> Unfortunately, I no longer recommend Bitwarden for normal people because the built-in password manager in Firefox is too good
Interesting, I've always felt that browser-based password managers provided remarkably little value for most people. Using them on mobile is tricky and platform dependent, it's easy to have local-only, non-synced data and then lose it, and being multi-device is trickier, especially in a work context.
On the other hand, people generally understand installing an app on each device they own and that app doing it for them.
Firefox password sync just works. It's one of those things I never think about.
Watching friends and family struggle with bespoke, poorly integrated password managers makes me cringe and is one of the big reasons I enjoy the seamless experience of the built-in Firefox password manager.
Does it require a Firefox account? Does it only store them locally if you haven't signed in to Firefox? This is the sort of failure I've seen, where people think their passwords are synced but because they didn't sign in years ago it's actually not backed up at all. At least on Chrome you get reminded of that all the time on YouTube/Google search, etc.
I know for Safari all the sync is via iCloud meaning if you're not signed in it's locally stored and vulnerable in that way. Especially as many people can't/don't sign in to their own iCloud on work computers, or don't have a Mac.
Firefox reminds you a bunch of times, too. Would be nice if you could just link a new device via QR code (creating an account for you in the background).
The original Firefox sync worked like this (with a unique code and pairing instead of an explicit account) (this is so on the nose I suspect you may know this).
Didn't expect to click on that link and end up on a blog post I wrote 10 years ago! The old Firefox Sync / PAKE stuff was fantastic for getting sync going between devices... but people wanted backup, not sync. I wonder if we'd do anything differently confronted with the same challenge today.
It just works for websites. It does not "just work" for apps, whereas the platform ones do or have a chance to work with apps.
Kind of hope regulation will force Apple/Google/MS to allow iterations for 3rd parties to integrate with the OS, but on the other hand that will open a host of issues.
It does on iOS, but I believe the onus is on the app developer to enable the autofill feature in the form, or at least make sure that the app hints to iOS that it can be filled with a password. I'm making that assumption because there are lots of apps which don't trigger the native Apple password manager either (which is a lousy user experience). However, if one works then both do. The UI offers a choice of password manager and Face ID works to unlock it.
I use both. Apple's manager supports OTP generation which is nice, but on desktop websites, Firefox is often more convenient.
I use the Strongbox app on iOS [0] and the KeepassXC app on my Linux laptop. The passwords.kdbx file sits on my OneDrive, which the Strongbox app can access. On Linux I use a OneDrive client [0] that I use to sync several folders within my home folder. Strongbox supports both KeePass and pwSafe database formats. It also integrates well with iOS, with autofill supported (also supports YubiKey unlock and Apple Watch unlock).
This discussion is about an open source password manager. I wonder why you are recommending a closed source software? Are you aware that many people prefer open source for security software for a reason?
Correct. I did not realise this and am disappointed, having paid a pretty penny for the lifetime license. Reading the github thread, the surreptitious way they changed things is a bit of a dick move.
Yep, it's the same problem on Android. Some app developers go full asshole with the password text boxes. There was one electric utility here that I lambasted hard and they finally fixed their form which not only didn't trigger the password manager, it literally blocked all pasting.
iOS already has all of the API required to integrate a password manager with the OS. Third-party password managers can already integrate with both browsers and apps to provide passwords and password generation.
Technically, maybe someone could make you navigate to that URL in the future, through MITM or some sort of DNS poisoning, and autofill a form with your password and then auto-submit it.
That is such a laughable statement. 1Password has incredible UI/UX. Even has e-mail masking with Fastmail. And auto-enters TOTPs, for the less-important ones you feel comfortable saving in your password manager.
Firefox sync made the criminal sin of implementing end-to-end encryption, enabling it by default, and being insufficiently clear to people that their passwords are lost forever when they forget the master password.
This provides a really terrible UX to "normal" users. I wouldn't recommend that option to anybody who doesn't already know what E2E is and what tradeoffs it has.
Google's implementation is a lot better in that regard, at least they offer plenty of avenues for account recovery.
Presumably the passwords themselves have recovery/reset procedures? I can't think of a good reason to add another risk surface to a password manager given that.
I'm not sure how it is on iOS, but I've been using Firefox as my password manager on Android. It's a trivial change in the settings and works across all apps as well.
I also recommend it to my friend group, as they can use Firefox with uBlock Origin, and also have their passwords synced.
All serious browser vendors offer sync to logged in users. That’s multi-device, cross platform and pretty foolproof. I still prefer Bitwarden because of self-hosting and integrating nicely with the iOS ecosystem. But there’s not much wrong with the browser approach.
I have the opposite problem. If I forget to log into Bitwarden, passwords just get saved into Firefox / Chrome, so now I've got some passwords in Bitwarden, some in Chrome, some in Firefox, and worst of all Bitwarden doesn't seem to have an easy way to unify these databases.
This is obviously true for the HN crowd, but for normal people I think there's a distinction. Don't underestimate the value of centering a brand and an icon on a home screen around a single function.
> Interesting, I've always felt that browser-based password managers provided remarkably little value for most people.
They provide the value of "you should, by design, have no idea what most of your passwords are; if you know any significant number of your passwords you probably have bad passwords".
And both Firefox and Chrome sync passwords between devices.
The comment I was replying to said "browser-based password managers provided remarkably little value"; it didn't say "little value relative to other password managers".
Much as with cell phone cameras, "the best camera is the one you have with you"; the best password manager is the one you have with you.