27

After installing the LastPass password manager, I am presented with a login dialog including the option to "Disable Insecure Firefox Password Manager".

(This option appears as long as the Firefox Password Manager is enabled, whether or not a master password is being used.)

LastPass login screen

Is Firefox less secure than LastPass for the same tasks under the same implied threat model?

Important: For an apples-to-apples comparison, this would mean comparing LastPass to:

  1. Firefox Password Manager (local storage)
  2. with Master Password (local encryption/security)
  3. and Firefox Sync (remote storage, encryption/security and device synchronization)

(not comparing LastPass to unsynced Firefox without Master Password). I assume the threat model is something like daily browser use, including entering passwords for online banking etc., and storing and sharing login credentials between browser installations on different machines you own.

(My initial research reveals complaints and vulnerabilities in old (pre-Sync) versions of Firefox, including confusion about which login components are encrypted and which are not, suggestions that new Sync is "zero-knowledge" (but no clarification on what is stored in plaintext locally), claims that LastPass uses JavaScript for encryption and is therefore inherently insecure and, most confusingly, endorsement of LastPass from Mozilla.)

lofidevops

  • soft migration of http://skeptics.stackexchange.com/questions/23584 based on comments there – lofidevops Oct 23 '14 at 13:55
  • I disagree with the `primarily opinion-based` flags - this is not opinion based if solid reasons are given either way about specific points, even if overall the answers don't reach a specific conclusion. – SilverlightFox Oct 23 '14 at 16:30
  • A key difference between Firefox and LastPass is that the former is open-source. Would be interesting to see someone review the code to the password storage and sync functionality in Firefox and compare them to whatever details are public for LastPass. – Iszi Nov 23 '14 at 10:47
  • Why would anyone use LastPass given they spy on all your network activity? It says so right in the [terms of service](https://www.logmeininc.com/legal/terms-and-conditions), which refer to their [privacy policy](https://www.logmeininc.com/legal/privacy). It basically says they collect all the data they possibly can, combine it with data they get from 3rd parties, share it with business partners, and basically completely spy on you. – gman Aug 17 '19 at 16:50

3 Answers

10

In my opinion, LastPass is calling the Firefox password manager insecure when the user is not using a master password for Firefox, which won't be an apples-to-apples comparison.

Firefox uses 3DES for storing passwords, and if a master password is not set, null ("") is used, which is insecure for sure. To read in detail about how Chrome, IE and Firefox store passwords, refer to this excellent article.

If a master password is used (and is strong enough), then I don't see that it will be easy to crack the passwords, given there are no implementation bugs.

Catskul
Jor-el
1

The checkbox in the screenshot refers to the Firefox Password Manager without Master Password, although it doesn't check, and it works in both cases. I guess most of the time people use the password manager in Firefox without a master password. They log in to a site, Firefox offers to store the password, they agree, and that's it. This is the use case for most people, but probably not for the visitors of this site.

So when Lastpass asks this question they oversimplify, but I guess with good reason. The "normal" user won't be confused and can check this box. Removing the passwords from the unprotected Firefox password manager is a good idea, as you've already decided to use Lastpass.

As is answered here already, when using a master password, it is pretty safe. Then it comes down to features and risks, and both have pros and cons. Most of LastPass's features can be added with addons to the Firefox Password Manager.

I have used both, first Firefox, then Lastpass, then again Firefox and now Lastpass... The reason to choose Lastpass in the end is because I realized I became sloppy and all those features in one place makes it a good deal. If you don't trust the upload-feature completely, use Keepass to keep some passwords offline.

SPRBRN
-2

The two are different.

The password manager included in your browser usually stores your passwords on your file system and protects them using your operating system account. For example, on Windows, if you want to view your saved passwords you need to enter your Windows credentials.

LastPass, on the other hand, stores your passwords on their server and encrypts them using the master password associated with your LastPass account.

Let's look at the problems of each:

Browser password manager: It assumes that your operating system account is secure. If someone else knows your operating system account password they can steal all the passwords in your manager. In Chrome, for example, it seems that your passwords are simply in plain text on your file system. So, if you leave your session open and leave your computer, anyone can steal your passwords. An administrator of the operating system can probably do it also...

But with Firefox, you have the option to select a master password to encrypt/decrypt your passwords. If you select this option, your passwords should be safe even if someone else accesses your computer.

LastPass: It assumes that you are the only one to know your master password, which is probably true. On the other hand, if someone is able to find your master password (maybe by hacking into LastPass) then they will have access to all your passwords.

I would say that both options are good enough: Firefox with master password and LastPass.

About the use of javascript to encode your password.

I would say it's mostly a gimmick from LastPass to make you feel more secure, but it's not a problem really. A quote from them:

All sensitive data is encrypted and decrypted locally before syncing with LastPass. Your key never leaves your device, and is never shared with LastPass. Your data stays accessible only to you.

They claim that it's more secure because LastPass itself can't even know your master password since it will never receive it. But in reality, since they control the JavaScript, does it make a big difference if they encrypt/decrypt locally or on their server? In general, no. They could remove the JavaScript whenever they want to receive your master password directly if they want.

But back to the JavaScript... When their page is secure, an attacker cannot modify the JavaScript. If their page was insecure, an attacker could simply log everything that you type and steal your master password anyway. The use of JavaScript to encrypt/decrypt is irrelevant here; you just need to ask yourself if their page is secure or not, and it probably is.

But they do claim that it saved them from the Heartbleed attack.

However, LastPass is unique in that your data is also encrypted with a key that LastPass servers don’t have access to. Your sensitive data is never transmitted over SSL unencrypted - it’s already encrypted when it is transmitted, with a key LastPass never receives. While this bug is still very serious, it could not expose LastPass customers’ encrypted data due to our extra layers of protection. On the majority of the web, user data is not encrypted before being transmitted over SSL, hence the widespread concern.

Source

Gudradain

  • in the question, he includes Firefox Sync as a component for apples-to-apples comparison – schroeder Oct 23 '14 at 15:06
  • I find several of the LastPass claims to be questionable - firstly, if we assume a compromised OS, the two mechanisms (browser password store as well as LastPass) are completely compromised. At best, the window of opportunity is lower with LastPass (although that'd need some proving, too - how long does the unencrypted password hang around in memory?). Secondly, regarding not passing things "unencrypted" over SSL, your password will still need to be sent to the site you're logging in to. So, even optimistically, they don't seem to add too much. – Daniel B Oct 24 '14 at 07:12
  • @DanielB About passing things unencrypted over SSL, I have my question on that too, but what they are sending is a hash of your master password. Then on the server side this hash is most likely rehashed, then stored in the database. The website passwords are encoded with the master password. If the first hash of the master password was to be stolen, it wouldn't help the attacker that much. Sure, he can probably crack the hash with enough computing power, but that's it. – Gudradain Oct 24 '14 at 12:56
  • @Gudradain Quite possibly, my point is just that with their method, there are 2 requests which can be intercepted, as opposed to only one (with the offline password stores). It doesn't matter how "secure" the additional request is, we still haven't increased the overall security of the situation. – Daniel B Oct 24 '14 at 14:01
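The two technical points argued on this page (a vault key derived from an empty master password, as in Jor-el's answer about Firefox without a master password, and the "client sends only a hash of the master password, server rehashes it" design discussed in Gudradain's answer and the comments under it) can be made concrete with a small model. The following is an added example written for this page; it is not Firefox's, LastPass's or any answerer's code. It assumes PBKDF2-HMAC-SHA256 for key derivation with the account email as salt, a second PBKDF2 step to turn the vault key into a one-way login hash, and an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag as a stand-in for a real AEAD such as AES-GCM (the Python standard library has no AES). Iteration counts, account names and vault entries are constructed for the example.

```python
import hashlib
import hmac
import json
import secrets

ITERATIONS = 10_000   # assumption: kept low so the example runs quickly
KEY_LEN = 32
NONCE_LEN, TAG_LEN = 16, 32

# Constructed sample vault; not real credentials.
CONSTRUCTED_ENTRIES = {"bank.example": "hunter2", "mail.example": "correct horse"}


def derive_vault_key(master_password: str, email: str) -> bytes:
    """Client side: the key that encrypts the vault. It is never sent anywhere.
    An empty master password still yields a key; it is just one anyone can derive."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(),
                               email.lower().encode(), ITERATIONS, KEY_LEN)


def derive_login_hash(vault_key: bytes, master_password: str) -> bytes:
    """Client side: one more one-way step gives the value sent to the server.
    PBKDF2 is one-way, so the server cannot recover vault_key from this."""
    return hashlib.pbkdf2_hmac("sha256", vault_key, master_password.encode(), 1, KEY_LEN)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # HMAC used as a PRF in counter mode; illustrative stand-in for a block cipher.
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(vault_key: bytes, entries: dict) -> bytes:
    """Encrypt-then-MAC; output is nonce || ciphertext || tag."""
    enc_key = hmac.new(vault_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(vault_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(NONCE_LEN)
    plaintext = json.dumps(entries, sort_keys=True).encode()
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt_vault(key: bytes, blob: bytes):
    """Returns the entries, or None when the key is wrong or the blob was tampered with."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()):
        return None
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext)


class VaultServer:
    """Server side: holds only a salted rehash of the login hash and the opaque blob."""

    def __init__(self):
        self.accounts = {}

    def register(self, email: str, login_hash: bytes, blob: bytes) -> None:
        salt = secrets.token_bytes(16)
        stored = hashlib.pbkdf2_hmac("sha256", login_hash, salt, ITERATIONS, KEY_LEN)
        self.accounts[email] = {"salt": salt, "hash": stored, "blob": blob}

    def fetch_vault(self, email: str, login_hash: bytes):
        acct = self.accounts.get(email)
        if acct is None:
            return None
        check = hashlib.pbkdf2_hmac("sha256", login_hash, acct["salt"], ITERATIONS, KEY_LEN)
        return acct["blob"] if hmac.compare_digest(check, acct["hash"]) else None


def zero_knowledge_roundtrip(master_password: str, email: str = "alice@example.com"):
    """Returns (what the user recovers, what a login-hash eavesdropper recovers,
    what the server operator recovers) for one register/login cycle."""
    server = VaultServer()
    vault_key = derive_vault_key(master_password, email)
    login_hash = derive_login_hash(vault_key, master_password)
    server.register(email, login_hash, encrypt_vault(vault_key, CONSTRUCTED_ENTRIES))
    blob = server.fetch_vault(email, login_hash)            # legitimate client
    user_sees = decrypt_vault(vault_key, blob)
    eavesdropper_sees = decrypt_vault(login_hash, blob)     # captured login hash, no vault key
    server_sees = decrypt_vault(server.accounts[email]["hash"], blob)  # database contents only
    return user_sees, eavesdropper_sees, server_sees


def offline_guess_on_vault_file(blob: bytes, email: str, guess: str = ""):
    """Someone holding only the vault file tries one master-password guess.
    When the master password was empty, the empty guess is trivially right."""
    return decrypt_vault(derive_vault_key(guess, email), blob)


if __name__ == "__main__":
    print(zero_knowledge_roundtrip("correct horse battery staple"))
    weak = encrypt_vault(derive_vault_key("", "bob@example.com"), CONSTRUCTED_ENTRIES)
    print(offline_guess_on_vault_file(weak, "bob@example.com"))
```

The model makes Daniel B's point visible too: the server can authenticate the user and hand out the blob, but a stolen login hash or a dump of `server.accounts` yields only ciphertext, so the extra request adds no decryption capability by itself. What the model does not capture is the part the answer above stresses, namely that whoever serves the client code can change what the client computes; the key-derivation step only protects the user while the client is the one they expect.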