Firefox built-in password manager (local only) vs external password manager

Hello,

I searched in the forum and the website about this topic but it seems that it is mostly about online password managers and syncing between devices. This post is just about one local password store. The recommendations page is a bit vague about built-in password managers.

I have one computer that I use for logging in to accounts. So I do not need any feature about syncing my passwords between different devices. What are the security benefits of using an external password manager like KeePassXC instead of the built-in Firefox password manager with a primary password? And what might be the security benefits of using the built-in password manager?

I don’t know how separated from the rest of the application the Firefox passwords are. So how secure are they, if there is a vulnerability in another part of the browser? In that case it would be probably better to have an external password manager. On the other hand the browser gets every password I type in it anyway. And then I would have to trust the external password manager and the browser and the connection between them (clipboard, browser plugin, …).

What would you recommend and why?

Thanks!

I use both. The Firefox password manager for websites I frequently log into (my settings flush everything when the session ends), and KeePassXC for everything else including a copy of what Firefox has. On mobile (Android) there is a corresponding app (KeePassDX), and the database is shared over the network.

Is there an easy way to backup those Firefox passwords?

With a password manager, I store a lot of metadata about the entries. Such as which alias I’m using with them, the TOTP key, maybe backup codes, extra security words, account numbers, account passwords, and even files. Then with the .kdbx file, I can send one to a family member and also to my work account for backups beyond my local backups.

While browser password managers have come a VERY LONG way, to where they now finally have decent encryption in place, IMO it is still a bad idea to use them, primarily for 3 reasons:

  1. OPSEC: unless you explicitly configure otherwise, by default whoever has access to your browser will also have access to your passwords.
  2. The browser itself is a huge attack vector; I wouldn’t keep such crucial information in it.
  3. Standalone password managers are much more feature-rich and portable than browser password managers; for instance, I keep a bunch of documents in mine, and some people also use it as an address book.

However, even if you use a standalone password manager, you still need to properly configure the password manager, the browser, and the addon for security reasons.


Usually, the principal consideration is how the browser password manager protects your secret vault on disk (and in the cloud). If it’s encrypted, where does it get the decryption material? By default, for major browsers including Chrome, Edge, and Firefox, the decryption material is stored persistently on disk, protected by some OS API (and some in the cloud). The problem is that malware running on your system can access those decryption processes as well. Additionally, without E2EE, browser password managers may not resist inspections from cloud providers.

Firefox has the option to enter a primary password on startup, which can conceptually protect against this scenario. The issue is that the Key Derivation Function (KDF) used to derive an encryption key from your password is usually weak for the consideration of slower devices, and it cannot be adjusted. It would be a step in the right direction if you used a password with entropy commensurate with the KDF function that such browser managers use. However, for Firefox, unless you look it up in the code, it’s difficult; you cannot find agreements from forums (and LLMs) about the number of iterations used for its PBKDF2 function.

On the other hand, for KeePassXC and Bitwarden, and presumably some other third-party password managers, the KDF can be adjusted, allowing you to use a more manageable password while still remaining secure. For example, Bitwarden’s forums often suggest using 4 randomly generated passphrases with the default KDF that Bitwarden employs. This is more manageable in terms of memorization, recall, and typing than the typical 6-word passphrase that is usually recommended.

The second consideration for more security-conscious individuals is: once you enter the password (or something equivalent), are your secrets stored as plaintext in memory? For Firefox, it is most likely yes. For other browsers that can be set to ask for biometric authentication, the passwords themselves are probably encrypted, but the rest of the “metadata,” such as email and the URLs/domains of the websites, is most likely unencrypted.

For third-party password managers, including Bitwarden and KeePassXC, all the information in the vaults is encrypted until you unlock it. This means the secrets you have while locked are practically invulnerable to memory dumps, app crashes that result in memory dumps, and process attachments for debugging.

How are browser password managers sometimes better than third-party password managers? They offer ease of use and the ability to autofill credentials on more sites.

TL;DR: If you can deal with the technical complexities to keep your password managers safe and accessible, third-party password managers are recommended. If not, browser password managers, when run properly, will protect you from password reuse (and credential stuffing) and help resist phishing. BUT: 1) strongest 2FA everywhere is recommended, and 2) it’s CRITICAL to stay away from malware, phishing, and scams.
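The post above argues that an adjustable KDF lets you trade a shorter passphrase for more iterations, and that your password entropy should be "commensurate" with the KDF cost. The following Python script, added here as an illustration and not taken from any of the posters or from Firefox, Bitwarden or KeePassXC, makes that trade-off concrete: it derives a key with PBKDF2-HMAC-SHA256 (the primitive the post names for Firefox), computes how many bits of attacker work a given passphrase length plus iteration count buys, and measures the iteration count that costs about half a second on the machine it runs on. The wordlist size, iteration counts and attacker throughput are assumed figures chosen for the example, not any product's real defaults.

```python
import hashlib
import math
import os
import time

# Constructed/assumed parameters for illustration only; none of these are
# Firefox's, Bitwarden's or KeePassXC's real defaults.
WORDLIST_SIZE = 7776           # words in a diceware-style list (5 dice)
PROBE_ITERATIONS = 50_000      # iteration count used for the timing probe


def derive_key(password: str, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256; the iteration count is the tunable that matters."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                               iterations, dklen=32)


def passphrase_entropy_bits(words: int, wordlist_size: int = WORDLIST_SIZE) -> float:
    """Entropy of a passphrase of `words` words drawn uniformly from the list."""
    return words * math.log2(wordlist_size)


def effective_bits(entropy_bits: float, iterations: int) -> float:
    """Attacker cost per guess scales linearly with iterations, so each doubling
    of the KDF work adds one bit relative to a single-iteration hash."""
    return entropy_bits + math.log2(iterations)


def years_to_exhaust(entropy_bits: float, iterations: int,
                     attacker_hmac_per_second: float) -> float:
    """Expected years for an attacker to search half the passphrase space, given
    an assumed throughput in HMAC-SHA256 evaluations per second."""
    expected_guesses = 2 ** (entropy_bits - 1)
    seconds = expected_guesses * iterations / attacker_hmac_per_second
    return seconds / (365 * 24 * 3600)


def iterations_for_target(target_seconds: float,
                          probe_iterations: int = PROBE_ITERATIONS) -> int:
    """Measure PBKDF2 throughput on this machine and scale it to the iteration
    count that makes one unlock take roughly target_seconds. This is what an
    adjustable KDF lets you tune and a fixed one does not."""
    salt = os.urandom(16)
    start = time.perf_counter()
    derive_key("probe-password", salt, probe_iterations)
    per_iteration = (time.perf_counter() - start) / probe_iterations
    return max(1, int(target_seconds / per_iteration))


def compare_configs(attacker_hmac_per_second: float = 1e10):
    """Side by side: 6 words at a low fixed iteration count vs 4 words at a
    user-raised count. Returns rows of (label, entropy, iterations, bits, years)."""
    rows = []
    for label, words, iterations in (("6 words, 10k iterations", 6, 10_000),
                                     ("4 words, 2M iterations", 4, 2_000_000)):
        e = passphrase_entropy_bits(words)
        rows.append((label, round(e, 1), iterations,
                     round(effective_bits(e, iterations), 1),
                     years_to_exhaust(e, iterations, attacker_hmac_per_second)))
    return rows


if __name__ == "__main__":
    for label, entropy, iters, bits, years in compare_configs():
        print(f"{label:26} entropy={entropy:5.1f} bits  work={bits:5.1f} bits  "
              f"~{years:.3g} years at 1e10 HMAC/s")
    print("iterations for a ~0.5 s unlock on this machine:",
          iterations_for_target(0.5))
```

The arithmetic in `effective_bits` is the whole point: going from 10,000 to 2,000,000 iterations adds only about 7.6 bits of attacker work, while each extra diceware word adds about 12.9 bits, so raising the KDF cost narrows the gap between a 4-word and a 6-word passphrase but does not close it. An adjustable KDF is valuable because you can pick the unlock delay you are willing to pay; with a fixed, undocumented iteration count you cannot do that calculation at all.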

It depends. Unfortunately, you’ll hear a lot of nonsense about this subject. Polymer7229’s post is pretty much on point, though. The only password managers I would personally recommend are KeePassXC and Bitwarden because, to my knowledge, these are the only ones that let you tweak KDF parameters. I’d still recommend KeePassXC because Bitwarden’s client is a wrapped web application, which makes deterministically managing memory pretty much impossible because ultimately, the garbage collector decides.

As for browser integrations, if possible, I would not use them at all because, as Polymer7229 already mentioned, browsers make huge attack vectors. But if you really want browser integration, I’d actually recommend using your browser’s password manager instead of combining a 3rd-party password manager with a browser extension – these extensions, pretty much all of them, have a horrible track record. I would recommend this blog article by Tavis Ormandy, who used to be a security researcher at Google.

But again, I advise against any kind of browser integration. Also, these days you can comfortably use passkeys on Smartphones, Macs, and Windows. Unfortunately, Linux still lacks support (at least in combination with TPMs) there.

Edit:
Remember, KDFs buy time; they don’t substitute for good, random passwords.
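Two points in the replies above are easy to state but worth seeing in code: a third-party vault keeps everything, including URLs and usernames, sealed until unlocked, and a managed-language client cannot deterministically wipe secrets because the garbage collector decides when memory is freed. The following Python sketch is an added illustration written for this thread; it is not KeePassXC's, Bitwarden's or Firefox's code. It derives a key from the master password with PBKDF2, stores the entries as a single encrypt-then-MAC blob while locked, rejects a wrong password via the tag check, and zeroes the one buffer it controls on lock. The stream cipher built from HMAC-SHA256 is a constructed stand-in so the script needs only the standard library; a real vault would use an AEAD such as AES-GCM or ChaCha20-Poly1305. The entries and the master passphrase are made up.

```python
import hashlib
import hmac
import json
import os

# Constructed sample entries; no real accounts. Note that the URL and username
# are inside the sealed blob too, not only the password.
ENTRIES = {
    "https://mail.example.com": {"user": "alice@example.com", "password": "correct horse battery"},
    "https://bank.example.net": {"user": "alice", "password": "staple-9-purple-ox"},
}


def _subkeys(key: bytes):
    """Split one PBKDF2 output into independent encryption and MAC keys."""
    enc = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac = hmac.new(key, b"mac", hashlib.sha256).digest()
    return enc, mac


def _xor_stream(enc_key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Toy HMAC-SHA256 counter-mode keystream (illustration only; use a real
    AEAD in practice)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(enc_key, nonce + (i // 32).to_bytes(8, "big"),
                         hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag."""
    enc_key, mac_key = _subkeys(key)
    nonce = os.urandom(16)
    ct = _xor_stream(enc_key, nonce, plaintext)
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag in constant time before decrypting; a wrong master
    password yields a wrong key and therefore a tag mismatch."""
    if len(blob) < 48:
        raise ValueError("truncated vault blob")
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    enc_key, mac_key = _subkeys(key)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or corrupted vault")
    return _xor_stream(enc_key, nonce, ct)


class LockedVault:
    """While locked, the object holds only salt, KDF parameters and one opaque
    blob: no URLs, usernames or passwords exist in the process as plaintext."""

    def __init__(self, blob: bytes, salt: bytes, iterations: int):
        self.blob, self.salt, self.iterations = blob, salt, iterations
        self._key = None       # bytearray while unlocked, so it can be zeroed
        self._entries = None   # dict while unlocked

    @classmethod
    def create(cls, master_password: str, entries: dict, iterations: int = 200_000):
        salt = os.urandom(16)
        key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt,
                                  iterations, dklen=32)
        return cls(seal(key, json.dumps(entries).encode()), salt, iterations)

    def is_locked(self) -> bool:
        return self._entries is None

    def unlock(self, master_password: str) -> None:
        key = hashlib.pbkdf2_hmac("sha256", master_password.encode(), self.salt,
                                  self.iterations, dklen=32)
        plaintext = unseal(key, self.blob)     # raises on a wrong password
        self._key = bytearray(key)
        self._entries = json.loads(plaintext)

    def get(self, url: str) -> dict:
        if self.is_locked():
            raise RuntimeError("vault is locked")
        return self._entries[url]

    def lock(self) -> None:
        """Zero the key buffer we control; the decoded str objects cannot be
        zeroed from Python and linger until the garbage collector frees them."""
        if self._key is not None:
            for i in range(len(self._key)):
                self._key[i] = 0
        self._key = None
        self._entries = None

    def locked_blob_contains(self, needle: bytes) -> bool:
        """Check whether a piece of metadata is visible in the locked form."""
        return needle in self.blob


if __name__ == "__main__":
    vault = LockedVault.create("constructed master passphrase", ENTRIES)
    print("URL visible while locked:", vault.locked_blob_contains(b"example.com"))
    vault.unlock("constructed master passphrase")
    print("user for mail:", vault.get("https://mail.example.com")["user"])
    vault.lock()
    print("locked again:", vault.is_locked())
```

The `lock` method shows the limitation the reply about Bitwarden's wrapped web client points at: only the `bytearray` key can be overwritten in place, while the decrypted `str` values from `json.loads` stay in memory until the interpreter collects them, so a memory dump taken shortly after locking may still contain them. A native client such as KeePassXC can zero those buffers itself, which is the practical difference being described.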

Thanks for the answers. I’ve read this blog article and it is kinda one reason why I opened this topic as the author recommends the built-in password manager if someone wants an online password manager. But I also saw several critical comments about it in this forum.

I will do it similarly to @Tux then. I will not store my passwords in some cloud or sync them via the internet between devices but just have them stored on one computer at home with an encrypted drive that is turned off when I’m not using it.