdle
If there's anyone here who is working on this: Is anyone working on making
this available through F-Droid?

------
pornel
Works well on iOS. Integrates as a system-wide auto-fill option, so it works
even in native apps.

Real Firefox is forbidden from being in the Apple AppStore, and only AppStore
apps are allowed to sync with the iCloud keychain, so this is the next best
alternative permissible in Apple's garden.

~~~
alimbada
Firefox is also in the App Store, albeit "real" is a subjective term here
since it's forced to use WebKit/WebView (as are all browsers on iOS) if that
is what you were alluding to.

------
SubiculumCode
The problem with Firefox Sync is that my search history and bookmarks are
synced... which is non-optimal when jumping between work and home computers. I
use LastPass to sync my passwords... but would consider alternatives... LastPass
performance has degraded lately.

~~~
CtrlAltT5wpm
I'm in the same boat you are. I'm considering alternatives to Lastpass, mostly
because the client has gotten worse over the past few years (since they were
picked up by LogMeIn). I don't mind price hikes, but I don't feel as if I've
gotten a commensurate increase in the utility or smoothness of the application
(though I've certainly noticed an uptick in bugs).

My big thing is the integration of the Yubikey, which is almost mandatory.
Bitwarden has this, but their recent security assessment had a showstopper, as
far as I'm concerned:

'BWN-01-010 – Changing the master password does not change encryption keys'

[https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assess...](https://cdn.bitwarden.net/misc/Bitwarden%20Security%20Assessment%20Report.pdf)

If Bitwarden gets that fixed, I'd jump ship instantly. Otherwise, I may play
with Firefox Lockbox and see where that gets me.

~~~
xxkylexx
> Resolution

> An option to rotate the encryption key and mac key has been added to the
> change password operation. Rotating the keys will generate new, random key
> values and re-encrypt all vault data with these new keys.

~~~
CtrlAltT5wpm
Thanks for that. Some of the news sites I had been reading had neglected to
mention this (and to be fair, I neglected to catch it), and I could swear
some had reported that Bitwarden had claimed that this was a difficult issue
to solve, and would likely not be implementing it in the near future.
Information overload, I guess.

------
ksynwa
I use Pass[0] with GnuPG and a private git repository for storing encrypted
passwords. There is an Android client for it on F-Droid. It is a bit of work
to bootstrap it but I like it a lot.

[0]: [https://www.passwordstore.org/](https://www.passwordstore.org/)

------
scotu
How does the sync/conflict resolution work? (I'm aware it's Firefox's
long-standing "sync" product.) Are there some docs?

I've been burned by Dropbox-synced KeePass password management before...

~~~
pornel
It uses the same account as Firefox's Sync, and the sync feature has been
reliable for me.

------
15characterslon
It would be nice if it would support custom sync servers. I'm using a custom
sync server with Firefox and therefore Lockbox does not show any of my
passwords after login.

------
zymhan
I love having a better front end for my Firefox passwords.

------
antback
Feature request: It would be nice to allow adding entries by hand. There are
sites that avoid at all costs letting browsers remember passwords.

------
AJRF
I'm on the Android Q beta and trying to open the sign-in link Lockbox sends
you causes Firefox to crash over and over, it looks like.

~~~
Sebguer
A lot of things are broken in the Android Q beta, to be fair.

------
netforay
Wonderful, have been waiting for this for a long time. At one point I thought
of developing it myself.

But 43mb for password sync app?? Is it not too much?

~~~
xnyan
Not an explanation or saying it's right or wrong, just a comment - anything
under 100mb (on my personal computer or smartphone) to me is small enough as
to be statistically insignificant in my mental model. I saw 43mb and thought
it was kind of slim.

Born in '88 for context, the smallest primary storage device I can remember
using was a 20mb HDD on a hand-me-down 486 I got one birthday.

------
lousken
Any advantages compared to Keepass2Android?

------
OJFord
This is great, I use `about:logins` on Android FF when I need this; I'll
gladly use this instead.

------
amelius
Doesn't Firefox "Sync" (a standard feature) already solve this more or less?

~~~
callahad
Lockbox is effectively a client for Sync which is decoupled from Firefox
itself.

This means, for example, even if you browse with Chrome on Android, you can
still access and auto-fill all of the passwords you have saved in your desktop
Firefox.

------
giancarlostoro
So what's different from Firefox Sync which already just works for centuries
now?

~~~
Tomte
You don't need Firefox. It's a stand-alone app.

~~~
giancarlostoro
Apparently you still need a Firefox account though. I can appreciate it being
stand alone I guess. It is a little too late for me now that I have Bitwarden
though.

------
rmist
Requires Android 7.0 and up :(

