Firefox Lockwise, or whatever the integrated password manager is called, is pretty good.
The syncing is centralized, but encrypted, so no problem here. I prefer Syncthing and KeePass, but while KeePassDX works perfectly on Android, KeePassXC doesn't work at all at the moment, so I use it.
While there is an option (which should be opt-out, not opt-in!) to encrypt the passwords locally using master passwords on Desktop, there just isn't one on Mobile! This is horrible, as anyone having access to your phone could also read your passwords.
Also, phones very often have fingerprint sensors. KeePassDX has a pretty good implementation for "modern unlocking", where the fingerprint unlocks the password and decrypts the vault.
This absolutely has to be integrated into Mobile, along with a general fingerprint unlock. I mean, it's a privacy browser, and there are different factors of privacy. People having access to your browsing history and passwords is one of the threats some people fear.
Thank you for this browser, it's the only good non-Chromium one we have.
Thank you for the feedback and idea.
Firefox uses the lock screen password on Android devices. After you set a lock screen password, try to access your passwords again.
I know Firefox devs have said they don't intend to bring back the master password to mobile, they have said it multiple times actually, but I still don't get their reasoning.
According to them, the lock screen is more than enough, but that doesn't consider the very common use case where multiple people at a given home can know how to unlock a device. I may want to share my cellphone or tablet with my daughter so she can play a video game, but still be sure she won't mess with critical accounts from work. Like, I want her to play Stumble Guys whenever she wants without having to worry she may take down our web server just because I got distracted for a second. Most of my apps are quite harmless and I'm not afraid she'll mess with them, with the exception of something as powerful as a web browser. It's almost as critical as giving her open root access to a terminal.
Again, I get that having a master password on mobile doesn't make it more "secure" in the sense that it stays as hackable as without one, it doesn't really encrypt things, but still it would help as a deterrent for some unpleasant situations. And again, I don't get the reasoning, especially because the same logic may be applied to computers: you can encrypt your partition and set a screen lock in most if not all operating systems, so why is it different on mobile?
Mobile versions of Firefox should use a primary password
On mobile versions of Firefox, passwords are protected by your phone's own encryption instead of a primary password. On Android (which is what I use), this just means you have to re-enter the same passcode or PIN you use to unlock your phone (usually 4-6 numbers or a few words), and then you can see and copy any and all of the passwords you have saved in Firefox. This is much less secure than having a primary password, especially considering that if someone's snooping in your passwords like this, they either already know your phone's passcode or they're a hacker accessing your phone's files remotely, in which case they can brute force your passcode extremely easily.
I don't know how iOS encrypts your saved passwords, but I'm sure both versions could benefit from just having a primary password like the desktop version.
(Note: a similar idea has been merged into this thread)
It just makes sense to have a second layer of passwords to something as critical as, well, your passwords. I'm not worried about encryption, I'm worried about someone seeing me input my iOS passcode into my phone, and then being able to access my passwords because this feature doesn't exist.
My banking app, for example, doesn't allow a fallback to the iPhone passcode; if your Face ID doesn't work, you have to enter the actual password to your account.
Dedicated password managers also have something similar to this, where you can have a different passcode just for the app.
@Ekol For your use case, a separate Android account will be best. You can create one in the settings.
But you could encrypt the passwords locally? Look at what KeePassDX does: encrypted, opened (in RAM or in app storage, idk) with a password, that's it.
@Detroit_yeet The phone's password or PIN is protected like using fail2ban. You can't just brute-force all few thousand combinations to get the 5-digit PIN right, it will be blocked after like 10 tries or so. Still, using that password makes your phone very single-user-like.
@Kelleck Yes, KeePassDX is a good open-source example for this. It allows fingerprint, device password and custom password. In every case this login data creates a keyfile that then actually unlocks the password storage.