Are your login details out in the wild? Have you opened an account on a website that’s probably been hacked? Mozilla wants to let you know. The latest version of Firefox includes a useful batch of new features designed to beef up password management and related security.
Firefox 76 for Windows, Mac and Linux launched on 5 May. The headline changes are focused on Lockwise, Firefox’s inbuilt password management feature. These include the following:
- Vulnerable password alerts. These notify you of passwords that match those that have been stolen in a known breach.
- Website breach alerts. With these, you get a warning if a website you use has been subject to a breach, meaning that there’s a risk of your logins and passwords being exploited.
Here’s a closer look at Firefox Lockwise, and at what’s changed in the latest release…
What is Lockwise?
It started life as ‘Lockbox’. When it first arrived, this was basically just a handy way to view saved passwords within the Firefox browser.
At the end of 2019, Lockbox was rebranded as Lockwise, and its capabilities were boosted: e.g. you could use Lockwise to create new password entries and edit & delete old ones. It still didn’t match the features you would expect from a full-fat, dedicated password manager tool, but it was a useful addition, nonetheless.
Firefox 76 includes further enhancements to Lockwise. These are as follows:
Added access protection
- Let’s say you leave your desk for a moment with Firefox open on your screen. With previous Firefox versions, there was nothing to stop a snooper from heading over to your Lockwise page and viewing your saved password/login details.
- Firefox 76 minimises this risk by adding an additional authentication prompt.
- When you try to view or copy a password from the ‘Logins and Passwords’ page under your Firefox account, you will be asked to give the password for your device’s account before proceeding.
- Once you have entered the password, your credentials are available to view and copy for up to 5 minutes.
Notifications for breached and vulnerable passwords
- Note: for these features to work, you’ll need to create a Firefox account. To make sure that your logins are captured, go to the Logins and Passwords page and check the box for “Ask to save logins and passwords for websites”.
- Breach notifications are shown in the Lockwise dashboard. A list of logins appears on the left side of the screen. Firefox 76 introduces two new icon indicators that appear next to the relevant website address on the list in the event of a security issue.
- The Vulnerable Password alert tells you if the password you are using on that particular site has been used on another account that was likely subject to a data breach. It warns you that reusing your passwords puts all your accounts at risk and advises you to change the password.
- The Website Breach alert notifies you that credentials were leaked or stolen from that particular site since you last updated your login details. It provides you with details of the date of the breach and advises you to change your password to protect your account.
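The two alert rules described above can be modelled in a few lines. This is an added example, not Firefox or Mozilla code: the function names `isBreached` and `classifyLogins`, the record fields and all sample logins and breach records are constructed for illustration.

```javascript
// Added example: simplified model of the two alerts, not Firefox source code.
// All logins and breach records below are constructed sample data.
const savedLogins = [
  { origin: "https://shop.example", username: "ana", password: "Tr0ub4dor&3", changed: "2019-03-01" },
  { origin: "https://mail.example", username: "ana", password: "Tr0ub4dor&3", changed: "2020-04-20" },
  { origin: "https://bank.example", username: "ana", password: "x9!Lq2#vPz7w", changed: "2018-01-15" },
  { origin: "https://forum.example", username: "ana", password: "m4Rk3t-Blue-77", changed: "2020-02-10" },
];
const breaches = [
  { domain: "shop.example", breachDate: "2019-11-05" },
  { domain: "forum.example", breachDate: "2019-06-30" }, // before the password change
];

// Website Breach: the site was breached after the login was last updated.
function isBreached(login, breachList) {
  const host = new URL(login.origin).hostname;
  return breachList.some(b =>
    (host === b.domain || host.endsWith("." + b.domain)) &&
    Date.parse(b.breachDate) > Date.parse(login.changed));
}

// Vulnerable Password: same password as another saved login that is breached.
function classifyLogins(logins, breachList) {
  const exposed = new Set(
    logins.filter(l => isBreached(l, breachList)).map(l => l.password));
  return logins.map(l => {
    let alert = "none";
    if (isBreached(l, breachList)) alert = "website-breach";
    else if (exposed.has(l.password)) alert = "vulnerable-password";
    return { origin: l.origin, alert };
  });
}

const report = classifyLogins(savedLogins, breaches);
for (const r of report) console.log(r.origin.padEnd(24), r.alert);
```

The forum login stays clean because its password was changed after the breach date, while the mail login is flagged only because it shares a password with the breached shop account.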
Password generation tool
We know we shouldn’t do it, but around two thirds of us recycle the same passwords across multiple accounts. Part of the reason is that we want an easy life. Coming up with fresh, memorable passwords with a minimum of 12 letters, numbers and symbols is a hassle.
Most dedicated password manager tools include a password generator to help you with this. Now, Lockwise includes this feature, too. When you’re creating a new account, Lockwise will offer to generate a safe and complex password for you, and save it directly to your browser.
Where does Mozilla get its information about website breaches and compromised passwords?
This information comes from Have I Been Pwned, an open access platform that logs breaches and allows people to check if their personal data has likely been exposed.
Does this mean I don’t need a separate, dedicated password management tool?
Dedicated tools such as LastPass, RoboForm and NordPass come with additional features. These can include things like support for multiple devices and browsers from a single account, the ability to add additional authentication layers and secure document sharing.
It depends on what you are looking for. If Firefox is your browser of choice and you just want basic password management capabilities, Lockwise is a useful tool to have.
Then what happens when someone gets the Firefox account and their data, like logs?
I’m not sure what you mean about logs. But is having a password manager built into your browser a risk? Yes, it is. But it is less of a risk than using bad passwords and reusing passwords. If you don’t want a password manager in the browser (which is a fair thing), then use KeePass or masterpassword.
Hello Nathan, I am a cybersecurity enthusiast, and this is your first blog which I have read; you have very well explained Firefox’s inbuilt password manager feature!! Thanks for sharing this information!!
It is worth exploring KeePass, which to me is the best password manager. I have been using it for more than 8 years now. It is offline and can be used across multiple computers if synchronized via Syncthing or SpiderOak (you can choose any other zero-knowledge provider). It is associated with a passphrase to open the KeePass database. Worth the hassle to try 🙂
KeePass has a lower attack surface than a browser-based password manager but is less convenient. Also with a lower attack surface is http://www.masterpasswordapp.com/
Interesting concept for password generation.
Yes I think so too.
I like the blog post! Explains the feature in Firefox quite well and explains why you’d want to use it.
My preference, though, is still to use a 3rd party password manager and not a built-in one in the browser. My main reason for doing this is cross-browser password management. I use different browsers for different purposes on different devices. On my phone, I find Chrome has problems with some pages where they will stop updating the display (i.e. it is still scrolling, but I need to hit home and go back into Chrome to get the page to show where I scrolled to). Plus, some apps have username and password pairs as well as web interfaces.
Therefore, my opinion is that password managers baked into a web browser are mostly useless. By using a 3rd party app, you can log in to almost any mobile application without needing to have an insecure password or loading up Firefox to get a copy of the password.
On top of that, if there is a flaw in how the browser is storing the passwords, an administrator on the computer (for example in a corporate environment or a shared home computer with multiple admins) may get access to your passwords. The 3rd party tools are vulnerable to that as well, but if the primary purpose of the tool is password management, they are more likely to patch the problem than a web browser which has a primary purpose of browsing the web.
Sites like Have I Been Pwned allow users to sign up and put their email address in and get notified without the need to download, install, and configure another tool. Plus, if you decide to stop using Firefox and instead use Edge or Chrome or whatever, you still get the emails.
I do have my preferred password manager, but I am not here to advertise so I’ll keep it off of my post.
Great post! What do you think of Brave browser plus Bitwarden? I found it to be quite good, maybe even better than Firefox. Thanks!
Thanks, Nathan. Interesting read and good to get the additional interpretation of the functionality.