Password managers are a dime a dozen. There seems to be something for every taste and purse. However, the quality, level of comfort and security often differ — even though advertising always promises the best of the best. Popular representatives from the commercial sector include 1Password and LastPass; in the open source area, among many other options, KeePass and Bitwarden are the popular representatives.
All of the above are more or less “standalone products” that can be used independently of a browser and usually also of the operating system. This has various advantages — especially if you not only want to manage access data to websites or web applications, but also want to store access codes for devices, credit cards, operating systems etc. or other information that needs to be secured.
The classic storage location is your own computer or smartphone, and synchronization with other devices is done via file exchange, Wi-Fi or a Bluetooth connection without involving cloud services such as Dropbox, OneDrive, iCloud or similar. Increasingly popular are also solutions that automatically exchange data in the background via cloud services and thus ensure that all devices connected to a user account always have the latest data available — the convenience of such services is of course very tempting.
In addition, almost every browser offers the option to store passwords and fill them in again when a website is visited. Cross-device synchronization is usually available as well and typically runs via a cloud service of the browser vendor.
The still comparatively young product “Lockwise” from the Mozilla Foundation belongs (more or less) to this last category, namely password managers in the browser. It originated from a browser plugin called “Lockbox” and has since been integrated into the “Firefox” browser from the same company. In addition, there are smartphone apps and a website.
“Lockwise” is advertised as a secure password manager that uses industry-standard encryption and thus stores passwords securely according to the current state of the art. The passwords can be stored either locally on the user’s computer or centrally on the Mozilla Foundation’s infrastructure to enable cross-device synchronization. As an additional feature, the “Monitor” product from the same company can be integrated — this compares the stored access data against databases of already breached user accounts so that early warning signals can be detected. This is a good thing — but it has some possible side effects.
To use Lockwise’s synchronization mode, a user account must be created, for which an email address must be provided. This user account can then be used to synchronize not only passwords and access data but also browser settings such as preferences, bookmarks, browser history, plugins etc. across devices.
In practice this is of course very convenient. However, as is so often the case, the trick is in the details when it comes to security and privacy protection.
Mozilla has done many things right here: The encryption is done locally on the user’s computer and only encrypted data is transmitted to the sync service. In this respect, the Mozilla Foundation and possible partners should not have any (currently known) possibility to see the data in plain text. This is good and a fundamental necessity for such a service.
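The property described above (encryption happens on the device and the sync service only ever holds ciphertext) is easy to get wrong if the same secret is used both to encrypt the vault and to log in to the service. The following Python example, added here and not Mozilla's or Lockwise's code, shows the key-separation pattern a password-manager client can use: the master password is stretched with PBKDF2, split into an encryption key that never leaves the device and an authentication key that the service only stores hashed, and the vault is encrypted-then-MACed before upload. The `SyncService` class, the e-mail address, the vault entry and the iteration count are constructed for the demo; HMAC-SHA256 in counter mode stands in for AES so the block runs on the standard library alone.

```python
"""Client-side vault encryption with key separation (added example, not Lockwise code)."""
import hashlib
import hmac
import json
import secrets

KDF_ITERATIONS = 100_000  # constructed for the demo; real clients use more, or scrypt/Argon2


def derive_subkeys(master_password, salt):
    """Stretch the master password, then derive two independent keys from it:
    enc_key never leaves the device; auth_key is all the sync service ever checks."""
    root = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=32)
    enc_key = hmac.new(root, b"vault-encryption", hashlib.sha256).digest()
    auth_key = hmac.new(root, b"sync-authentication", hashlib.sha256).digest()
    return enc_key, auth_key


def _keystream(key, nonce, length):
    """HMAC-SHA256 in counter mode as a PRF keystream (stdlib-only stand-in for AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_vault(enc_key, entries):
    """Encrypt-then-MAC; the returned dict is the only thing uploaded."""
    plaintext = json.dumps(entries, sort_keys=True).encode("utf-8")
    nonce = secrets.token_bytes(16)
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    mac_key = hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest()
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return {"nonce": nonce.hex(), "ciphertext": ciphertext.hex(), "tag": tag.hex()}


def decrypt_vault(enc_key, blob):
    """Verify the tag before touching the ciphertext; a wrong key fails here."""
    nonce, ciphertext = bytes.fromhex(blob["nonce"]), bytes.fromhex(blob["ciphertext"])
    mac_key = hmac.new(enc_key, b"vault-mac", hashlib.sha256).digest()
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("vault tag mismatch: wrong master password or tampered data")
    plaintext = bytes(c ^ k for c, k in zip(ciphertext, _keystream(enc_key, nonce, len(ciphertext))))
    return json.loads(plaintext.decode("utf-8"))


class SyncService:
    """Hypothetical sync back end: it stores the salt, a hash of auth_key and the blob, nothing else."""

    def __init__(self):
        self.accounts = {}

    def register(self, email, salt, auth_key):
        self.accounts[email] = {"salt": salt.hex(),
                                "verifier": hashlib.sha256(auth_key).hexdigest(),
                                "blob": None}

    def salt_for(self, email):
        return bytes.fromhex(self.accounts[email]["salt"])

    def _authenticate(self, email, auth_key):
        acct = self.accounts[email]
        if not hmac.compare_digest(acct["verifier"], hashlib.sha256(auth_key).hexdigest()):
            raise PermissionError("sync authentication failed")
        return acct

    def upload(self, email, auth_key, blob):
        self._authenticate(email, auth_key)["blob"] = blob

    def download(self, email, auth_key):
        return self._authenticate(email, auth_key)["blob"]

    def stores_substring(self, email, needle):
        """Defender check: can the operator find this secret anywhere in what it holds?"""
        return needle in json.dumps(self.accounts[email])


def demo(master_password="correct horse battery staple"):
    """Two devices share one account; a third device with the wrong password gets nothing."""
    service = SyncService()
    email = "alice@example.invalid"  # constructed
    vault = {"https://bank.example": {"user": "alice", "password": "hunter2"}}  # constructed
    salt = secrets.token_bytes(16)
    enc_key, auth_key = derive_subkeys(master_password, salt)
    service.register(email, salt, auth_key)
    service.upload(email, auth_key, encrypt_vault(enc_key, vault))
    # Device 2: the master password alone is enough to recover the vault.
    enc_key2, auth_key2 = derive_subkeys(master_password, service.salt_for(email))
    restored = decrypt_vault(enc_key2, service.download(email, auth_key2))
    # Device 3: a wrong master password is rejected before any blob is handed out.
    _, wrong_auth = derive_subkeys("wrong password", salt)
    try:
        service.download(email, wrong_auth)
        wrong_rejected = False
    except PermissionError:
        wrong_rejected = True
    return {"roundtrip_ok": restored == vault,
            "wrong_password_rejected": wrong_rejected,
            "operator_sees_secret": service.stores_substring(email, "hunter2")}
```

`demo()` runs the two-device round trip and a failed login from a third device; `stores_substring` is the check a reviewer can run against any such design: if the operator's records ever contain the plaintext secret, the client-side encryption claim is false. In a real client the HMAC-CTR stand-in would be replaced by an AEAD such as AES-GCM and PBKDF2 by scrypt or Argon2.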
However, I also think that serious mistakes have been made which, in the worst case, could completely compromise the security of the service. The first mistake is that passwords and access data basically run via the same user account as all other data to be synchronised. The only protection for the web service is therefore a single password and — only if explicitly activated by the user — a second factor.
In the browser itself — i.e. where the passwords and access data are ultimately visible — they are basically freely accessible to every user, unless the user has explicitly assigned a master password. Unfortunately — and this is one of the biggest mistakes made by the Mozilla Foundation in its conception — a master password does not have to be set on every device connected to the user account.
This is a serious problem that the Mozilla Foundation should address in a timely manner. Many users favour convenience, which increases the risk that either no master password is used at all or that it is not used consistently on all connected devices. In practice, a serious problem can then arise in the event of theft, infection with malware or even just curious users.
The Mozilla Foundation did many things right with Lockwise, but fails at some basic points. This should be addressed as soon as possible: non-optional master passwords, separation of access data and configuration, an optional second factor. The approach of relying on the user-configured access protection of the mobile device — which can sometimes consist of just a four-digit PIN or a few drawn lines — should also be reconsidered. A configurable additional protection layer is highly recommended.
Therefore, a non-optional basic requirement for the use of the password safe must be the assignment of a master password. An optionally configurable second factor would be very desirable. Furthermore, a separation of access data and configuration data should be a matter of course.
Unfortunately, it does not seem to be possible at the moment to trace who used or changed a password and when, and it is also not possible to set up notifications for security-relevant events such as access anomalies. At least I didn’t find any such information on the unfortunately not very meaningful page about the product.
Caution is also advised in connection with the smartphone apps. These seem to make the access locks set on the smartphone, e.g. PIN or fingerprint, the only protection mechanism for access to the stored data — a little too little, in my opinion.
Users of security-critical software have the right to rely without restriction not only on the protection of the stored data; they must also be able to trust that they are not being tracked by the software manufacturer. Telemetry has no place in such an app — if at all, it must follow the principle of opt-in (not the other way around).
In connection with the storage of sensitive data, I find the presence of telemetry in the apps inappropriate, as well as the not entirely transparent communication of the consequences of using the “Monitor” service to compare access data with databases of breached user accounts. Both can violate the privacy of the user, and especially the last point — the comparison with databases — allows conclusions to be drawn about how many credentials the user stores and which services they belong to. In the end it is at least possible to find out for which websites a user has one or more accounts.
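The inference risk described above depends on how the comparison is done: if the client sends each stored credential (or its full hash) to the breach service, the operator learns every entry it is asked about. The following Python example, added here and not part of the original post or of Mozilla's Monitor, contrasts that naive protocol with a hash-prefix range query in the style of k-anonymity lookups: the client sends only the first five hex characters of a SHA-1 digest, receives the whole bucket, and decides the match locally. The `BreachService` class, the leaked identifiers and the user's vault entries are constructed for the demo.

```python
"""Privacy-preserving breach lookup via hash-prefix range query (added example)."""
import hashlib

PREFIX_LEN = 5  # hex characters disclosed to the service; the rest stays on the client


def _digest(value):
    return hashlib.sha1(value.encode("utf-8")).hexdigest().upper()


class BreachService:
    """Toy breach-notification service. `known` is a constructed list of leaked
    site:user identifiers; a real corpus is vastly larger, so each prefix bucket
    holds hundreds of entries and the prefix alone identifies nothing."""

    def __init__(self, known):
        self.buckets = {}
        for value in known:
            h = _digest(value)
            self.buckets.setdefault(h[:PREFIX_LEN], []).append(h[PREFIX_LEN:])
        self.request_log = []  # everything the operator gets to see

    def range_query(self, prefix):
        """Return every suffix in the bucket; the operator learns only the prefix."""
        if len(prefix) != PREFIX_LEN:
            raise ValueError("prefix must be exactly %d hex characters" % PREFIX_LEN)
        self.request_log.append(("prefix", prefix))
        return sorted(self.buckets.get(prefix, []))

    def exact_query(self, full_hash):
        """The naive protocol: the operator learns precisely what was checked."""
        self.request_log.append(("full", full_hash))
        return full_hash[PREFIX_LEN:] in self.buckets.get(full_hash[:PREFIX_LEN], [])


def check_naive(service, value):
    """Client sends the complete hash of the credential identifier."""
    return service.exact_query(_digest(value))


def check_k_anon(service, value):
    """Client sends a prefix, pulls the bucket and matches locally."""
    h = _digest(value)
    prefix, suffix = h[:PREFIX_LEN], h[PREFIX_LEN:]
    return suffix in service.range_query(prefix)


def operator_view(service):
    """What a curious operator can reconstruct from its request log."""
    full = [h for kind, h in service.request_log if kind == "full"]
    prefixes = [p for kind, p in service.request_log if kind == "prefix"]
    return {"exact_hashes_seen": full, "prefixes_seen": prefixes, "queries": len(service.request_log)}


LEAKED = ["example.invalid:alice", "shop.example:bob", "forum.example:alice"]  # constructed


def demo():
    """Check a constructed two-entry vault both ways and report what the operator saw."""
    service = BreachService(LEAKED)
    vault = ["example.invalid:alice", "bank.example:alice"]  # constructed user entries
    naive = {v: check_naive(service, v) for v in vault}
    kanon = {v: check_k_anon(service, v) for v in vault}
    return naive, kanon, operator_view(service)
```

Both protocols give the same answer, but `operator_view` shows the difference in what the service learns: full hashes in the naive case, five-character prefixes in the k-anonymity case. Note the caveat the example also makes visible: even with prefix queries the operator still sees one request per vault entry, so the number of credentials a user holds leaks unless queries are batched or padded; only the identity of each credential is protected.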
Conclusion
Mozilla has taken the right path with Lockwise. For very privacy-conscious people, it could be a problem that Mozilla has for a long time no longer satisfactorily met the formerly high demands on the protection of its users’ privacy — this is mainly due to a default configuration of the apps that is detrimental to privacy and which inexperienced users in particular rarely see through and adjust in detail.
If one disregards this — and if one looks primarily at the competition in the field of synchronizing password managers — then “Lockwise” scores very well overall. The encryption methods used can be described as secure according to the state of the art known today. It is simple and convenient to use. There are apps for all relevant operating systems (either within the browser or as a smartphone app) and — which is a very important prerequisite for trustworthiness — the source code of large parts is openly accessible, which creates transparency.
It would also be desirable if users could run their own servers for synchronization — i.e. no longer depend on the services provided by the Mozilla Foundation. Because — and here we come to a conclusion — the Mozilla Foundation is subject to American law and is therefore basically obliged to cooperate with the local authorities. That this is a serious problem with regard to data protection and data security has long been a matter of public record.
My recommendations for the Mozilla Foundation:
- All components should be published as open source
- Firefox should be given a configuration option to use the user's own servers for storing access data and configurations
- Telemetry functions should be changed from opt-out to opt-in
- A master password must become mandatory if access data are stored
- Strict separation of access data and configuration data
- Smartphone apps should have an additional security layer
At this point, the open source projects KeePass or Bitwarden seem to be the better choice in my opinion — for people who prefer the most convenient synchronization, Bitwarden might be the better and more flexible choice.
However, as soon as Lockwise is improved, things may turn around.
What do you think? Let’s discuss it…
Translated from: https://medium.com/swlh/mozilla-lockwise-the-better-password-manager-721d2cc1210c