The Mozilla Foundation has a podcast called IRL. In a recent episode they talked about passwords and basically ended the episode advocating the use of proprietary password managers, specifically LastPass and OnePass.
LastPass has had a number of security breaches over the years. Mozilla is a non-profit that creates Free Software, and even has a password manager built into Firefox that is FLOSS, and even self-hostable. Why are they advocating people use inferior stuff to their own?
@emacsen I was always surprised how many of the self-styled infotech experts on Twitter talk up such solutions. There were various demographics from academic types to those with edgy handles and avatars but they seemed of a piece on this whatever else they would argue over.
@krozruch I know not everyone agrees with me on the issue of LastPass or OnePass. Let me also be clear on something...
Even the proprietary solutions are better than password re-use. Significantly. But Mozilla makes Free Software. If they don't believe in their own stuff, fix it. And if they do, promote it. Don't promote proprietary stuff, or at least present Free alternatives.
@emacsen I couldn't get very far with keepass when I tried to set it up recently. I expected it to be easier to link to firefox etc. Not looked into self-hosting Firefox's password manager. I should look into it more.
@krozruch We're thinking that if there's a week without Chris being available for LibreLounge, maybe I'll talk about my password setup. Think people would be interested?
@emacsen I think I would. But then I also think I need to add your podcast to my org-mode - done - as I haven't managed to listen yet :(
@emacsen @cwebber @librelounge So listened to the first and learned a lot. Only now getting into org-mode but it was interesting to hear it described, essentially, as ADHD-proof. This has been my experience (or my hope) and I have previously tried everything from Toodledo to OmniFocus to expensive notebooks to weird uses of poker chips and abacuses.
@kelbot @emacsen The spiel I got from the Mozilla guy at a Linux Days thing here in Prague some time ago made me feel that they had adopted many of the goals of Google if not their methods. It was like they wanted to build a somewhat crapper version of the Star Trek computer, but build it all the same. Nice guy & all, but I am increasingly seeing a cuddlier style of Google-type development one step removed from source - which is apt. (I see the same in Creative Commons in the cultural sphere.)
@emacsen All the folks who could fix it quit about three years ago. As far as anyone is concerned, it's unmaintained code.
@emacsen I don't know about Syncserver, but Password Manager for sure. They all signed on at the last place I worked just before I quit.
@emacsen I doubt they have time to develop a cross-platform password manager, considering that developing VR browsers and setting up art installations in central London are both quite time-consuming.
Let me be very clear... I love Mozilla. I want them to keep doing amazing things. I am annoyed they're promoting proprietary software and services when they could promote their own stuff instead.
@emacsen Yes, I'm aware that Firefox Sync is still a thing. But it is, also, a "browser thing". So while it will let you save a lot of site login information, it is not a solution for other kinds of passwords, such as machines, cards, or apps. That I expect is the reason why they are promoting other software.
@emacsen [Also, since it was evidently not clear that my response was sarcasm; I enjoy poking fun at Mozilla's habit of staging expensive "experience" installations, even though I've been to those and they are demonstrably educating a lot of people about privacy and software freedom issues.]
@emacsen LastPass and OnePass are fine. And better than e.g. keepass for "average" users.
@emacsen The issue with the Mozilla password manager is that while the server component is pretty safe, the local part to my understanding is not very safe. The on-disk encryption is not good, and I don't believe it does stuff like prevent memory with passwords from being paged out. (I use the moz pw manager anyway, because the UX is much better for me than e.g. 1P, and I am willing to make the security trade-offs.)
Moz has a project to make a safe local part called lockbox.
@kelly_clowers You're right. And also the fact Firefox can't handle non-web credentials also makes it less than ideal. I'm hopeful about Lockbox.
My beef is more that they didn't mention even one Free Software option, even though they're a Free Software org, and that really stinks.
@tagomago @emacsen As far as I have talked with #GNU #IceCat and other reviewers in #fsf IRC channel on chat.freenode.net, it is a software freedom issue because of the #trademark policy. These are good to have, even #GNU has one for their logo, but #Mozilla's is problematic because it forbids one of the freedoms that the software ought to have according to the #FreeSoftware Definition.
Yes, I agree. I don't think that's an incorrect statement if we follow the book. It's just that it seems to me like a very easy non-freedom to solve: you just rebrand the code and it's free. I think that's what Debian and GNU did with IceWeasel and IceCat, besides adding their own features to the mix, but maybe I'm wrong.
@emacsen padlock.io is a good open source alternative to one pass/lastpass.