135 comments

[ 3.0 ms ] story [ 208 ms ] thread
Ah, you got me by a minute to submit.

This is a bummer but not surprising. There have been a number of outstanding bugs that were never addressed and releases were slowing down - even when github commits were getting backed up.

Please do elaborate. Also, does this leave users in the lurch, or will an updated Firefox satisfy all the use cases of Lockwise? Thanks.
Current Firefox on Android supports prior lockwise use cases, from what I can see and what was reported in the comments here. You might have to toggle it on first though.
well that's a little annoying. apparently this was published a few days ago and i guess we just all got the email.

they mention continued pm support for ios, but not android? is that discontinuing?

edit: android pm support is integrated too

I discovered recently that Firefox itself can work as a password manager on Android. I had Lockwise installed so that I could use Firefox saved passwords in other Android apps, and now it turns out Firefox can do that directly.
The implication being that lockwise is discontinued because its use case has been subsumed by Firefox?

If so, that's a thankful addendum to this announcement.

Edit: yep, in settings, logins and passwords, there are two toggles, one to allow Firefox to fill in passwords for web pages, and one to allow Firefox to fill in passwords for other sites, which takes you to the Android password manager selection section.

Yeah, and it sounds like the same will be true on iOS sometime in December. Not sure why they'd announce the discontinuation now instead of just waiting a few weeks until they have a drop-in replacement available, though I guess it is just for one platform.
I use Lockwise but not for other apps. Does anyone know the details about how one app would fill in passwords for another on Android? That capability seems...powerful and dangerous.
https://developer.android.com/guide/topics/text/autofill

Basically: when you focus an input textbox Android asks the service for autocompletion, and then you can choose one of the options which is entered as if the user has typed it. The service already has the password, and the destination app can only get it when you select it (same as if you write it yourself).

In the opposite scenario when you enter data in some inputs Android asks the service if it is interested in them (but without sending the content). If it does, it asks the user, and only when the user accepts the password/content is sent to the service.

In any case, you need to explicitly choose if you want to use or change a service for this purpose, and only one can be enabled at any time.

I never used Lockwise because of this existing functionality in the main app.
Oh awesome, thanks. That changes this submission from 'what agh no why' to 'ok meh no problem'(/'good'!) for me.
That’s really a shame. I’ve installed Lockwise for my parents on iOS because it was the simplest way to use their Firefox passwords on the computer and on iOS devices. They don’t need something as complicated as Bitwarden or Lastpass, just a simple password manager. Sure, I can install Firefox on their devices, but that’s an icon more they won’t understand.

Can’t say I didn’t see it coming. Lockwise was full of bugs and hadn’t been updated for quite some time.

What's complicated about Lastpass/Bitwarden?
But to access the same functionality with Firefox in android I have to go into 3 levels of menus or I'm wrong. Very annoying ...
Installing a separate app and signing in on it sounds a lot more cumbersome
It is one time install, and signing in just after restart. used for autocomletion in apps. With just firefox I won't have that.
It actually presents itself seamlessly in context menus using the fingerprint unlock or phone unlock code.
I am not happy about this. I like having the standalone Lockwise app on my Android phone as a password manager.

When the app is discontinued, will I still be able to use autofill in other apps?

And what about the apps where autofill doesn't work? Having to open my browser for every password I need to copy on my phone just seems clunky and stupid.

I'm so fucking sick of Mozilla breaking their UX flows for every damn thing. Just keep the app!

> When the app is discontinued, will I still be able to use autofill in other apps?

Yes on Android, I have no knowledge of iOS. Just go into the Settings -> Logins and Passwords -> Autofill in other apps.

> Also, having to open my browser for every password I need to copy on my phone just seems clunky and stupid.

You don't (at least for Android), the functionality of Lockwise appears to have been replicated in Firefox. There's a toggle in the logins and passwords settings section of Firefox to allow it to fill in passwords for other apps.

Apparently they're rolling it out in iOS next month, according to the article (as jdlshore pointed out).

Fantastic! I never liked having another app for passwords so I removed lockwise as soon as Firefox (the new one) got password support but was never aware that it grew autofill support!
I'm not sure how great this is, though, from a security perspective. When I select Firefox as my autofill provider on Android, I get this message:

> "Make sure you trust this app"

> "Firefox Beta uses what's on your screen to determine what can be autofilled."

So, unless I'm mistaken, it sounds like the OS gives the selected app special privileges to read what's on the screen (at all times?). I would much rather have a standalone, single-purpose app doing this than a gigantic browser. The former is much easier to secure.

Basically. It receives a stream of accessibility data, so it can decide what is auto-fillable and what isn't. I'm not sure how much content that actually contains, but the app / UI structure / many other details are definitely in there.
Same. I use Lockwise on iOS. The tone of the email I've just received about this from Mozilla makes it sound as if they've done something wonderful and they're giving themselves a pat on the back which is even more maddening.
Very annoying. I use Firefox, but I also loved Lockwise as a general password manager for other apps. What's the next best?
Lockwise was far from the best -- probably closer to the bottom. So literally anything else would probably work just as well.

One of the best free (as in beer) password managers is Bitwarden.

Firefox > Settings > Logins & passwords > Autofill in other apps.

Happy to discover this via another comment in this thread myself!

Why oh why this isn't clearer (or mentioned at all for Android) in the PR I have no idea. It makes a scary/annoying thing tame/nothing.

I suppose we missed the earlier 'deprecated, switch to this' memo?

Doesn't seem to be an option on iOS?
It is my understanding that Firefox itself will work as general password manager for other apps.
Extremely happy about this. Mozilla has one job: building a browser. Half baked apps like Lockwise are a waste of everyone's time, including theirs. That's why they're failing terribly at their one job.

Hopefully we see more culling of similar products and so that the engineering budget can steer back towards building a better browser and hopefully working back towards having a decent slice of the market.

Before everybody gets up in arms from the headline, they're just moving/keeping this feature into the Firefox browser. The article says:

> Firefox for iOS will already sync your saved Lockwise passwords. You can currently only use those inside Firefox. Check back for updates in December 2021 on how to use Firefox for iOS as your system-wide password manager. [It's already there on Firefox for Android.]

The title should honestly be changed into something like "Firefox Lockwise integrated into Firefox, standalone version to be deprecated"
@dang yes please!
"@dang" doesn't do anything special. The most expedient way to reach the mods is to email them using the Contact link in the footer.
Their messaging was pretty poor here imo. The email they sent me gave no clear indication that Firefox would have this ability in it's body.
Ditto. I came to HN after seeing the email, looking for the best way to migrate my passwords out of Lockwise.

Well, still looking. They are outta here.

Keepass + your choice of file sync. Keepass's database has file-based locking so it's safe to sync just via filesystem.

I like KeepassXC one Android and MacOS; Keepassium free-tier on iOS works great. On Android you can use syncthing, but syncthing doesn't work on iOS, so I use NextCloud to sync everything now.

Keepass2Android supports Dropbox, Onedrive, and a few other ways of direct sync. https://play.google.com/store/apps/details?id=keepass2androi...

For Windows 10/11 users who use a MS account, put a portable copy of Keepass on OneDrive and it'll be there right after a fresh reinstall plus sign-in, and you can access it from the Android app using OneDrive sync built into K2A.

Keepass2Android also supports webdav, http, ftp, sftp and nextcloud directly
For iOS I can also recommend Strongbox.
For Syncthing on iOS there is Möbius Sync. However, it struggles with background updates (due to iOS restrictions).
Bitwarden is my goto. If you're the selfhosting type bitwarden_rs (now vaultwarden) is free and easy to setup. If not BW's cloud hosting is also fine. Vaults work offline just fine, apps on every major platform, biometric unlock if you care about such things, and autofill on browsers/ios/android. And they have a snazzy officially supported CLI tool.
And if you pay $10/year, it has 2FA as well. And you can add notes and such. It's definitely worth using (and paying imo).
Wait so it lets you store your 2FA secrets and your password in the same place? That sounds counterintuitive.
It's super useful for a few sites I visit frequently who require 2FA but I don't need that security. But yeah, otherwise it's a pretty remarkably bad idea.
When you sign in to a website from your phone using a saved password and use that same phone for 2fa, it's pretty much the same thing.

The whole meme that saving the 2fa seed to password managers is a bad idea needs to die. Most of the advantages of 2fa are still present when using a password manager.

It's the other way around. Literally all of the advantages of using 2FA are not present when you store both factors together.
You are wrong. The primary advantage of 2fa is the OTP part, which wards against keyloggers and password reuse.
Unless of course the keylogger also has access to the OTP.

If your device is compromised, your device is compromised.

It doesn't matter what the advantages of 2FA are. You don't have 2FA ("two-factor authentication") if your factors are stored together.

No-one seems to ever mention LastPass for some reason when this comes up. It's a complete solution, locally-encrypted, backed-up to the cloud, auto-fill, apps, all platforms, etc.
Not open-source, 3rd-party trackers in the android app, no easily accessible 3rd-party audits (that I can find), an unintuitive UI (no easy 1-button copy, clunky item entry*, etc.), and roughly 1 security incident every 1.5 years.

Are they the worst? No. Are there better ones? Yes.

*The number of people at work which put their username in the URL field is astounding. We also have people saving personal passwords into shared folders without realizing it. This speaks to UI issues.

These are the first paragraphs of the email I got:

> On December 13th 2021, the Firefox browser will be officially "resorbing" Firefox Lockwise. Don't worry, all your saved Lockwise passwords will still be available through the Firefox browser using a Firefox account.

> The Firefox Lockwise app will no longer be updated and supported by Mozilla and will not be available in the Apple App and Google Play Stores. After that date, current Lockwise users can continue to access their saved passwords and their password management in the Firefox desktop and mobile browsers.

It seems pretty clear-cut to me.

i am not sure this is the same, lock wise let you fill in passwords on any application not just in the browser
It is the same; I'm using Firefox Nightly to prefill passwords in other apps.
It's the same, I panicked at first then found the setting thanks to a fellow commenter. Search my name in this thread and I detailed it in response to someone else.

Sibling says it's working in Nightly -- I'm using the regular stable release on Android and it's there. Haven't even updated it for a few weeks at least. (I just didn't know it existed before now, I was using Lockwise.)

All in all it makes sense tbh - Lockwise used FF account and sync... Who would have one with synchronised data and not be using FF on their phone (esp. Android) anyway?

If I got an email, I haven't read it yet. But I have seen this on the site via HN (make of that what you will...) and it's completely unclear. It says the functionality is coming to FF for iOS in December, but fails to mention that Android already has it (doesn't mention it at all) or if there are any differences at all to be aware of.
Where does that say that it will autofill?
That email could be true if Firefox has autofill and if it doesn't. They only say you can access you passwords via the browser. They should have explicity mentioned that the browser now replicated thr autofill functionality of lockwise.
(comment deleted)
What does this mean for iOS Lockwise users who use it as a system-level password manager? Will we be able to use Firefox for the same purpose?

I had to switch back to Safari from Firefox on iOS because the latter had so many issues and missing features by comparison. Lockwise was the only solution from a developer I trust for syncing passwords between Ubuntu and iOS, and iCloud passwords are unavailable on Linux.

I really hope iOS Firefox is updated to support system-level password management!

TFA answers your question.
Could you elaborate? I'm not sure what TFA stands for in this context. If you meant 2FA (two factor authentication), that doesn't solve the problem of managing passwords.
TFA = The F*cking Article, a version of RTFM, basically.

> Note: Firefox for iOS will already sync your saved Lockwise passwords. You can currently only use those inside Firefox. Check back for updates in December 2021 on how to use Firefox for iOS as your system-wide password manager.

Oh, I see that now. I could have sworn that wasn't there when I read the article initially? In any case, I'm glad iOS users will still have that functionality!
Based on all the other confusion in this thread, I wouldn't be surprised if it wasn't.
(comment deleted)
It's great that Mozilla is stopping something it's not at all good at and isn't its main strength.

What is worse that it keeps doing such things - starting and then killing services one after another; and never learns. So in the end it's nothing great.

Another Mozilla project bites the dust.

You have one job: Build Firefox. Drop the side projects.

Unless the side projects have a future version of Firefox in mind.
I know I'm being a bit naive, but I trusted them more than any other random "free as in beer" password manager service...I didn't mind too much the rather miserable mobile experience, as long as it got the job done.

That's bad Mozilla. Lockwise was the reason I started donating.

It's sad to see a simple password manager go. Even if it's integrated inside Firefox most users will probably look elsewhere (Bitwarden, Keepass). I use the later, the file db works great and its easy to move between devices when needed.

Also, donations to Mozilla go to the foundation instead of the corporation. The only way to give them some useful money is paying for the services they sell like the VPN service (but also don't forget that Mozilla is just a Mullvad reseller).

When do we fork Firefox because Mozilla is a failure at their job?

They've managed to lose almost all their market popularity, mobile Firefox share is almost nonexistent, they pay their executives extremely disproportionately compared to most nonprofits, they have expanded into countless failed side projects (Firefox OS, Firefox Send) and vestigial side projects they aren't good at (Pocket, Firefox Focus, Firefox Reality, Firefox Lockwise, Firefox Monitor, Mozilla VPN) which only serve to distract Mozilla from working on Firefox.

And since then they've now decided they are an NGO fighting for the Freedom of the Internet or something, even though all Google has to do is pull royalty funding because Firefox's market share is not worth supporting for how small it is, and their entire operation will fall overnight like a house of cards.

Once their market share is so small that it doesn't protect Google from the next round of monopoly discussion anymore, they'll probably pull the plug anyway. It's a shame.
Mozilla is out of their minds to think that paying their top executive $2.4 million per year for 2018 onward (and rising exponentially, it was "only" $1 million a year in 2016) is a good idea.

It's egregious by average nonprofit levels, particularly one that advocates "ethics" like Mozilla, and considering they laid off a major part of the development team, that's like 20 developers.

Hiring 20 developers to work on your core product so that Google keeps paying you, versus raising the top executive's pay for absolutely no good results other than adding failing side projects. Insanity.

The CEO and other executives are looting that company before it collapses. It's obvious, and Mozilla will fold in the next 5 years. They will probably replace their own engine with Chrome before that and fire the team in charge, and see the CEO compensation double at the same time.

Mark my words.

Not sure what you are writing regarding Firefox Send and Lockwise. They are/were good, or at least good for me.
They are decent - but they are undermining the development of the Firefox browser by consuming lots of precious time and money which is not what Firefox needs right now.

Remember that Mozilla get's 90%+ of its funding, not from donations, but from Google for being the default search engine. Firefox's market share is now ~4%, dangerously close to where Google might decide that the payout isn't worth it. And close enough where Google thinks they could stop payments without causing any antitrust ire because it's such a small percentage it doesn't make any business sense.

You would think Mozilla executives would take that as a sign that their funding and core product is at stake and they need to double-down on it. Instead, they fire engineering teams and spread into the many side projects in a desperate attempt at diversification that isn't working.

I get where you're coming from, and I would also love to have more work put into Firefox, but development speed has precisely nothing to do with why it's lost so much market share. Nobody is choosing a browser because of feature checklists. The average user has Chrome because it's the default on Android and ChromeOS, and on everything else a helpful notification tells you that your browser sucks and you should get Chrome as soon as you google something, or check your email, or watch a video, or open a document. It's the strongest software marketing in history and short of antitrust legislation I don't see any way for Mozilla to compete.
Maybe when Firefox was at 33% and Google was just starting to gain major dominance in Chrome, Firefox should have realized the game was changing and tried blocking ads for Chrome or even lying to Google properties that it was Chrome (as Microsoft Edge now is capable of even though Microsoft AFAIK hasn't flipped the switch).

If Google complained, Firefox could say it was a response to anticompetitive behavior. Google would then be a catch-22 where if they cut Firefox's default search funding, they would be inviting lawsuits and investigations. It wouldn't be a healthy relationship but it would have given Firefox a stronger footing than right now.

But Firefox just naively believed adding more fluff like Pocket and paying their executives ludicrous sums of cash would do the trick. You can't do that - you need to get into the mindset that Google wants to kill you and has the power and brand to do it, so you need to fight and stop the bleeding or get killed.

"lots"

But are they? I doubt you actually have any special knowledge of this. They don't seem to me like they would require so much resources.

It's an open secret if you want to look around. For example:

https://calpaterson.com/mozilla.html

"Sadly Mozilla's annual report doesn't break down expenses on a per-project basis so it's impossible to know how much of the spending that is on Mozilla's programme is being spent on Firefox and how much is being spent on all these other side-projects.

What you can at least infer is that the side-projects are expensive. Software development always is. Each of the projects named above (and all the other ones that were never announced or that I don't know about) will have required business analysts, designers, user researchers, developers, testers and all the other people you need in order to create a consumer web project.

The biggest cost of course is the opportunity cost of just spending that money on other stuff - or nothing: it could have been invested to build an endowment. Now Mozilla is in the situation where apparently there isn't enough money left to fully fund Firefox development."

Personally I like Pocket although there are certainly places where it could use improvement.
Last time I tried it you couldn't update titles. Which is very limiting. Some web pages have great titles and other web pages don't.
Wanting to update titles is so out of my usage scenario for Pocket that I wouldn't even think about it.
There is exactly zero chance of maintaining an up to date, reasonably fast and secure browser without a large, dedicated team of highly qualified developers. Good luck with forking...

Mozilla has definitely failed with most of their side projects, many of them really redundant. And shutting them down is really bad for their reputation.

But they also need to find some funding source that doesn't make them beholden to Google or Microsoft. They have been desperately trying to do that.

Ignoring the fact that many of those side projects probably took one or two part time devs, with the vast majority working on the browser ... only working on Firefox won't get them any revenue.

And no, a subscription model probably won't work. As things stand they would need maybe 30-40 million subscribers paying 10$/year to match Googles money. That's never happening.

"But they also need to find some funding source that doesn't make them beholden to Google or Microsoft. They have been desperately trying to do that."

I agree. How about we do some executive cuts at Mozilla then? $2.4 million for the top exec over there, maybe to $300K or so which is closer to average for a nonprofit, would be a free $2 million per year. It's not like those executives have been successful in any way to merit that cash.

I'm just stuck with that, I want Firefox to succeed, but the leadership has real problems. And they need cash flow, but side projects aren't doing it, so double-down already on your success and try to claw back slowly - don't flee from what's working.

Maybe even Fight Dirty. I have never figured out why Firefox doesn't pretend to be Chrome on Google websites or try to hide the "Download Chrome" or "Unsupported Browser" popups. Microsoft doesn't care in their quest, Firefox shouldn't either.

I agree the top execs could be paid less but it’s still a rounding error in their overall funding. It would be a symbolic gesture, welcomed by many. But it wouldn’t make a massive difference.
While I agree that the CEO's pay seems unreasonable, let's not pretend it's a singular factor that's going to make a significant dent overall.

The best thing people can do is simply use firefox; the longer we avoid a chromium monoculture; the better - and while mozilla the corp may suffer, as long as the userbase doesn't entirely vanish, they might survive based on the scraps microsoft or google throws them.

Don't get so hung up on that salary. Managing a 400 million + revenue company with 700+ employees is a big job with lots of responsibility and legal liability. Considering what US developers make, 2 million is not a lot of money for that job in SF and perfectly fine for a qualified CEO.

Mozilla did not find a qualified candidate and had to make due with a weak one, probably in part due to the low compensation.

> When do we fork Firefox because Mozilla is a failure at their job?

When we can and will do better.

FWIW, I heard Mozilla is offering full refunds to everyone that purchased Lockwise, which is way better than you'd get from any for-profit company.

Full refunds? I get the ethics - but that means that this entire experiment was a very, very expensive failure that only caused a net loss to the brand and Mozilla's finances. Heads should roll in management, but they won't.
>was a very, very expensive

Why do you keep pretending to know this?

It doesn't take much math to know that Engineering Hours + 100% return of all money made + Damages from having money and then not having it + Labor and processing and lost credit card fees = Expensive experiment.

Also they laid off a major Firefox engineering division because of tight funds. You can't tell me that the side projects didn't have something to do with that.

But Lockwise is free. Was that the joke?
Yup, I was poking fun at the entitlement people feel toward FOSS developers who release free products.

Amusingly, the person railing against Mozilla didn't catch that it's free and used "the refunds" as an additional talking point against Mozilla.

Fork it. Nobody’s stopping you.
> mobile Firefox share is almost nonexistent

Apple uses anti-competitive tactics to prevent Firefox from competing fairly with Safari on iOS, and Google uses anti-competitive contracts that mandate that Chrome ships on the devices Android vendors sell.

This sucks. From the outside, Mozilla management just seems incompetent, killing good product after good product while not launching anything worthwhile to replace them.
Whoops - appears I overreacted in this specific case, the feature just seems to be moving to the firefox app on Android, didn't catch that from the announcement.
Very sad to see Lockwise being sunsetted. It provided good basis for new product that actually could be a competitor to 1password. However, I felt in guts it will have problem with traction, because it seemed too opinionated for me. I have noticed some people wanted to use Lockwise just like a password manager. However, by a long time it was a read-only client for Firefox Sync. No silly OTP calculator to cover Google Authenticator logic. It also didn't support custom Sync Servers, which made a bad taste for very advanced users. Mozilla is losing yet another niche, where Lockwise could be a profitable, open-source full-featured product.
The functionality as been subsumed into Firefox.
This is so so so sad. I use firefox as my main browser and lockwise was so much useful when I needed to log into something on my phone. Very disappointing.
For anyone looking to stay on an open source solution: Keepass databases, synced using whatever sync tool floats your boat (syncthing, Nextcloud, iCloud etc.)

On Android I used KeepassXC and syncthing.

After switching to iOS: Keepassium + NextCloud.

It appears that the Mozilla project is not just copying Chrome's look and feel for browser releases, but also copying Google's strategy of launching things and then abandoning them.
(comment deleted)
It would be really great if, when announcing the deprecation with a firm date, they would also announce a firm (preferably earlier) date for the replacement iOS Firefox functionality.
For iOS users, while autofill doesn't seem to be added just yet - passwords are available from the hamburger menu in Firefox, as well as adding, viewing, and managing passwords within iOS.

Mozilla has stated that they will add the autofill functionality to Firefox for the system-wide use.

> Check back for updates in December 2021 on how to use Firefox for iOS as your system-wide password manager.

It looks like they are working on integrating this functionality into the main Firefox apps, which makes more branding sense anyway. As it was the password management was just a feature of the browser on desktop, but a whole different product with its own brand name on mobile.

I try to give Mozilla some benefits of doubt and wasted 5 min trying to search for an official note, PR , blog or something that provides more detail, in a simple and clear manner to explain the situation.

They could have worded it as All Lockwise functions being integrated into Firefox, iOS version coming in December.

Nope, this is it. Or may be it is me being dumb. But judging from some comments here this support document is extremely unclear.

Which is very typical of modern day Mozilla.

Why is this so infuriatingly common with them? Is there a place for learning about their decision-making process? I'll take crumbs at this point to make some sense of it.
It is very common and typical of any organisation ( so not just Mozilla ) which are low in morale and dysfunctional, lacking real leadership and customer care.

It is just human nature.

Little sad writing this since I followed Firefox before it was called Firefox.

They have send out an mail explaining all this. Not sure who got the mail, I guess lockwise-users?
Yeah, it's poor messaging.
(comment deleted)