November 20, 2021
Mozilla announced last week that it would end support for its Firefox Lockwise password manager app on December 13, 2021. It means users will no longer be able to install or reinstall Firefox Lockwise from the App Store or Google Play Store. Although the users who have installed the app can continue to use it on devices, it's better not to do so because it will no longer receive any security updates.
Now, Firefox Lockwise users face two choices. Either use the built-in password manager of the Firefox browser or find another independent password manager.
If reducing data migration cost is the most crucial point for you, the former choice is the best.
However, the Firefox browser's built-in password manager also has some cons.
- Cannot autofill passwords on other apps on iOS yet.
Android users can access the password autofill functionality offered by the Firefox browser instead. If you use iPhone, you have to wait for Firefox to roll out that feature. Before that, you may still need to use copy and paste, which may leak your password because any app can read the pasteboard.
- Have to use Firefox to access your passwords.
It would be really inconvenient if you still use Chrome or other browsers. Because supporting Autofill on Chrome needs accessibility services on Android or a browser extension on desktop.
- Not safe enough to use browsers to store data.
The security of browser password managers relies on the browsers, which are hackers' favorite targets. Check this out Opera sync servers hacked, usernames and passwords at risk
In July this year, in the post You should turn off autofill in your password manager, Marek Tóth mentioned that Firefox browser password manager fills in passwords without requiring user action, and hackers can use XSS vulnerabilities to steal passwords.
Other independent password managers may be more secure and feature-rich than the Firefox browser password manager. Here are a few tips for choosing alternatives to Firefox Lockwise users.
- Excellent data encryption.
At least to use second-generation password managers, which mainly rely on the master password to encrypt data. Generally speaking, as long as the master password is long, complex, and not disclosed, password managers can protect your data well. Check this out 👉 The Evolution of Password Manager (2/4)
In addition to data encryption methods, each password manager has other security designs to enhance data protection capabilities, such as no Internet access, enabling 2FA, etc.
- Well secured autofill.
There is no denying that autofill is fantastic. However, it exposes an attack surface at the same time. Hackers might be able to loot passwords by abusing autofill. A research paper Revisiting Security Vulnerabilities in Commercial Password Managers said that none of those password managers could defend against all the attacks as follows.
- Additional security information.
Besides passwords, other information related to account security, such as one-time passwords, recovery codes, answers to security questions, rescue email addresses, etc., are also really important to save. After all, for high-value accounts, only depending on password protection may not be enough. Check this out Your Pa$$word doesn't matter
- Easy to migrate data from Firefox Lockwise.
Last but not least, if a password manager does not support the data format exported from Firefox Lockwise, you'd better give it up. Unless you have the patience to enter passwords one by one🤦.