cancel
Showing results for 
Show  only  | Search instead for 
Did you mean: 
xUxSxExR
Making moves
Status: New idea

Firefox Lockwise or how the integrated password-manager is called, it pretty good.

The syncing is centralized, but encrypted, so no problem here. I prefer Syncthing and Keepass, but while KeepassDX works perfectly on Android, KeepassXC doesnt work at all at the moment, so I use it.

 

While there is an option (which should be opt-out, not opt-in!) to encrypt the passwords locally using master passwords on Desktop, there just isn't one on Mobile! This is horrible, as anyone having access to your phone could also read your passwords.

 

Also, phones have fingerprint sensors very often. KeepassDX has a pretty good implementation for "modern unlocking", where the fingerprint unlocks the password and decrypts the vault.

 

This absolutely has to be integrated into Mobile, along with a general Fingerprint-unlock. I mean, its a privacy browser, and there are different factors of privacy. People having access to your browsing history and passwords, is one of the threats some people fear.

 

Thank you for this browser, its the only good non-Chromium one we have.

17 Comments
ansiklopedici
Making moves

@xUxSxExR 
Thank you for feedback and idea.
Firefox use lock screen password on Android device. After you set a lock screen password, try to access your passwords again.

Ekol
Strollin' around

I know Firefox devs have said they don't pretend to bring back master password to mobile, they have said it multiple times actually, but I still don't get their reasoning.

According to them, lock screen is more than enough, but that doesn't consider the very common use case where multiple people at a given home can know how to unlock a device. I may want to share my cellphone or tablet with my daughter so she can play a video game, but still be sure she won't mess with critical accounts from work. Like, I want her to play Stumble Guys whenever she wants without having to worry she may take down our web server just because I got distracted for a second. Most of my apps are quite harmless and I'm not afraid she mess with them, with the exception of something as powerful like a web browser. It's almost as critical as giving her open root access to a terminal.

Again, I get that having a master password in mobile doesn't make it more "secure" in the sense that it stays as hackable as without one, it doesn't really encrypt things, but still it would help as a deterrent for some unpleasant situations. And again, I don't get the reasoning specially because the same logic may be applied to computers: you can encrypt your partition and set a screen lock in most if not all operative systems, why is it different in mobile?

Detroit_yeet
New member

Mobile versions of Firefox should use a primary password

On mobile versions of Firefox, passwords are protected by your phone's own encryption instead of a primary password. On Android (which is what I use), this just means you have to re-enter the same passcode or PIN you use to unlock your phone (usually 4-6 numbers or a few words), and then you can see and copy any and all of the passwords you have saved in Firefox. This is much less secure than having a primary password, especially considering that if someone's snooping in your passwords like this, they either already know your phone's passcode or they're a hacker accessing your phone's files remotely, in which case they can brute force your passcode extremely easily.

I don't know how iOS encrypts your saved passwords, but I'm sure both versions could benefit from just having a primary password like the desktop version.

Jon
Community Manager
Community Manager

(Note: a similar idea has been merged into this thread)

Kelleck
New member

It just makes sense to have a second layer of passwords to something as critical as, well, your passwords. I'm not worried about encryption, I'm worried about someone seeing me input my iOS passcode into my phone, and then being able to access my passwords because this feature doesn't exist.

My banking app, for example, doesn't allow a fall back of the iPhone passcode, if your Face ID doesn't work you have to enter the actual password to your account.

Dedicated password mangers also have something similar to this, where you can have a different passcode just for the app.

 

xUxSxExR
Making moves

@EkolFor your use case a seperate Android account will be best. you can create one in the settings.

But you could encrypt the passwords locally? Look at what KeepassDX does, encrypted, opened (in RAM or in App storage idk) with a password, thats it.

@Detroit_yeetThe phones password or pin is protected like using fail2ban. You cant just brute-force all few thousand combinations to get the 5-digit pin right, it will be blocked after like 10 tries or so. Still using that password makes your phone very single-user-like

@KelleckYes KeepassDX is a good open-source example for this. It allows Fingerprint, Device password and custom password. In every case this login data creates a keyfile that then actually unlocks the password storage.

PizzaPizza
New member

It would still make sense to have Firefox Start Master Password 🔑. E.g. when somebody caught your Android Password then using Firefox when you have enabled autofill in automatically some logins for web services get available which is very critical here should be a secon barrier. At least optional. Worst case somebody can execute payments etc. (PayPal user login etc.)

Bhcurran1
New member

My cell says through Mozilla key password u can encrypt your cell phone.

Bhcurran1
New member

This is my biggest fear ,the fear of being g hacked, or getting viruses that you would think Active Armour and Norton would stop them in there tracks,thy let 32virsuses in my cell as subscription expired before I got my year paid again now my cell infected and my SD card ,so I got rid of chrome put in firefox ,but firefox has changed ,now you have to add Mozilla then in Mozilla you have to put in a master password where does all of this end a d I my self am 66 so I lose my pieces of paper I write on , lol things r way to complex these days but I get why they are. Hackers these hackers think we owe them ,we don't owe them anything. Work just like all of us had too.  If you want something work for. It is rewarding and it would simplify our browsers. I use to have Firefox ,you turned on all you wanted covered right through firefox ,not now. We have to keep adding on. Does it ever end???!!!

Bhcurran1
New member

Yes today I got a text that they bought concert tickets. What the hell is my account already hacked and I am not done completing the set up

tack
New member

When I sent my phone in for repair the repair person asked for my pin code (didn't boot anymore), because that would make his work easier debugging any issues. I would not have had any issues giving it to him, because all the other privacy/security sensitive apps I use have a secondary fingerprint unlock for anything important (banking, another password manager) or are less important. But not Firefox, and the passwords there I really did not want to expose to others), which caused them to have to factory reset my phone instead of being able to keep my data.

All that is to say that not having a 2nd unlock option for something so important as passwords is a really bad idea. I'd be happy for it to be opt-in, and optional, but not giving the option is (I think) really the wrong decision here. Please reconsider.

kylethayer
New member

I agree with everyone above. At least have an option to require primary password before using password auto-fill (or viewing passwords), so I can let me kids use my phone but not get all my passwords.

giacomomensio
New member

The biggest problem is not having any unlock request when using autofill inside the browser! We have fingerprint request when usin in other apps, but not when using the purple passwords into Firefox browser, this is absolutely crazy!

You must add an authentication request when using autofill inside Firefox browser immediately!

mmanu
New member

I agree with @giacomomensio, it would be a great security improvement to have an unlock request to use autofill function at least.

Romain
Making moves

Offer the option: "always ask to valid autofill password with lock-screen password"