It is often said that the best tool is the one you have with you. Although nowhere near as fully featured as either KeePass or commercial password manager software, the Firefox browser will remember passwords entered into web forms, and provides the option to encrypt them with a master password. These passwords can then be synced across devices using Firefox Sync.
Passwords not secured by a master password can in no way be considered safe, as anyone with access to your browser will be able to see them (this access need not be physical – a hacker can easily obtain unsecured passwords too). Google Chrome and Microsoft Internet Explorer do not protect passwords with a master password, making Firefox by far the most secure mainstream browser to integrate password management features.
In addition to this, Firefox is open source and does not pass personal information on to its parent company (as Chrome and IE do). Firefox is, therefore, our recommended browser generally, and can be made even more secure using our suggested add-ons and tweaks.
Pricing and Features
Firefox is developed by the non-profit Mozilla Foundation and is completely free (in every sense of the word as it is also open source).
As already noted, using Firefox to manage your passwords means sacrificing features standard to stand-alone dedicated password manager programs.
Probably the most important of these is that Firefox does not generate strong passwords for you. This means that even if you make a big effort to think of new complex passwords for every website you visit, these are unlikely to be anywhere near as strong as ones generated by a computer program. After all, are you going to think up passwords such as ‘03qx@s5″E6CRE5MHn~=e’ all the time?
Another major issue is that the built-in Firefox manager only stores passwords entered into web forms in Firefox. It therefore cannot be used to store passwords for your other programs, or other information that you want kept secure (such as bank details).
Aesthetics, usability and customer support
The Firefox password manager is simply a feature of Firefox, and shares a common interface with the browser (its limited settings are accessed through Options -> Security tab).
Thanks to its simplicity and native browser integration, it is undoubtedly the easiest password manager to use. This is, however, something of a security risk, as it remembers passwords by default, but does not use a master password by default… if you plan to save sensitive passwords using this manager, you must TURN ON SAVED PASSWORDS!!!
Security and privacy
Assuming that a strong (and unique) master password has been set, local storage of passwords in Firefox should be secure, as they are encrypted using a 256-bit AES cipher (as utilized by the US government for sensitive data, and generally considered very secure).
The situation when using Firefox Sync is very different, however…
Until early 2014 Firefox Sync used a very robust system to secure users’ data. However, many found this very confusing to use, and it offered no way to recover or reset lost or forgotten passwords. Responding to users’ feedback, Mozilla moved to a more traditional cloud-based syncing solution based on the traditional username and password formula.
Importantly, although Firefox Sync passwords are encrypted locally (end-to-end), a key used to secure them is generated from the username and password, which is stored online by Mozilla. If a user loses or forgets their login details, this key can be used to reset their password.
While pretty secure (and very convenient), this does mean that Mozilla can in theory access users’ Firefox Sync accounts, including unsecured (no master password) passwords. And if Mozilla can do this, in theory, hackers can too. Technical details of this system can be found here.
This problem was compounded by the fact that early iterations of the new Firefox Sync feature did not sync passwords unless the master password was turned off! Mozilla reportedly fixed this problem as of Firefox version 34, but we were unable to retrieve passwords on another device that were protected by a master password (we tested on two Android devices).
This is a major issue and effectively makes Firefox useless for securely syncing passwords across devices. For less secure passwords, the current system may be an acceptable compromise in return for the convenience of cross-device/platform syncing, but we do not recommend trusting your bank passwords to it!
The beauty of using Firefox to manage your passwords is that operation is almost entirely transparent. The browser simply saves passwords when you enter them into web forms, and will auto-complete them when you visit the web page again.
To make passwords secure, you must set a master password (and choose a strong one!).
The limited management options that are available can be found by going to Menu -> Security tab in Firefox. Here you can prevent Firefox remembering the passwords for some websites (‘Exceptions’), and view or delete Saved Passwords.
And that’s about it!
As noted, we strongly recommend against disabling the Master Password just so that saved passwords can be synced across platforms.
If Mozilla fixes this problem, Firefox is available for Windows, OSX Mac, Linux, and Android (and an iOS preview has just been released). Firefox Sync should work across all platforms.
If you use Firefox (as you should), then you already have it!
Almost completely transparent in use
Strong encryption for passwords stored locally
We weren’t so sure about
Very basic password management
No strong password generator
Only works within Firefox browser
Firefox Sync does not appear to work with Master Password enabled, making cross-device/platform password syncing
If your password management needs are modest, and mainly revolve around accessing websites and services through your local browser, Firefox’s built-in password manager has much to recommend it, as it is very convenient and uses strong local encryption.
It is a shame that this healthy security is not carried through to the password syncing feature of Firefox Sync, which effectively makes Firefox useless (at best, dangerous at worst) as a platform for syncing passwords across devices, and which deeply undermines its utility.
Anyone, therefore, who has more advanced password needs, or needs to access their passwords on more than one device, should look elsewhere.