November 20, 2021
Mozilla announced last week that it would end support for its Firefox Lockwise password manager app on December 13, 2021. It means users will no longer be able to install or reinstall Firefox Lockwise from the App Store or Google Play Store. Although the users who have installed the app can continue to use it on devices, it's better not to do so because it will no longer receive any security updates.
Now, Firefox Lockwise users face two choices. Either use the built-in password manager of the Firefox browser or find another independent password manager.
If reducing data migration cost is the most crucial point for you, the former choice is the best.
However, the Firefox browser's built-in password manager also has some cons.
Android users can access the password autofill functionality offered by the Firefox browser instead. If you use iPhone, you have to wait for Firefox to roll out that feature. Before that, you may still need to use copy and paste, which may leak your password because any app can read the pasteboard.
It would be really inconvenient if you still use Chrome or other browsers. Because supporting Autofill on Chrome needs accessibility services on Android or a browser extension on desktop.
The security of browser password managers relies on the browsers, which are hackers' favorite targets. Check this out Opera sync servers hacked, usernames and passwords at risk
In July this year, in the post You should turn off autofill in your password manager, Marek Tóth mentioned that Firefox browser password manager fills in passwords without requiring user action, and hackers can use XSS vulnerabilities to steal passwords.
Other independent password managers may be more secure and feature-rich than the Firefox browser password manager. Here are a few tips for choosing alternatives to Firefox Lockwise users.
At least to use second-generation password managers, which mainly rely on the master password to encrypt data. Generally speaking, as long as the master password is long, complex, and not disclosed, password managers can protect your data well. Check this out 👉 The Evolution of Password Manager (2/4)
In addition to data encryption methods, each password manager has other security designs to enhance data protection capabilities, such as no Internet access, enabling 2FA, etc.
There is no denying that autofill is fantastic. However, it exposes an attack surface at the same time. Hackers might be able to loot passwords by abusing autofill. A research paper Revisiting Security Vulnerabilities in Commercial Password Managers said that none of those password managers could defend against all the attacks as follows.
Besides passwords, other information related to account security, such as one-time passwords, recovery codes, answers to security questions, rescue email addresses, etc., are also really important to save. After all, for high-value accounts, only depending on password protection may not be enough. Check this out Your Pa$$word doesn't matter
Last but not least, if a password manager does not support the data format exported from Firefox Lockwise, you'd better give it up. Unless you have the patience to enter passwords one by one🤦.