After hearing that LastPass was acquired by a private equity firm[1], I decided it might be a good time to start looking at other password managers. I remembered hearing about Firefox Lockwise. I’m a fan of Mozilla’s focus on user privacy, so I started researching and testing Lockwise.

在得知LastPass被一家私募股权公司[1]收购后，我认为现在是开始研究其他密码管理器的好时机。 我记得曾经听说过Firefox Lockwise。 我是Mozilla注重用户隐私的粉丝，因此我开始研究和测试Lockwise。

Note: I am not a security analyst. I am a tech savvy user who did some research and testing and figured I would share what I found. It doesn’t look like security researches have done much testing on Lockwise yet. However, Lockwise is open-source[2], so the code is available for analysis in the future.

注意：我不是安全分析师。 我是一位精通技术的用户，他进行了一些研究和测试，并认为我会分享自己的发现。 看起来安全研究尚未在Lockwise上进行过很多测试。 但是，Lockwise是开源的[2]，因此该代码可在以后进行分析。

In my testing, I found that using Lockwise with its default settings is significantly less secure than other popular password managers like LastPass and Bitwarden. However, with some setting adjustments and a workaround, it can be a decent alternative with many new features in the works.

在我的测试中，我发现使用Lockwise的默认设置比使用其他流行的密码管理器(如LastPass和Bitwarden)安全性要低得多。 但是，通过一些设置调整和解决方法，它可以成为具有许多新功能的不错选择。

安全注意事项 (Security Considerations)

• Lockwise uses the same encryption methods as other popular password managers, LastPass and Bitwarden[3][4][5].
  Lockwise使用与其他流行的密码管理器LastPass和Bitwarden [3] [4] [5]相同的加密方法。
• Passwords are encrypted before being sent to cloud storage, so Mozilla cannot see your passwords[3].
  密码在发送到云存储之前已加密，因此Mozilla无法看到您的密码[3]。
• Lockwise has the ability to configure a master password that is separate from your Firefox account password[6]. However, the master password is only for encrypting the passwords locally on your PC[7]. This can leave quite a security hole. I will discuss this later in this article.
  Lockwise可以配置与Firefox帐户密码[6]分开的主密码。 但是，主密码仅用于本地加密PC上的密码[7]。 这会留下相当大的安全漏洞。 我将在本文稍后讨论。
• Firefox supports two-factor authentication[8], so logging into Lockwise can require two-factor authentication, but unlocking Lockwise on a mobile device is a different story as that is tied to the unlocking of your device rather than your Firefox account.
  Firefox支持双重身份验证[8]，因此登录Lockwise可能需要双重身份验证，但是在移动设备上解锁Lockwise是另一回事，因为这与设备而非Firefox帐户的解锁有关。
• Lockwise cannot be configured to prompt the user for his/her Firefox account password every time it is used. Other popular password managers have this important security feature. There is an open issue on Lockwise’s GitHub to get this fixed[12].
  不能将Lockwise配置为在每次使用时提示用户输入他的Firefox帐户密码。 其他流行的密码管理器具有此重要的安全功能。 Lockwise的GitHub上有一个未解决的问题可以解决此问题[12]。

• Lockwise is open source[2]. Here is why you might want an open source password manager[13].

  Lockwise是开源的[2]。 这就是为什么您可能需要一个开源密码管理器[13]的原因 。

• Lockwise can be configured to work with Mozilla Monitor for additional security[3].
  可以将Lockwise配置为与Mozilla Monitor配合使用以提高安全性[3]。

其他注意事项 (Other considerations)

• Lockwise is only available as Android and iOS apps and through the Firefox browser. There is no Google Chrome extension or support[9].
  Lockwise仅在Android和iOS应用程序中以及通过Firefox浏览器提供。 没有Google Chrome扩展程序或支持[9]。
• In my own experience with Firefox browser, filling passwords with Lockwise is visibly faster than using LastPass.
  以我自己在Firefox浏览器中的经验，用Lockwise填充密码明显比使用LastPass快。

重大安全问题 (A Major Security Concern)

Firefox’s master password feature is a necessary feature for securing Lockwise, but it doesn’t quite do the job.

Firefox的主密码功能是保护Lockwise的一项必要功能，但是并不能完全解决问题。

Note: Testing was done on a Windows 10 PC running Firefox 71.0 and an Android 7.1.1 device running Firefox 68.3.0 and Firefox Lockwise 3.3.0.

注意：测试是在运行Firefox 71.0的Windows 10 PC和运行Firefox 68.3.0和Firefox Lockwise 3.3.0的Android 7.1.1设备上完成的。

主密码如何工作 (How the Master Password Works)

First, the user must enable and set a master password in his/her Firefox account security settings.

首先，用户必须在其Firefox帐户安全设置中启用并设置主密码。

When using the Firefox browser, the user is prompted to enter the master password every time he/she attempts to view or copy a password from Lockwise. The user is not prompted to enter the master password when Firefox auto-fills a password field on a website, but he/she is prompted to enter the master password each time the Firefox browser is launched.

使用Firefox浏览器时，每次用户尝试从Lockwise查看或复制密码时，都会提示用户输入主密码。 当Firefox在网站上自动填写密码字段时，不提示用户输入主密码，但是每次启动Firefox浏览器时，都会提示他/她输入主密码。

主密码的问题 (The Problem with the Master Password)

The master password is only for encrypting the passwords locally on the user’s PC. If an attacker gains access to the user’s Firefox account, the attacker could log into Firefox on a different device (where a master password was not set) and view all of the user’s saved passwords.

主密码仅用于本地加密用户PC上的密码。 如果攻击者可以访问用户的Firefox帐户，则攻击者可以在其他设备(未设置主密码)上登录Firefox，并查看用户所有已保存的密码。

This puts the user’s passwords at significant risk of compromise in the case of phone hijacking attacks.

在电话劫持攻击的情况下，这会使用户的密码遭受重大威胁。

In my understanding of phone hijacking, an attacker can get access to applications that the user had on his/her phone, and those applications may be logged into the user’s account when the attacker accesses them[10].

在我对电话劫持的理解中，攻击者可以访问用户在其手机上拥有的应用程序，并且当攻击者访问这些应用程序时，这些应用程序可能会登录到用户的帐户中[10]。

If an attacker gains access to the user’s phone, and the user has the Firefox mobile browser installed, and the browser is synced with his/her Firefox account, the attacker can view all of the user’s saved passwords[11].

如果攻击者可以访问用户的手机，并且用户安装了Firefox移动浏览器，并且浏览器已与其Firefox帐户同步，则攻击者可以查看用户所有已保存的密码[11]。

With a standalone password manager like LastPass or Bitwarden, device compromises, such as phone hijacking, aren’t as much of an issue because the password manager application can be configured to require password entry every time the user wants to use it. Lockwise cannot do that yet.

使用独立的密码管理器(例如LastPass或Bitwarden)，设备妥协(例如电话劫持)就不再是问题，因为可以将密码管理器应用程序配置为每次用户想要使用密码时都要求输入密码。 Lockwise还不能做到这一点。

When a user syncs Firefox to his/her Firefox account, it typically remains logged into the account indefinitely. If somebody gets access to the user’s device, they are also more likely to get access to the saved passwords.

当用户将Firefox同步到他/她的Firefox帐户时，通常会无限期地登录到该帐户。 如果有人可以访问用户的设备，那么他们也更有可能访问已保存的密码。

可能的解决方法 (A Possible Workaround)

It is possible to create two separate Firefox accounts — one that is used exclusively for Lockwise, and another for the web browser, but this would be far more inconvenient than using a standalone password manager. It would also come with the risk of accidentally saving passwords to the wrong account or logging into the wrong account. Additionally, because Lockwise doesn’t have a timeout feature, the user would need to manually sign out of Lockwise every time it is used to prevent Lockwise from staying logged in.

可以创建两个单独的Firefox帐户-一个专用于Lockwise，另一个用于Web浏览器，但这比使用独立的密码管理器更为不便。 也可能会导致密码意外地保存到错误的帐户或登录错误的帐户的风险。 此外，由于Lockwise不具有超时功能，因此用户每次使用Lockwise时都需要手动退出Lockwise，以防止Lockwise保持登录状态。

我会使用Lockwise吗？ (Will I Use Lockwise?)

If I was only going to use my passwords in the Firefox web browser on a PC, Lockwise would make sense. I would configure a master password on Firefox and feel reasonably secure. However, I typically want my passwords to be available on mobile devices and in Google Chrome as well.

如果仅在PC上的Firefox Web浏览器中使用密码，则Lockwise会很有意义。 我会在Firefox上配置主密码，并感到相当安全。 但是，我通常希望我的密码在移动设备和Google Chrome中都可用。

Unfortunately, Lockwise is either unavailable or not quite secure enough when it comes to anything but Firefox on a PC. For those reasons, I will not be using Firefox Lockwise.

不幸的是，除了PC上的Firefox之外，Lockwise要么不可用，要么不够安全。 由于这些原因，我不会使用Firefox Lockwise。

If Mozilla further segregates Lockwise from Firefox and adds a few more security features, I will reconsider because I am generally a big fan of Mozilla and its products.

如果Mozilla进一步将Lockwise与Firefox隔离开来，并增加了一些其他安全功能，我会重新考虑，因为我通常是Mozilla及其产品的忠实拥护者。