[fardo]

To be fair, Firefox is also FOSS, contains an integrated password manager with extraordinarily well-integrated browser compatibility, and by opting to use a master password to encrypt or decrypt the store also gives you control over securitization, storage location, and generation.

Not to say that KeePassXC isn’t useful if you want even more fine-grained controls, but it seems like in the

> Use password in browser

Use case, KeePass would actually weaken the security guarantee by adding a second component you need to trust.

[mcpackieh]

My problem with Firefox's password manager is there doesn't seem to be a way to export/import to/from an encrypted file that I can back up to other places. I can export to an unencrypted text file (and no apparent way to import again), or I can use their sync service (or run my own maybe?), or I can backup the entire firefox profile.

This is what Firefox says when I go to export my logins: "[!] Your paswords will be saved as readable text (e.g., BadP@ssw0rd) so anyone who can open the exported file can view them."

KeePassXC on the other hand gives me a simple encrypted database file that I can copy around to different places for some peace of mind.

[babel_]

> "[!] Your paswords will be saved as readable text (e.g., BadP@ssw0rd) so anyone who can open the exported file can view them."

That's effectively what almost all of them say when you export your logins (usually as CSV, JSON, or XML), because they export in plain text, because you don't know what the user needs it for, up to and including manual imputation (better than expect a random user to have to learn how to print out a database, or worse submit that database file to some online service to print out).

Users aren't necessarily highly computer literate, we don't want to prevent people from having security, but even if they were they may still have use cases that do not accept such a database (migrating password manager that don't know your previous one, perhaps), so most of them use (unencrypted) plain text and just accept they'll have to leave it in the user's hands, and warn them it's exposed.

We'd absolutely love there to be safe, portable ways to move our data around such that it remains encrypted while migrating, yes, but that's just not something our current crop of software really enables fully these days, unfortunately.

[Faark]

> adding a second component you need to trust

I'd even say "adding a second vendor you need to trust". Yes, these days there seems to be a strong drive to just get a big package out of a single hand. Like having the browser closely tied to the OS. I don't like it. I prefer to choose the individual parts as i see fit. Keepass and some bit of custom sync, in this case. Now, in the same vein I expect MS & Google making it easy to support different browsers, I'd want Mozilla making it easy to integrate other password managers. I'd love to be corrected, but afaik the "password manager with extraordinarily well-integrated browser compatibility" doesn't offer any way or API to connect my keepass with it. Its only for Mozilla's own stuff. Not the open, user controlled system i'd love Firefox to be.

The Firefox Android Addon system is even worse... only a very short list of pre-approved extensions are available. With the escape hatch for devs requiring some stupid online-account. Sorry, but how is that different from an App store without side-loading?

Still recommend using Firefox, since it is the best we have. But yeah, i don't like the less and less open direction apparently chosen by Mozilla. And wonder if not being a good role model will hurt them down the line...

[midoridensha]

>The Firefox Android Addon system is even worse... only a very short list of pre-approved extensions are available.

You need to install Firefox Nightly.