by narag 2241 days ago
Anybody using Firefox password manager that can comment on it? Is it considered safe enough?

Are the passwords stored remotely if you have multi-device profiles?

Edit: I asked because I see that some of the updates are related.

10 comments

I've been using it since it was introduced. I no longer think about my passwords. Every time I register on a new website, I just right-click -> generate secure password, it auto-fills and saves it. One password for every website. Yes, they are stored remotely with Firefox Sync.

I just love this browser more and more

Can you use it as a password manager for things that are not websites as well? And is there a way to associate additional data together with the passwords, such as answers to security questions?

Those were the two main things that made me use a separate password manager app in the first place.

No to both of these. There are only three fields, and they must all be filled in: URL, username, password. But suppose your bank is HSBC, you could make up something like "securityquestion://www.hsbc.com", "mom's name", "Jane Doe".
Oh well, that's unfortunate. Thanks though.
Exactly my use case, and why I haven't made the jump from Enpass even though I was excited about Lockwise.
I don't think so. If you go into the UI, bottom left is a button to "Create New Login".

You get 3 fields: url, username & password.

I think that's a fair choice though.

Sadly it doesn't really support customizing the generation. There have been plenty of sites I've found where the auto-generated password doesn't match requirements of the service.
It's worked for me to just manually edit the autogenerated password to add in the BS required.
It's just the browser's normal 'save password' thing, but now with a great UI for managing saved logins.

E2E encrypted with your Mozilla account password. If you forget your password and lose/reset every device that you have Firefox installed on, you will lose the database. The Firefox Lockwise app is a login DB replicator/UI for devices you don't want a full FF install on.

I've been using it for years since, again, it's just the normal save password function that's existed for decades. Completely frictionless experience. The UI, accessible through the menu or about:logins, has options now to manually add/edit/copy logins. And it suggests auto-generated random passwords when creating new accounts.

It also pairs with an app called Lockwise now! It means you can generate passwords and even auto-fill them in other native mobile apps these days. At least I can fairly easily on Android. Found it much easier for my luddite to be comfortable adopting over things like LastPass/OnePass.
There can be some weird situations that you need to be careful of. For example, if you jump on your partner's PC, log them out of their Firefox account and log into yours, all of their passwords / history etc. gets merged into your account. You need to learn about Firefox profiles to get around this.

Also, the old Firefox had a way of clearing all saved passwords from the Options menu. This is now gone, you can only delete a single password at a time. You need to enter the following URL into the Firefox browser, which will let you clear all your passwords: chrome://pippki/content/resetpassword.xhtml

I personally use KeePass, but I like having the passwords saved in Firefox so that they are accessible on all my devices.

What? That sounds like a pretty serious bug.
I'm using it, it seems to work fine, and works/syncs on mobile as well (mobile Firefox that is, not for other apps AFAIK), and on my work computer's Firefox instance. I seem to recall attempting to change my Firefox Sync password once and it notified me that I would need to export and re-import the passwords (IIRC), which I took to mean they are careful to never get full access to them unencrypted on their side. While less convenient, I like how that's set up if it's how I think it is.

For every device I have logged in with Firefox sync it just works as you would expect.

Maybe it sounds silly but make sure you have access to the email associated with your Mozilla account. I learnt the hard way after reinstalling Windows that Mozilla sends a confirmation email to this address when you set up Sync on a new system. It turned out that I had no access to this email anymore since the provider went out of business. I was told it's impossible to access my sync data. Thankfully I did not use it to store any passwords (I use KeePass for that) because otherwise it would have been a catastrophe.
There is a "Secondary email" option in Firefox Accounts. You can also set a "Recovery Key".
I use keepass as well and there is a similar conundrum. If you store a backup of the keepass file on a remote server, make sure the passwords to access this remote server aren't only in the local machine keepass.
Wait, but you had no backups? I don't mean email access or sync access, but simply a backup of your system with your photos, documents, application data (including Firefox's password database), none of that?
> Anybody using Firefox password manager that can comment on it? Is it considered safe enough?

Have been for >10 years now. It feels kinda icky because of how close the passwords are to every website I visit, but the convenience of having passwords auto-fill enables me to auto-delete cookies of most sites (reduced tracking without compromising on convenience) and not hesitate to use a strong password. I've heard of way more bugs in third-party auto-fillers than in Firefox's own, but that notion is of course not scientific proof.

I do think that if you want real security, you need to have the passwords on a separate device (for example on a phone) since malware has been known to keylog and steal password databases. Keylogging is not really possible on a phone unless you grant the offending app some very odd permissions. Whether a separate device is worth the hassle for you depends on how big you judge the risk for the accounts you'd store in there. Not using autofill or browser integration also helps in case there is some security issue in that, but I'm not sure how much that really helps (most browser bugs are aimed at running code on the host anyway) and how much it's just a nuisance.

> Is it considered safe enough?

No: Mozilla have access to your passwords if you use the Sync feature.

They encrypt your passwords with a key encrypted by a key generated from your Firefox Account password, and you enter that password on a web page they serve from servers they control. At any point they can start or stop serving malicious JavaScript to one, many or all users logging in, and steal your master password, then use that to decrypt your stored passwords.

Yes, they could also target users in Firefox itself, but that would leave traces in the Firefox binaries, and users should not automatically install Firefox updates the way they 'install' JavaScript on every page load.

If you do not use the Sync feature I believe that the password manager is okay enough.
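The layered-key design the comment above describes (logins encrypted with a random key, that key wrapped with a key derived from the account password) is worth seeing in code, because it makes clear what a sync server does and does not hold. The block below is an added example and is not Mozilla's code or a description of the actual Firefox Sync protocol: the PBKDF2 iteration count is a constructed value, the sample logins are constructed, and an HMAC-SHA256 counter keystream with an HMAC tag stands in for a real AEAD such as AES-GCM because the Python standard library ships no AES.

```python
# Added example (not Mozilla's code): envelope encryption of a login store.
# The account password never leaves the client; the server side only ever
# holds the salt, the wrapped data-encryption key (DEK) and the ciphertext.
# Stand-ins: PBKDF2_ITERATIONS is a constructed value, and the HMAC-based
# keystream + tag replaces a proper AEAD (use AES-GCM in real code).
import hashlib
import hmac
import json
import secrets

PBKDF2_ITERATIONS = 200_000  # constructed; tune to the real deployment
NONCE_LEN = 16
TAG_LEN = 32

# Constructed sample logins in the three-field shape the thread describes.
SAMPLE_LOGINS = [
    {"url": "https://example.com", "username": "alice", "password": "s3cr3t-example"},
    {"url": "securityquestion://example.com", "username": "mom's name", "password": "Jane Doe"},
]


def derive_kek(account_password: str, salt: bytes) -> bytes:
    """Key-encryption key from the account password; must run on code the user trusts."""
    return hashlib.pbkdf2_hmac("sha256", account_password.encode("utf-8"), salt,
                               PBKDF2_ITERATIONS, dklen=32)


def _subkeys(key: bytes):
    # Separate keys for the keystream and for the tag, derived from one master key.
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(enc_key: bytes, nonce: bytes, length: int) -> bytes:
    blocks, counter = [], 0
    while sum(len(b) for b in blocks) < length:
        blocks.append(hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC; output layout is nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = secrets.token_bytes(NONCE_LEN)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting: a wrong key or tampered blob raises, never returns garbage."""
    enc_key, mac_key = _subkeys(key)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):
        raise ValueError("authentication failed: wrong key or tampered data")
    return bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))


def create_vault(account_password: str, logins: list) -> dict:
    """Everything a sync server would store: salt, DEK wrapped by the KEK, logins sealed by the DEK."""
    salt = secrets.token_bytes(16)
    dek = secrets.token_bytes(32)  # random, independent of the account password
    kek = derive_kek(account_password, salt)
    return {
        "salt": salt,
        "wrapped_dek": seal(kek, dek),
        "ciphertext": seal(dek, json.dumps(logins).encode("utf-8")),
    }


def open_vault(account_password: str, vault: dict) -> list:
    kek = derive_kek(account_password, vault["salt"])
    dek = unseal(kek, vault["wrapped_dek"])
    return json.loads(unseal(dek, vault["ciphertext"]).decode("utf-8"))


def change_account_password(old_password: str, new_password: str, vault: dict) -> dict:
    """Re-wrap the DEK only; the login ciphertext is untouched, which is what the two layers buy you."""
    dek = unseal(derive_kek(old_password, vault["salt"]), vault["wrapped_dek"])
    new_salt = secrets.token_bytes(16)
    return {
        "salt": new_salt,
        "wrapped_dek": seal(derive_kek(new_password, new_salt), dek),
        "ciphertext": vault["ciphertext"],
    }


def wrong_password_is_rejected(account_password: str, vault: dict) -> bool:
    try:
        open_vault(account_password, vault)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    vault = create_vault("correct horse battery staple", SAMPLE_LOGINS)
    print(open_vault("correct horse battery staple", vault) == SAMPLE_LOGINS)
    print(wrong_password_is_rejected("wrong password", vault))
```

Two things the code makes concrete. First, the stored blob is useless without the account password, so a server breach on its own exposes only ciphertext. Second, the protection rests entirely on `derive_kek` running in code the user trusts: if the password is typed into a page whose JavaScript the server chooses, the server-side trust boundary the ciphertext was supposed to enforce is gone, which is exactly the comment's objection. The defensive checks that follow from this are that login pages for such a service should be pinned, audited or shipped in the client rather than fetched, and that the stored wrapped key should never be decryptable by anything server-side.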

I have a huge problem with how Firefox handles asking for a master password (if you want your password to be encrypted on disk).

Sometimes a small pop-up window opens and asks you to fill in your password. No other indication of which tab, which site, or even which Firefox profile opened it. It is not always the active tab. Also, after unlocking it remains unlocked indefinitely.

Lockwise itself works nicely, it is just a reskinned version of the usual password manager.

Before you commit, you might want to know that there is no export feature.

It's really nice. Better than any other browser password manager. I've resisted using the browser's until now (I have 1Password) but the sync feature is slick for iOS.
Two things prevent me from switching away from 1Password: 2FA token support and shared credentials between multiple users (a shared family vault in 1Password). I could probably deal without the latter, but I definitely don't want to give up my auto-fillable 2FA codes.
Ideally sites would switch to FIDO/WebAuthn now so you don't have to enter 2FA codes at all. Most of my 2FA sites have.
The only thing holding me back is iOS support for changing the default browser. Here's to hoping the rumors about iOS 14 are true, and I'll be able to switch everywhere.
That shouldn't be a blocker for password managers. I use BitWarden, and it can auto-fill passwords in iOS Safari. So presumably there is nothing stopping Firefox from also sharing its password manager across whatever browser you use.
I believe you can host your own instance of the back end portion if you wish:

https://github.com/mozilla/fxa