Rolling your own password management solution

FWIW, I have passwords for about 300 services. I’ve created them all by hand and most (including all of the sites that matter) are pretty secure.

But I definitely don’t have them all memorized. They’re stored in a text file on my desktop Mac (NOT mirrored to any cloud service!) and the ones I use most often are stored in Firefox’s built-in password manager (which is mirrored to all of my Firefox installations via Firefox Sync).

When I travel, I may bring the text file with me on my laptop, but when I do, I keep it in an encrypted disk-image (whose password I do not store in the keychain), to protect against the possibility that the computer might get stolen.


Re: Rolling your own password management solution
“Laziness is the mother of invention” – Anon
Add to that my marvelously dyslexic typing, and I concluded that a good Password Manager is mandatory for me.

Since I do not have the security programming chops to create and maintain a password manager for multiple physical and OS instances, exacerbated by lack of time and ambition, a Subscription to 1Password or the like became an inescapable conclusion.

Your business/personal case may differ.

I used to use the FF password manager to store logins, for years… it was very convenient, similar to the Mac’s own keychain (but less buggy, as I recall)… then I got nervous about it, and stopped using it. But I don’t remember why I got nervous about it. What is your impression of its security? Has anybody seriously analyzed what it’s doing under the hood? Does it upload anything to Mozilla’s servers (or anywhere else) for “syncing” purposes?

More cloud vaults hacked!

A major tech site has an article about two major new cloud-service breaches – one of them a security-oriented service, though not a password manager – which they lump in with the LastPass breaches. They also suggest a spillover effect is possible, since so many of these kinds of services use each other’s services for various things.

The range of user comments/opinions is kind of similar to those here, in a way, but overall it’s shorter (so far) than this thread. Check it out.

What the ultimate authority on encryption says…

The two most credible and expert security voices in the world, IMHO, are the encryption expert Bruce Schneier, and the computer-security journalist Brian Krebs. (Each has his own website.)

You’ll find a very brief summary of Schneier’s attitude towards cloud-based password managers here. He mentions his own security project, which I haven’t looked into yet… but he also says:

"My particular choices about security and risk is to only store passwords on my computer—not on my phone—and not to put anything in the cloud. In my way of thinking, that reduces the risks of a password manager considerably. Yes, there are losses in convenience."

Essentially the same as what I’ve been saying here, isn’t it? (Although I don’t have any security expertise and don’t claim any, just a gut feeling.)


Yes, we are interested in creating a password manager — thanks for a great road map. :blush:

The companies are chat service Slack and software testing and delivery company CircleCI.


If you don’t enable the Firefox Sync feature, then the database is stored locally in your profile (logins.json) and it never leaves your computer. Each record in there looks like:

{"id":6,
 "hostname":"https://www.example.com",
 "httpRealm":null,
 "formSubmitURL":"https://www.example.com",
 "usernameField":"...",
 "passwordField":"...",
 "encryptedUsername":"....",
 "encryptedPassword":"....",
 "guid":"{00000000-1111-2222-3333-444444444444}",
 "encType":1,
 "timeCreated":1308628396205,
 "timeLastUsed":1654022880149,
 "timePasswordChanged":1343726148177,
 "timesUsed":13},

The user names and passwords are encrypted. I don’t know where the key comes from, but it appears to be locally generated and different on each computer, since the encrypted strings are different on different computers, even after they have been sync’ed together.

If you configure a primary password for your passwords, then Firefox will not allow access to the contents without the password. Without this password, anyone running Firefox can go to the password manager (in the app) and view the contents.

I noticed that logins.json file does not change when a primary password is enabled, so I suspect that under the covers, the system creates a random encryption key and stores it somewhere in your profile, with the primary password encrypting that key. But I’m not sure.

If you enable Firefox Sync, then the data is end-to-end encrypted using a key derived from your Firefox account password. (So make sure that that one is particularly secure!) The encrypted database is stored on FF’s cloud server. Login credentials to that server are authentication tokens cryptographically derived from your account password - so they never receive your actual password and (they claim) it is impossible to derive the encryption key from the authentication token.

Anyone can configure Firefox to sync your passwords, but they would need your FF account password to download and decrypt the file. And if you have 2FA enabled on your FF account, they’ll also need that in order to initiate the download.

I assume the data encrypted by the sync service contains the plaintext user IDs and passwords, since the locally-stored versions seem to use different keys on different computers, even after they have been sync’ed.

As for an analysis of how secure this system is, I’ll leave that to others, but here are a bunch of articles that explain how they say it works, along with an audit report from 2017.

See also:

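As an added example (my own code, not Mozilla’s and not from any post in this thread): the script below builds a logins.json in the layout quoted above and lists what someone who copies that file, but not the profile’s key store, can still read. Only encryptedUsername and encryptedPassword are ciphertext; hostnames, timestamps and use counts are plaintext, and the ASN.1 envelope around each ciphertext still exposes the key ID, the cipher OID and the ciphertext length, which bounds the password length to an 8-byte window. The key ID value and the des-ede3-cbc envelope layout are what NSS’s SDR is generally observed to produce and are assumptions here; the ciphertext bytes are random stand-ins of the right length, and the records are constructed.

```python
"""Inspect a Firefox logins.json without the profile key (added example)."""
import base64
import json
import os
from datetime import datetime, timezone

# OID 1.2.840.113549.3.7 (des-ede3-cbc), the SDR cipher seen in logins.json.
DES_EDE3_CBC = bytes.fromhex("2a864886f70d0307")
# Key ID NSS uses for its default SDR key (assumption: the usual value).
SDR_KEY_ID = bytes.fromhex("f8000000000000000000000000000001")


def der(tag: int, body: bytes) -> bytes:
    """Minimal DER TLV encoder."""
    n = len(body)
    if n < 0x80:
        length = bytes([n])
    else:
        lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
        length = bytes([0x80 | len(lb)]) + lb
    return bytes([tag]) + length + body


def der_decode(buf: bytes, pos: int = 0):
    """Return ((tag, value), next_pos); a SEQUENCE's value is a list of children."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    end = pos + length
    if tag == 0x30:
        items = []
        while pos < end:
            item, pos = der_decode(buf, pos)
            items.append(item)
        return (tag, items), end
    return (tag, buf[pos:end]), end


def oid_to_str(b: bytes) -> str:
    arcs, val = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        val = (val << 7) | (byte & 0x7F)
        if not byte & 0x80:
            arcs.append(val)
            val = 0
    return ".".join(map(str, arcs))


def sdr_blob(ciphertext: bytes, iv: bytes) -> str:
    """Base64 of SEQUENCE{keyID, SEQUENCE{oid, iv}, ciphertext}: the SDR envelope."""
    algo = der(0x30, der(0x06, DES_EDE3_CBC) + der(0x04, iv))
    return base64.b64encode(der(0x30, der(0x04, SDR_KEY_ID) + algo + der(0x04, ciphertext))).decode()


def make_sample_logins(entries) -> str:
    """Constructed logins.json: random bytes stand in for 3DES-CBC ciphertext,
    sized as PKCS#7 padding would size a password of the given byte length."""
    logins = []
    for i, (host, pw_len) in enumerate(entries, 1):
        ct_len = (pw_len // 8 + 1) * 8
        logins.append({
            "id": i, "hostname": host, "httpRealm": None, "formSubmitURL": host,
            "usernameField": "user", "passwordField": "pass",
            "encryptedUsername": sdr_blob(os.urandom(16), os.urandom(8)),
            "encryptedPassword": sdr_blob(os.urandom(ct_len), os.urandom(8)),
            "guid": "{00000000-0000-4000-8000-%012d}" % i, "encType": 1,
            "timeCreated": 1308628396205, "timeLastUsed": 1654022880149,
            "timePasswordChanged": 1343726148177, "timesUsed": 13})
    return json.dumps({"nextId": len(logins) + 1, "logins": logins, "version": 3})


def inspect_login(rec: dict) -> dict:
    """Everything readable from one record with no key at all."""
    blob = base64.b64decode(rec["encryptedPassword"])
    (_, [(_, key_id), (_, [(_, oid), (_, iv)]), (_, ct)]), _ = der_decode(blob)
    cipher = oid_to_str(oid)
    block = 8 if cipher == "1.2.840.113549.3.7" else None
    return {
        "hostname": rec["hostname"],
        "keyId": key_id.hex(),
        "cipher": "des-ede3-cbc" if block else cipher,
        "ivLen": len(iv),
        "ctLen": len(ct),
        # PKCS#7 padding: a C-byte ciphertext hides a password of C-8..C-1 bytes.
        "passwordLenRange": (len(ct) - block, len(ct) - 1) if block else None,
        "lastUsed": datetime.fromtimestamp(rec["timeLastUsed"] / 1000, tz=timezone.utc).isoformat(),
        "timesUsed": rec["timesUsed"],
    }


def inventory(logins_json: str) -> list:
    return [inspect_login(r) for r in json.loads(logins_json)["logins"]]


if __name__ == "__main__":
    sample = make_sample_logins([("https://www.example.com", 11), ("https://bank.example.net", 20)])
    for row in inventory(sample):
        print(row)
```

Point a real profile at it by replacing the constructed sample with `open(".../logins.json").read()`; the same inventory comes out of a file lifted from a stolen laptop, with or without a primary password, which is why the plaintext metadata (which sites, how often, when) is itself worth protecting.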

@David C. Shamino:

Excellent, detailed reply with lots of useful information. Thanks, David.

Now if I only I could remember why I stopped using the FF password manager, years ago… something must have made me nervous…

One thing I recall is that, since Thunderbird (email program) back then was also from Mozilla, I had the same master password for both. Now that Tbird is basically independent of Mozilla (I think), I suppose it ought to have its own separate password.

1PW8 currently (well, since August) suffers from annoying issues with Face ID not working. Waiting for the fix, I went back to 1PW7 for the time being.

I don’t have that problem. I hope it gets worked out for you. I was having an issue early on with the extension for iPad OS, but that’s been better for months now.


This, again, would be an issue if Firefox/Mozilla has their data store stolen as Lastpass did. With 1P and iCloud Keychain, there is another key that tangles with your password. The 2FA on Firefox sync wouldn’t help you in that case - they already have the data.

Chrome has a similar system but IIRC it defaults to using just your account credentials to encrypt. But you can optionally add a sync password that does make it stronger. But, again, the same issue if the data is lost.

(I’m hoping that Google and Mozilla have better security over their backup data than Lastpass did.)


I don’t think so.

As I understand the Firefox documents, your password is used to generate two different cryptographic tokens. One is the encryption key for the data, and the other is an access token for logging in to the web site. And you can’t derive one from the other.

According to their documents, your plaintext password is never sent to their server. It is only used locally to generate the key and access token, only one of which (the token) is shared with the Firefox server.

If someone gets your plaintext password, then yes, you’re SOL, because that generates both.

But if someone hacks their server, they will get the encrypted data and the access token. But they shouldn’t be able to generate the decryption key from that access token. They would need to run through the usual password-cracking mechanism (dictionaries, brute-force, etc.) to try and access the data. Either to determine the key for decrypting the data or to determine the plaintext password for generating the access token (which can then generate the decryption key).

In other words, as far as I can tell, the security of your data will almost entirely depend on the security of your chosen password. So pick something with sufficiently high length and complexity (based on whatever you personally consider sufficient) and I think it will be fine.

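To make the two-token point concrete, here is an added example (my code, not Mozilla’s and not from this thread) of the Firefox Accounts “onepw” derivation as Mozilla documents it: the account password is PBKDF2-stretched with the email address as salt, then HKDF-split into authPW (what the client sends to log in) and unwrapBKey (never sent); the server stores the key-wrapping value wrapKb, and the client recovers kB = unwrapBKey XOR wrapKb and derives the Sync encryption and HMAC keys from kB. The server-side verifier is modelled as one more HKDF over authPW; the real server also runs scrypt over authPW before hashing, which is left out here, so treat that part and the candidate word list as assumptions. The last function plays the attacker of the previous two posts, who has stolen the server’s record and can only try candidate passwords offline.

```python
"""Firefox Accounts 'onepw' key derivation, modelled from the published protocol."""
import hashlib
import hmac
import os

NS = b"identity.mozilla.com/picl/v1/"


def hkdf_sha256(ikm: bytes, info: bytes, length: int, salt: bytes = b"") -> bytes:
    """RFC 5869 HKDF-SHA256 (extract, then expand); empty salt means 32 zero bytes."""
    prk = hmac.new(salt or b"\x00" * 32, ikm, hashlib.sha256).digest()
    out, block, counter = b"", b"", 1
    while len(out) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        out += block
        counter += 1
    return out[:length]


def quick_stretch(email: str, password: str) -> bytes:
    """PBKDF2-HMAC-SHA256, 1000 rounds, salt bound to the account email."""
    salt = NS + b"quickStretch:" + email.encode()
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 1000, 32)


def client_keys(email: str, password: str):
    """One password, two unrelated 32-byte outputs via different HKDF info labels."""
    qs = quick_stretch(email, password)
    auth_pw = hkdf_sha256(qs, NS + b"authPW", 32)        # sent to the server
    unwrap_bkey = hkdf_sha256(qs, NS + b"unwrapBkey", 32)  # stays on the client
    return auth_pw, unwrap_bkey


def xor32(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def server_verifier(auth_pw: bytes) -> bytes:
    # Assumption/simplification: the real server scrypt-stretches authPW first.
    return hkdf_sha256(auth_pw, NS + b"verifyHash", 32)


def register(email: str, password: str, kb: bytes = None):
    """Return (what the server stores, the client's kB)."""
    auth_pw, unwrap_bkey = client_keys(email, password)
    kb = kb or os.urandom(32)
    record = {"email": email,
              "verifyHash": server_verifier(auth_pw),
              "wrapKb": xor32(kb, unwrap_bkey)}
    return record, kb


def sync_keys(kb: bytes):
    """Sync bundle keys: first 32 bytes encrypt, last 32 bytes authenticate."""
    k = hkdf_sha256(kb, NS + b"oldsync", 64)
    return k[:32], k[32:]


def offline_crack(record: dict, candidates):
    """Attacker with the stolen server record: guess the password, recover kB.
    Nothing in the record yields unwrapBKey directly; every guess costs a PBKDF2 run."""
    for pw in candidates:
        auth_pw, unwrap_bkey = client_keys(record["email"], pw)
        if hmac.compare_digest(server_verifier(auth_pw), record["verifyHash"]):
            return pw, xor32(record["wrapKb"], unwrap_bkey)
    return None


if __name__ == "__main__":
    rec, kb = register("alice@example.com", "correct horse battery staple")
    # Constructed word list; the real cost is one quick_stretch per guess.
    hit = offline_crack(rec, ["password", "letmein", "correct horse battery staple"])
    print("cracked:", hit[0], "kB recovered:", hit[1] == kb)
    print("sync enc key:", sync_keys(kb)[0].hex())
```

Two things the code makes visible: the server record is useless without a successful guess, so the password’s entropy is the whole defence once the record leaks, and the client-side stretch is only 1000 PBKDF2 rounds, which is why the account password has to carry far more entropy than a password protected by a 600,000-round KDF would need.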

I heartily endorse Joe Kissell’s Take Control of Your Passwords

After a bit more web searching, I found that yes, the password database is encrypted using a locally-stored key stored in a file named key4.db. Your master password encrypts this file.

If you don’t have a master password, then this file is left as plaintext, and anyone copying it along with logins.json can then copy it to a newly-created Firefox profile and read/export the contents. If there is a master password, then someone could still copy it to a new system, but they’d need the master password to decrypt everything.

Which means that if this is a concern for you, a master password with a strong password will be important.


I can’t believe anyone here is actually talking about remembering more than two or three important passwords (i.e. Apple ID/iCloud, 1PW master password, Firefox master password, etc.) It’s just not possible. And I say that as someone who has found myself to be something of a ‘password savant’ (:rofl:). I work as a one-man “Mac Doctor”, helping clients with all manner of issues on their Apple devices. I’ve found that I often sit down in front of a regular client’s Mac, even if I haven’t seen them in months, and their login password will just come to me. Of course, these passwords are all simple, old-school ones such as Maggie1, mydoghasblackstripeS4$, Mom’s4*kids, etc. Strange, nonetheless, eh? I also have probably close to a dozen of my own regularly-used passwords memorized, though they’re mostly in the 12-16 character range. My primary wifi password is 20 characters; it’s essentially a long made up word with a number and a symbol.

Bottom line though, is that everyone needs some sort of ‘password manager’, even if it’s just a piece of paper. We simply can’t be expected to remember the kinds of passwords we’ve been discussing here. (Even weirdos like me. :nerd_face:) I’m currently a very unhappy user of 1PW; the mess they’ve made of it in version 8.x? Don’t even get me started on that…


Yep… I remember the 5 login passwords for my Macs, 1PW master, and Apple ID… but beyond that they’re all in 1PW v7 and will never be in v8 unless they fix the many issues and lost capabilities over v7… but their VC part owners are driving the train now and they’ve refocused on enterprise customers and subscriptions to the detriment of regular users.

Apparently 600,000 is now recommended.

https://support.lastpass.com/help/security-bulletin-recommended-actions-for-free-premium-and-families-customers

At a former workplace, we used an electric typewriter to do this. It was capable of re-printing pages, and was not internet connected. That way, nothing internet connected had a glimpse of the passwords.

Well, maybe some of these people! World Memory Championships - Wikipedia
