Should I use a "proper" password manager instead of Firefox?

Submitted ⁨⁨1⁩ ⁨day⁩ ago⁩ by ⁨_j_@lemmy.wtf⁩ to ⁨[deleted]⁩

I store all of my passwords in firefox’s built-in password manager. They auto-fill into websites, sync to my phone, notify me if one appears publicly, and I can generate strong new passwords conveniently. The pw vault is stored encrypted in the cloud as far as I know, but I don’t really know the technical details. I presume that it’s just as secure as using a “proper” manager.

Is there a problem with not using a dedicated password manager? I used to use LastPass but then… I stopped. And at the time I didn’t see anything wrong with just sticking with FF.

Using Firefox is fine right? If so, what’s the benefit of something like BitWarden/etc over the built-in one?

source

Comments

Sort:hotnew top

Quacksalber@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
Your browser constantly runs 3rd party code and through its sheer complexity has a big attack surface. Password stealers regularly use flaws or social engineering to steal browser passwords. It is simply safer to use an application whose only function it is to store passwords securely.

source
- paranoid@lemmy.world ⁨1⁩ ⁨day⁩ ago
  This is the way. I use 1Password and love it.
  
  source
- Dave@lemmy.nz ⁨1⁩ ⁨day⁩ ago
  Does this extend to also not using browser extensions for password managers?
  
  source
  - Quacksalber@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
    Depends on the extension. If it auto-fills without interaction, it can be tricked into auto-filling credentials. Extensions like the one for KeePassXC only auto-fill after you clicked on the auto-fill icon.
    
    source
    -> View More Comments
  - renormalizer@feddit.org ⁨1⁩ ⁨day⁩ ago
    At least you’re limiting exposure with managers like KeePassXC. The manager runs in a separate process and communicates with the extension via a local connection. You have to approve every password given out by the manager. So a malicious actor can’t just ask for every password under the sun. They could still read the contents of the password field once the extension has filled it if they manage to circumvent the restrictions set by the browser. But that’s no different from when you enter the password manually.
    
    source
    -> View More Comments
uuj8za@piefed.social ⁨1⁩ ⁨day⁩ ago
One of the huge benefits of using a third party manager is that your data is more portable! If you wanna use Firefox today, cool. But what if you want to use Safari tomorrow? Or Chrome later? Don’t self vendor lock yourself. I see those built-in OS/browser password managers as traps to prevent you from leaving.

source
- sem@piefed.blahaj.zone ⁨1⁩ ⁨day⁩ ago
  They can export passwords
  
  source
  - uuj8za@piefed.social ⁨1⁩ ⁨day⁩ ago
    
    Exporting and importing passwords is a time-consuming, annoying process
    
    There’s no guarantee your exported data will be entirely (or partially) compatible with the destination app
    
    My migration from 1Password to Bitwarden was both of those things.
    
    Vendor lock in doesn’t mean it’s impossible to move. It means there’s a huge burden to move.
    
    source
ImgurRefugee114@reddthat.com ⁨1⁩ ⁨day⁩ ago
They’ve gotten a lot better. In the past, decrypting browser passwords was basically trivial. It still is by default: make sure you set a master password at a minimum. The consensus is that they’re as secure as a proper password manager, but almost everyone agrees that it’s better than nothing / not using one.

They’re still relatively low hanging fruit for infostealer malwares and are compromised at significantly higher rates than other managers. Local access is also a problem in most cases. Autofill features have been exploited a lot too, though that can also effect password manager plugins (less so when they require manual interaction). Not using plugins for other managers may also pose a risk, like by moving credentials in the world-readable clipboard instead of a secure link that a plugin would use.

You should probably use a standalone manager but it’s not the end of the world. Just do some simple best-practices: maybe omit your primary auth email and bank creds, use 2fa/opt (don’t store with your passwords) and keep recovery credentials safe and separate.

When it cones to security, you can be endlessly paranoid… Personally I have separate keepass vaults to limit damage by compartmentalized; they autolock after a short time and I keep OTP and recovery credentials in parallel vaults with different passwords never opened on the same machine. I’ve had my devices compromised many times in the past but besides temporarily losing access to an autologin minecraft account and a shared Netflix password, I’ve never lost my vaults or had anything in them compromised so I must be doing something right. The same couldn’t be said when I used a browser password manager 20+ years ago and got a family creditcard stolen by downloading a runescape dragon scimitar cursor…

People who use things like qubes OS can benefit by keeping their managers in separate isolated environments from their applications and passing cress between them. Some people also use dedicated & airgapped devices for credential management.

source
sbeak@sopuli.xyz ⁨1⁩ ⁨day⁩ ago
It’s better to use a separate password manager, since it’s an additional layer of security, as you must type in a master password or, if you configure it, use a hardware key/biometrics. Also, as others have said, you can use them in non-website logins too, so it’s more flexible!

Personally, I think Bitwarden is a pretty good option for most people. It’s cross-platform, and I think there is an option to self-host the server if you wish.

Another option, the one I use, is KeePass (XC on desktop, DX on Android, KeePassium on iOS), which stores passwords in a local database file, and you can use Syncthing to sync the contents of the database!

source
slazer2au@lemmy.world ⁨1⁩ ⁨day⁩ ago
Always better.

Malware/info stealers are far more likely to target browser profiles then the many password manager options.

source
cerebralhawks@lemmy.dbzer0.com ⁨1⁩ ⁨day⁩ ago
LastPass is shit now.

Firefox is fine if it’s all you use. I use the Apple Passwords app, because I have all Apple stuff (Macs and an iPhone). It works very well.

You can also use BitWarden. That’s free, it’s open source, and it’s highly regarded. It works whether you use iPhone or Android; whether your computer runs macOS, Linux, or Windows.

You don’t need to pay for a password manager. Anyone who says you do has a vested interest in you spending money (it typically directly relates to them making money), and if they can’t respect you enough to be transparent about it, they don’t deserve your money.

source
HubertManne@piefed.social ⁨1⁩ ⁨day⁩ ago
I know the brower managers were trump at one point. Not encrypted and such. bad practices. It might have gotten better but I never got used to using them.

source
BladeFederation@piefed.social ⁨1⁩ ⁨day⁩ ago
Yes. Running it in browser is far better than not using one at all. But third party is significantly safer, since your browser is trusted with a LOT already.

source
CallMeAl@piefed.zip ⁨1⁩ ⁨day⁩ ago
Its a benefit to use something external when a new browser comes out that you want to use instead of FF or if you need some passwords on a device that has no FF. Loosely coupled solutions generally have more flexibility.

source
krigo666@lemmy.world ⁨1⁩ ⁨day⁩ ago
You can try KeePassXC and there’s an extension for Firefox that allows you to fill in the password fields, it matches the site with the URL in the KeePassXC entry.

source
- _j_@lemmy.wtf ⁨1⁩ ⁨day⁩ ago
  well yes, as I said I’ve used browser extensions for dedicated managers before and I’m aware of KeePass. But my question is more about whether that’s better somehow than firefox. i.e. more secure/convenient/etc. I ask because in my armchair experience the built-in one is completely fine and idk what the advantage of a dedicated manager is over the built-in one.
  
  source
  - The_v@lemmy.world ⁨1⁩ ⁨day⁩ ago
    The question is two-fold. How secure do you want the password to be determines what system to use.
    
    For example:
    
    Banking - I never store a password or username for these. It’s always one I can remember. The password is lengthy, multi-factor authentification is turned on etc… I don’t trust any system.
    
    Finanial webpages other than banks, , taxes, healthcare, etc, stuff that would hurt me personally if stolen, I use a stand alone password manager.
    
    Anything else goes into Firefox password manager. Stuff I don’t give a fuck about if somebody hacks my password.
    
    source
ExLisper@lemmy.curiana.net ⁨1⁩ ⁨day⁩ ago
Firefox is fine. Benefit of Bitwarden is that you can use the app to also store and fill in password in Android apps.

source
yesman@lemmy.world ⁨1⁩ ⁨day⁩ ago
Browser integration with password managers is overrated. It’s a lot of trouble, breaks all the time, and has security issues. Plus you’re trusting your logins to a third party which makes me sad.

I use a vanilla encrypted DB (KeePass) and just save the logins manually and copy/paste to log in. It’s not that hard.

source
sem@piefed.blahaj.zone ⁨1⁩ ⁨day⁩ ago
I stopped using ff’s password manager because they stopped developing it while the other companies kept adding features.

The main feature for me that it was missing was more fillable fields for each entry.

source
Lost_My_Mind@lemmy.world ⁨1⁩ ⁨day⁩ ago
No no no! You’ve got it all wrong!

See, what you do is use the same password for EVERYTHING! And make it super easy to remember. Even easy to guess in case you forget. Something like “Password1!”. It has all the things! A capitol letter, A number. Even a symbol. So all those pesky sites will be like “You must use a capitol letter, a number, a symbol, and at least 8 characters”. Well then you’ll be like “shut your fucking piehole, I already have that!”

Plus, Password is so easy to guess, nobody would guess you’d be that stupid to use it as your password! It’s the perfect password!

source
Nighed@feddit.uk ⁨1⁩ ⁨day⁩ ago
It’s good for some stuff - it means you get strong unique passwords for sites etc.

BUT

The fact it auto completes basically means that if someone gets access to your phone/computer while it’s logged in, they can log into anything. (A password is normally required to actually VIEW them? - maybe not on desktop!)

I use the built in manager for most days to day stuff, but anything financial or non browser based is stored in keepass. It’s a bit annoying, but way more secure that way.

source
litchralee@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
(short on time, so here’s an overview to answer part of the question)

All password managers that are worth their salt (cryptography pun intended) have to anchor their trust to something, be it the OS’s secret-storing APIs or a piece of hardware like a TPM (typically built into your machine’s motherboard), an HSM (eg Yubikey) device, or an external source of authentication outright (eg a smart card, akin to what the USA Military does). Without any sort of trust anchor, a password manager is little else than a random program that happens to invoke a few cryptographic algorithms. It would be almost trivial for a malicious actor to use a bog-standard debugger like GDB to read the program’s memory and steal the secrets, either after it has been conveniently decrypted by the program or by spying on the program while it performs the cryptographic algorithms.

Since a password manager runs within an OS, meaning that you already have to trust that your OS isn’t an NSA backdoor, it makes sense to rely on the OS for storage of secrets. What the password manager does is provide the frontend for adding/updating secrets from the OS’s store, while also making sure to authenticate the user prior to allowing access to the store of secrets. Once again, this is where hardware modules can come into play, but it can also be done using a main password. That is, you need to unlock the password manager before the secrets it contains are available for use.

Rather conveniently, the OS can also provide this authentication functionality: if you have already successfully logged into the computer, then that’s a form of authentication. The most basic-but-reasonably-secure password manager would use two APIs to offload the difficulty tasks to the OS: the authentication API and the secrets API. That’s the absolute bare minimum.

What Firefox’s password manager provides, by default, is exactly that. But you can choose to upgrade to a Firefox-specific main password, so that if you forget to lock the computer, someone can’t just open Firefox and use your secrets. This is one step above the minimum for a reasonably secure password manager, but it comes with the inconvenience of having to unlock the password manager every time you want to use a secret.

By and large, all password managers make these types of tradeoffs between convenience and additional layers of protection against certain threats. If your machine is inside the vault of Fort Knox and is actively guarded by people with machine guns and a keycard bullet proof door, then Firefox password manager is plenty acceptable.

Whereas a shared home computer in a situation where the disclosure of the secrets would cause a grave problem – eg if an irate person finds that their spouse has a login for the local family court’s online website, which might suggest a forthcoming divorce proceeding – this might make sense to add additional layers. Indeed, some password managers can provide a decoy set of secrets, as a way of forming plausible deniability. If your situation needs plausible deniability, then Firefox’s built-in password manager might not fit the bill.

I want to stress that using any password manager at all is already a massive improvement in security posture, and that any additional features and frills are merely refinements. Some folks are in situations where they cannot accept the possibility of off-device secrets synchronization, which would rule out Firefox password manager. But if you don’t have such requirements, and if you can trust your OS, then you can also trust Firefox to store and manage secrets.

source