The Mozilla Foundation has a podcast called IRL. In a recent episode they talked about passwords and basically ended the episode advocating the use of proprietary password managers, specifically LastPass and OnePass.

LastPass has had a number of security breaches over the years. Mozilla is a non-profit that creates Free Software, and even has a password manager built into Firefox that is FLOSS, and even self-hostable. Why are they advocating people use inferior stuff to their own?

@emacsen I was always surprised how many of the self-styled infotech experts on Twitter talk up such solutions. There were various demographics from academic types to those with edgy handles and avatars but they seemed of a piece on this whatever else they would argue over.

@krozruch I know not everyone agrees with me on the issue of LastPass or OnePass. Let me also be clear on something...

Even the proprietary solutions are better than password re-use. Significantly. But Mozilla makes Free Software. If they don't believe in their own stuff, fix it. And if they do, promote it. Don't promote proprietary stuff, or at least present Free alternatives.

@emacsen I couldn't get very far with keepass when I tried to set it up recently. I expected it to be easier to link to firefox etc. Not looked into self-hosting Firefox's password manager. I should look into it more.

@krozruch We're thinking that if there's a week without Chris being available for LibreLounge, maybe I'll talk about my password setup. Think people would be interested?

@emacsen I think I would. But then I also think I need to add your podcast to my org-mode - done - as I haven't managed to listen yet :(

@krozruch @cwebber recently added the ability to play @librelounge directly from the website. - no need for an aggregator (unless you roll that way)

@emacsen @cwebber @librelounge I must admit that I normally play podcasts through Pocket Casts on Android (!) or Overcast on iOS (!). My first smartphone was Ubuntu Phone but... well. Anyway, I had failed to search for you on the latter, but just added it from the url.

@emacsen @cwebber @librelounge So listened to the first and learned a lot. Only now getting into org-mode but it was interesting to hear it described, essentially, as ADHD-proof. This has been my experience (or my hope) and I have previously tried everything from Toodledo to OmniFocus to expensive notebooks to weird uses of poker chips and abacuses.

@emacsen @krozruch I speak on password managers at least a couple times a year and would love to hear about your setup

@emacsen All the folks who could fix it quit about three years ago. As far as anyone is concerned, it's unmaintained code.

@emacsen I don't know about Syncserver, but Password Manager for sure. They all signed on at the last place I worked just before I quit.

@emacsen I doubt they have time to develop a cross-platform password manager, considering that developing VR browsers and setting up art installations in central London are both quite time-consuming.

@n8 Firefox Sync is still a thing AFAIK, and they seem to be working on a new thing called Lockbox.

Let me be very clear... I love Mozilla. I want them to keep doing amazing things. I am annoyed they're promoting proprietary software and services when they could promote their own stuff instead.

@emacsen Yes, I'm aware that Firefox Sync is still a thing. But it is, also, a "browser thing". So while it will let you save a lot of site login information, it is not a solution for other kinds of passwords, such as machines, cards, or apps. That I expect is the reason why they are promoting other software.

@emacsen [Also, since it was evidently not clear that my response was sarcasm; I enjoy poking fun at Mozilla's habit of staging expensive "experience" installations, even though I've been to those and they are demonstrably educating a lot of people about privacy and software freedom issues.]

@emacsen LastPass and OnePass are fine. And better than e.g. keepass for "average" users.

@emacsen The issue with the Mozilla password manager is that while the server component is pretty safe, the local part to my understanding is not very safe. The on-disk encryption is not good, and I don't believe it does stuff like prevent memory with passwords from being paged out. (I use the moz pw manager anyway, because the UX is much better for me than e.g. 1P, and I am willing to make the security trade offs.)

Moz has a project to make a safe local part called lockbox.

@kelly_clowers You're right. And also the fact Firefox can't handle non-web credentials also makes it less than ideal. I'm hopeful about Lockbox.

My beef is more that they didn't mention even one Free Software option, even though they're a Free Software org, and that really stinks.


Actually it's a branding issue, not what one'd normally expect as a "non-free software" situation.


@tagomago @emacsen As far as I have talked with #GNU #IceCat and other reviewers in #fsf IRC channel on, it is a software freedom issue because of the #trademark policy. These are good to have, even #GNU has one for their logo, but #Mozilla's is problematic because it forbids one of the freedoms that the software ought to have according to the #FreeSoftware Definition.

@adfeno @emacsen

Yes, I agree. I don't think that's an incorrect statement if we follow the book. It's just that it seems to me like a very easy non-freedom to solve: you just rebrand the code and it's free. I think that's what Debian and GNU did with IceWeasel and IceCat, besides adding their own features to the mix, but maybe I'm wrong.


Does their password manager have a standalone version?

They wanted to address everyone, not only people who have the option of using Firefox.

One of the things I think a lot of FOSS advocates overlook is that 'this is 100% free software' is not actually a major selling point to ordinary users. They don't care. They just want to get things done, and they'll use the tools they have available and are comfortable with.

So if a user is using Safari or Edge, popping up with "hey you can use Firefox instead, it has a password manager built in" isn't useful. Learning a new program costs time and energy, and "Firefox and password management" costs more than "password management with my current flow". More than that, the proprietary password managers mentioned have mobile versions and so can integrate into environments where the user can't install Firefox.

Now, all this isn't to say that Mozilla couldn't recommend a FOSS solution—but they'd have to develop and deploy it, and provide tools for helping users switch over. And maybe they don't have the resources to do that. But, telling people to use a whole new browser to get password management isn't helpful.

@emacsen is a good open source alternative to one pass/lastpass.
