Safety of password managers as an addon to Firefox


squirrel

Active member
Oct 4, 2020
36
10
This week's episode sent a chill down my spine when Steve was talking about crypto addons and the inadvisability of using them. I don't do crypto at all in any shape or form, but I do use Bitwarden on iOS and as an addon in Firefox using Linux. I gave up Windoze, I never did 10.

I'm now thinking that I shouldn't be using Bitwarden in a Linux Ubuntu Firefox. Can anyone persuade me that I don't need to worry and to carry on using it?
 
There is no way to remain perfectly safe, except to stay off the Internet and/or to turn off the PC and never use it. Otherwise, just keep your system/browser up to date, take all the usual steps to avoid getting malware in your system, and stay logged out of your password manager when it's not in use.
 
You should be fine assuming you are using 2FA with Bitwarden + strong master password. Also, make sure to go through all the options in Bitwarden to harden it to your satisfaction. Same advice with LastPass.

I would REALLY like to see @Steve and Leo address the elephant in the room regarding Bitwarden/Lastpass. We all know LastPass was bought and eliminated their free tier, but I would be curious to know if Steve’s LastPass recommendation still stands or if he jumped ship to Bitwarden.
 
Maybe more concerning is the move of most password managers to the cloud. Though they claim that most are moved encrypted, the idea of having all my keys in the cloud doesn't encourage me much. It becomes a more attractive target since thousands of people store their passwords there. Also, should a vulnerability in the methods used be found, it would become a brighter light to attract the flies.

Though having my storage locally might not be more secure, I'm not that interesting to attack. Though nothing guarantees there isn't anything looming already inside my network or even my computer.

Some things shouldn't be sent to the cloud, but it has become the current model.
 
As it has been repeatedly said, you sacrifice convenience for security. I use an offline manager, and usually forget to sync my mobile with the main db. I will do it whenever I need to use a service from my phone. You can compartmentalize your logins into multiple vaults and you don't need to sync all to your mobile.
 
Yes, I've been mulling this problem over the past few days and have come to the same conclusion as you, and I'm going to reshuffle everything along the lines you suggest. I'm currently looking up how to shift, or set up, the vault on my home network. Thanks for confirming my thoughts.
 
Regarding extra security for password manager content...

I don't know if this has been mentioned - but the passwords contained in the password manager don't necessarily need to be the password that will work for the login. For higher risk accounts (financial / domain name registrar / e-mail accounts used for password reset for financial accounts) one might apply a remembered rule to the password manager pre-filled password before hitting login (copy paste from PW manager to login, apply rule, click login).

The rule would be adding/removing (or both) content at a specific position of the filled password (which is typically a set of uniform dots)

Should an undesired party get access to the unencrypted password manager content, they still don't have a working password to copy/paste for the high risk accounts (and hopefully won't have a method to reset a password for a high risk account).
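The "remembered rule" scheme described in the post above, worked through as an added example (this is not code from the post or from any password manager): the vault holds a base string, the user applies a fixed insert/remove rule at known positions, and only the transformed string is what the site was registered with. The site-side verifier below is a constructed stand-in using PBKDF2, and the vault value, rule and positions are made-up sample data.

```python
"""
Added illustration of the 'remembered rule' idea: the password stored in
the vault is not the working password. All names, sample values and the
toy server-side verifier are constructed for this example.
"""
import hashlib
import hmac
import os
from typing import Optional


def apply_rule(stored: str, insert_at: int, insert_text: str,
               remove_at: Optional[int] = None, remove_len: int = 0) -> str:
    """Turn the vault-stored password into the working password.

    The removal (if any) is applied first, with positions referring to the
    stored string; the insertion is then applied to the shortened result.
    """
    working = stored
    if remove_at is not None and remove_len > 0:
        working = working[:remove_at] + working[remove_at + remove_len:]
    return working[:insert_at] + insert_text + working[insert_at:]


# --- Constructed stand-in for a site's server-side password check ---------
def make_verifier(password: str) -> tuple:
    """Register a password: return (salt, PBKDF2 digest) as a site would store."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest


def check_password(candidate: str, salt: bytes, digest: bytes) -> bool:
    """Verify a login attempt against the stored salt/digest (constant time)."""
    cand = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, 100_000)
    return hmac.compare_digest(cand, digest)


# Constructed sample data: what sits in the vault vs the rule the user remembers.
VAULT_ENTRY = "q7#Lm2vXp9!tRz"  # value copied out of the password manager
RULE = dict(insert_at=4, insert_text="Ab", remove_at=0, remove_len=1)


def demo() -> dict:
    """Show that the raw vault value fails login while the rule-applied value passes."""
    working = apply_rule(VAULT_ENTRY, **RULE)
    # The account was registered with the working password, never the vault value.
    salt, digest = make_verifier(working)
    return {
        "working": working,
        "vault_value_logs_in": check_password(VAULT_ENTRY, salt, digest),
        "rule_applied_logs_in": check_password(working, salt, digest),
    }


if __name__ == "__main__":
    print(demo())
```

The rule is, in effect, a second secret that exists only in the user's head, so a copy of the decrypted vault alone is not enough to log in. It does nothing against a keylogger or a phishing page, which see the working password after the rule has been applied, and the account's password-reset path (the e-mail account the post mentions) still needs its own protection.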
 
Yes, very good idea, I do actually do just that for my high value accounts.
 
I've been using Bitwarden. For a couple of sites of value and one email account I just don't have them in BW. Those couple are kept in a 'scrambled' format on paper. That doesn't prevent all the vulnerabilities mentioned above (such as key loggers) but gives a little extra security in some cases.
 