Firefox Lockbox – Take your passwords everywhere (firefox.com)
189 points by sahin on March 26, 2019 | hide | past | favorite | 76 comments

Am I missing something, or is this landing page really nothing more than a screenshot and an app button? I know minimal pages are trendy, but that seems like taking it a bit too far.

https://blog.mozilla.org/blog/2019/03/26/firefox-lockbox-now... showed up on HN today, which may provide some context (or not).

There are small, gray links at the bottom to a FAQs page and a GitHub account with the corresponding code.

It's not at all clear that FAQ link is tied to Lockbox; I usually associate small gray links at the bottom to be domain-wide boilerplate (privacy policies, getting a phone number to call support, etc).

I would have expected visiting from desktop web to tell me what the desktop counterpart to this mobile app is (probably either a call-to-action to install Firefox to use with this companion app, or a call-to-action to create a Firefox Sync account to store my passwords). I'm not going to type my hundreds of passwords from scratch using my iPhone keyboard; I'm going to want to import them from LastPass / Firefox / Chrome / Safari / Edge / 1Password / Bitwarden.

I think this is wonderful, but I have two concerns.

First, if there isn't a Chrome plugin, it's not going to be of much use to me. I still use Chrome on my laptop (for a multitude of reasons) and if Lockbox doesn't interoperate with it, it's not a useful tool.

Second, I worry about the longevity of the project. Other than Firefox, Mozilla is not known for their long-term support of consumer products. Persona? Firefox OS? Thunderbird? I don't want to switch to a product that's only going to be retired in a year.

Hi, Lockbox desktop dev here. Some thoughts:

> if there isn't a Chrome plugin, it's not going to be of much use to me

Working on it! We have to get the webextension working in Firefox first, then we'll branch out to other browsers. (Contributors welcome, btw: https://github.com/mozilla-lockbox/lockbox-addon)

> I still use Chrome on my laptop (for a multitude of reasons) and if Lockbox doesn't interoperate with it, it's not a useful tool.

Well, you can import Chrome passwords into Firefox pretty easily, and set up Firefox Sync, and then you've got all your (Chrome) desktop logins on mobile. Not ideal, but works.

> I don't want to switch to a product that's only going to be retired in a year

Sure, I definitely understand. I've personally worked on Persona, FxOS, Test Pilot, and Screenshots (and now Lockbox). IMO Mozilla has gotten steadily better at shipping new products, and once we get Lockbox integrated into desktop, it'll have really good chances of long-term survival.

Besides, any new startup might go away; at least with Mozilla products, you can be sure we aren't going to do anything sketchy with your data.

Finally, I'll point out that, if you try Lockbox, it'll give Mozilla's management good signals that they should keep investing in Lockbox :-)

Do you or someone else know if the Lockbox app will feature full password management (like add, delete, edit, generate strong random pw, folders etc) in the future or is it only meant to be a "password access" app?

Just seeing this now. Thanks for the response! Looking forward to the extensions.

Longevity shouldn't be too much of a concern: Lockbox is effectively a client for Firefox Sync, and Sync is a core Firefox product offering.

As for Chrome, since Lockbox is an explicit move to extend Firefox Sync's utility beyond just Firefox, I wouldn't at all be surprised to see a browser extension at some point in the future. However, I have no actual knowledge of the Lockbox team's roadmap. Just seems reasonable. :-)

Heck, all the APIs (and repos) are open, so someone sufficiently motivated could build that right now.

> Longevity shouldn't be too much of a concern: Lockbox is effectively a client for Firefox Sync, and Sync is a core Firefox product offering.

Yeah, but Google sunset a mail app last week so... You never know.

Now I wonder what Lockbox brings to the table, because my passwords are already shared between mobile and desktop through Sync?

edit: https://news.ycombinator.com/item?id=19492386

Ah, I see. Google Chrome gets access to it.

> what Lockbox brings to the table, because my passwords are already shared between mobile and desktop through Sync?

Lockbox makes those passwords accessible outside of Firefox. It implements Android's autofill API, so you can, for example, use it to log into native apps on Android. You can also use it to access your passwords when you're using other browsers, which is especially important with the rise of in-app browsers.

> > Longevity shouldn't be too much of a concern: Lockbox is effectively a client for Firefox Sync, and Sync is a core Firefox product offering.

> Yeah, but Google sunset a mail app last week so... You never know.

Yeah, but the mail app Google sunset wasn't a core product offering, so... You never know.

Firefox makes a desktop browser, though. Why should they provide a Chrome extension?

Because I could just as easily use a competing product that does work with Chrome. An all-or-nothing mentality with (free consumer) software isn't a great way to acquire new users. Switching my primary browser to use a password manager that I like is a ridiculous decision.

This is a password manager for people who already have their passwords on Firefox... so I don't really think you're the target market here.

It basically allows you to use your FF passwords in your local apps.

They make a mobile browser too so why make this app?

For iOS at least, you need an app to have first class password filling privileges. My understanding is Android is becoming more restrictive about this and is locking down APIs such that you do or will need a native app for password filling on that too.

Turning the question around, Firefox also makes mobile browsers, so why should they have created Lockbox at all?

There are many reasons to want to use different browsers:

* Your spouse prefers a different browser

* Firefox doesn't work as well on macOS as Windows/Linux

* You need to use multiple browsers for testing

* You currently use Firefox everywhere, but don't want to be locked into that decision.

The only reason I don't use Firefox Sync is because I don't want my password manager tied to a single browser. I would have pounced on this in a heartbeat if a Chrome plugin to Sync was available a year ago.

Because many people use multiple browsers for a variety of use cases.

Same reason Google provides their products for the iOS environment, same reason there's a desktop Outlook client for macOS, etc.

It depends where all your website passwords are. If they’re in Chrome, this app is not for you. The idea behind Lockbox is to make it easier to access (on mobile platforms) the passwords associated with your Firefox account.

Isn't that what you are looking for: https://github.com/mozilla-lockbox/lockbox-addon?

Don't forget "ability to add keyboard shortcuts and have them apply when your current tab is loading".

I like this move into more consumer-type applications from Mozilla. I'd be interested to see some of their newer stuff moving to a subscription model that supports Mozilla. I know you can make recurring donations, but it seems like people are more interested in buying a product that supports the organization making it.

Awfully buggy.

Just installed on Android. After syncing to my account it shows "no entries found", even though I have hundreds of saved logins in my Mozilla account.

Tried disconnecting my account in order to re-add it again, and can't find a way to do the latter. It just keeps showing the "Disconnect Firefox Lockbox" button, even though it (presumably) is already disconnected.

Will check back in a couple of months to see if it's more fully-baked. But right now this feels pretty pre-alpha.

This is great feedback. We are currently working on improvements on this specific finding. We'll continue to provide updates to make Firefox Lockbox a better experience. Thanks for trying and testing the app.

Can I make the suggestion of implementing folders or categories of some kind? That's a big feature that I care about that seems to be missing. And having the ability to create/edit entries from the phone app would be great.

Regardless of those issues, I think the app looks great! Thanks for your efforts.

It's nice to see clear information on the metrics collected: https://github.com/mozilla-lockbox/lockbox-android/blob/mast...

As long as it's clearly and openly communicated what telemetry is collected, I'm fine with an app collecting whatever information they want: I get to make the decision on whether I give up that information by (not) installing the app.

Is it opt-in?

Seems to be opt-out, at least it was enabled for me by default on Android. :/

There's an option to opt in, at least on the Android app in the settings.

This is very nice, especially since I use Firefox as my second password manager (I enabled "save passwords" because it's so handy). All it needs is better management and the ability to store more data in the DB, and I'm sold! OATH would be nice too.

Does this have a value proposition over a standalone manager like Bitwarden? Saying this as an avowed firefox user and fan.

I long ago abandoned browser password managers due to awful security practices like storing passwords in plaintext in my browser profile. Bitwarden is full of features and works everywhere, too.

It's Mozilla, so they should be more trustworthy with your data.

That being said, I agree with your critique. I am a 1Password customer and enjoy the fact that there are two passwords for my account (rendering keyloggers worthless).

What is the state of the art for building privacy conscious backends for applications like this? I really haven't seen a great platform that provides well documented and reasonably designed general purpose APIs for handling both encryption, sync, versioning, and conflict resolution.

Textile: https://github.com/textileio/go-textile. Based on IPFS, so it seems like your entire privacy rests in crypto.

Bitwarden: https://github.com/bitwarden/server/blob/master/README.md. The app works well, but it doesn't seem like there is interest in making this general purpose, maybe because of the software stack choice?

Standard File: https://standardfile.org/. Standard Notes clobbers data if two devices make offline edits. :(

There are several alternate implementations for the bitwarden server. Unless my plans change, eventually I plan on deploying this one: https://github.com/dani-garcia/bitwarden_rs

> What is the state of the art for building privacy conscious backends for applications like this?

This has actually become a core competency of Mozilla thanks to the infrastructure laid out for Firefox, which I think will be leveraged in their product strategy going forward.

Do you know where the code and design docs are for the backends? The wiki has so many out of date pointers.

Neat, how does it compare to Bitwarden? Is it decoupled enough from the browser itself?

I think it is great that Firefox is branching out of just browsers, and making its own ecosystem of products. However, it doesn't seem that necessary. The existing field is already pretty good imo.

I think password management is a good fit for Mozilla. I perceive Mozilla to be trustworthy and competent, and the code for this is open source: https://github.com/mozilla-lockbox

They also generally do a good job with UI, which is not true of all open source solutions. This may not be crucial for devs, but it's crucial if we want to share passwords with the non-devs in our lives.

The main ones I know of are all closed source. Some may not quite be (bitkeeper?), but as far as user-controlled pw management goes, I think the market is far from saturated.

I’ve waited quite some time for this to be released on Android so that it can be recommended to others. This is great news!

But there are a few more features that are necessary to make this truly standalone (these comments are based on the iOS version):

- ability to create a Firefox sync account from this app.

- ability to add entries in this app and manage them.

- ability to import credentials from other applications (like 1Password, BitWarden, Lastpass, etc.).

Please let me import from another password manager! There's just too much friction involved in switching if I have to manually import all my existing passwords. And if I can't import them, then I have to keep my old password manager around until I'm sure that I've imported all my old logins by visiting all the sites in case the reset password email is linked to an address I no longer have access to. If I have to do that, there's no point in me switching because I'll never actually be sure I've got all the logins moved over.

If there's anyone here who is working on this: Is anyone working on making this available through F-Droid?

Works well on iOS. Integrates as a system-wide auto-fill option, so it works even in native apps.

Real Firefox is forbidden from being in the Apple AppStore, and only AppStore apps are allowed to sync with the iCloud keychain, so this is the next best alternative permissible in Apple's garden.

Firefox is also in the App Store, albeit "real" is a subjective term here since it's forced to use WebKit/WebView (as are all browsers on iOS) if that is what you were alluding to.

The problem with Firefox Sync is that my search history and bookmarks are synced...which is non-optimal when jumping between work and home computers. I use LastPass to sync my passwords..but would consider alternatives...LastPass performance has degraded lately.

This is increasingly my problem with everything that offers syncing.

I left Chrome after Chrome 69's sign-in changes; however innocuous the intent, it unexpectedly left me with bookmarks syncing between work and home machines. Which was privacy-undermining, certainly, but more pressingly made finding anything a tremendous hassle.

Keeping multiple password suites segregated has become increasingly irritating also, particularly when I want access to both suites on one phone. The easiest answer so far has been to use different password management services for different sets, which is an absolutely silly way to choose a tool.

At this point, I'd take any trustworthy browser and password manager with strong tools for controlling where different pieces of information are synced.

I'm in the same boat you are. I'm considering alternatives to Lastpass, mostly because the client has gotten worse over the past few years (since they were picked up by LogMeIn). I don't mind price hikes, but I don't feel as if I've gotten a commensurate increase in the utility or smoothness of the application (though I've certainly noticed an uptick in bugs).

My big thing is the integration of the Yubikey, which is almost mandatory. Bitwarden has this, but their recent security assessment had a showstopper, as far as I'm concerned:

'BWN-01-010 – Changing the master password does not change encryption keys'

If Bitwarden gets that fixed, I'd jump ship instantly. Otherwise, I may play with Firefox Lockbox and see where that gets me.

> Resolution

> An option to rotate the encryption key and mac key has been added to the change password operation. Rotating the keys will generate new, random key values and re-encrypt all vault data with these new keys.

Thanks for that. Some of the news sites I had been reading had neglected to mention this (and to be fair, I neglected to catch it), and I could swear some had reported that Bitwarden had claimed that this was a difficult issue to solve, and would likely not be implementing it in the near future. Information overload, I guess.

You can choose what to sync.

Thanks! It lists logins as an option. Does this sync sessions or just credentials?

I use Pass[0] with GnuPG and a private git repository for storing encrypted passwords. There is an Android client for it on F-Droid. It is a bit of work to bootstrap it but I like it a lot.

[0]: https://www.passwordstore.org/

How does the sync/conflict resolution work? (I'm aware it's Firefox's long-standing "Sync" product.) Are there some docs?

I've been burned by Dropbox-synced KeePass password management before...

It uses the same account as Firefox's Sync, and the sync feature has been reliable for me.

It would be nice if it would support custom sync servers. I'm using a custom sync server with Firefox and therefore Lockbox does not show any of my passwords after login.

I love having a better front end for my Firefox passwords.

Feature request: It would be nice to allow adding entries by hand. There are sites that avoid at all costs letting browsers remember passwords.

I'm on the Android Q beta, and trying to open the sign-in link Lockbox sends you causes Firefox to crash over and over, it looks like.

A lot of things are broken in the Android Q beta, to be fair.

Wonderful, have been waiting for this for a long time. At one point I thought of developing it myself.

But 43 MB for a password sync app?? Is it not too much?

Not an explanation or saying it's right or wrong, just a comment: anything under 100 MB (on my personal computer or smartphone) to me is small enough as to be statistically insignificant in my mental model. I saw 43 MB and thought it was kind of slim.

Born in '88 for context; the smallest primary storage device I can remember using was a 20 MB HDD on a hand-me-down 486 I got one birthday.

Any advantages compared to Keepass2Android?

This is great, I use `about:logins` on Android FF when I need this; I'll gladly use this instead.

Doesn't Firefox "Sync" (a standard feature) already solve this more or less?

Lockbox is effectively a client for Sync which is decoupled from Firefox itself.

This means, for example, even if you browse with Chrome on Android, you can still access and auto-fill all of the passwords you have saved in your desktop Firefox.

So what's different from Firefox Sync, which has already just worked for centuries now?

You don't need Firefox. It's a stand-alone app.

Apparently you still need a Firefox account though. I can appreciate it being stand alone I guess. It is a little too late for me now that I have Bitwarden though.

Requires Android 7.0 and up :(
