The Mozilla Foundation has a podcast called IRL. In a recent episode they talked about passwords and basically ended the episode advocating the use of proprietary password managers, specifically LastPass and OnePass.

LastPass has had a number of security breaches over the years. Mozilla is a non-profit that creates Free Software, and even has a password manager built into Firefox that is FLOSS, and even self-hostable. Why are they advocating people use inferior stuff to their own?

@emacsen The issue with the Mozilla password manager is that while the server component is pretty safe, the local part to my understanding is not very safe. The on-disk encryption is not good, and I don't believe it does stuff like prevent memory with passwords from being paged out. (I use the moz pw manager anyway, because the UX is much better for me than e.g. 1P, and I am willing to make the security trade offs.)

Moz has a project to make a safe local part called lockbox.


@kelly_clowers You're right, and the fact that Firefox can't handle non-web credentials also makes it less than ideal. I'm hopeful about Lockbox.

My beef is more that they didn't mention even one Free Software option, even though they're a Free Software org, and that really stinks.