Firefox 1pass



I’ve been using an OpenBSD laptop as my workstation a lot more lately, probably because most of my hardware just works now and I don’t have to think too much about it. The touchpad works when I touch it, I can be confident that when I close the lid, the laptop will fully suspend and then fully resume again when I open it, WiFi works all throughout my house (although it’s not terribly fast), and my web browser is fast and stable. What amazing times we live in.

In the past, one thing that frequently kept me going back to my Mac, aside from iOS and Android development, was 1Password. I have a ton of logins for websites and servers, and because my browsers are all configured to clear cookies for most websites after I close their tabs, I need frequent access to passwords synced across my laptops and phones, and 1Password has great apps for all of those except OpenBSD.

  1. 1Password integrates with desktop web browsers including Safari, Chrome, Firefox, Edge, and Opera. The extension can remember logins for websites, fill in website logins automatically, and generate random passwords for new websites. To use browser extensions, the user must have administrative rights on the computer where the browser is installed.
  2. When using Mozilla Firefox, your password vault is your home base for everything you’ve saved including passwords, secure notes, and credit card information. Usually, you can manually add your passwords to your vault, or it will automatically capture account passwords when you enter them on every website as you browse in Google Chrome.
  3. Firefox Lockwise lets you securely access the passwords you’ve saved in Firefox from anywhere — even outside of the browser. Features 256-bit encryption and Face/Touch ID.

The Firefox Password Manager securely stores the usernames and passwords you use to access websites and then automatically fills them in for you the next time you visit a website. This article will show you how to use the Password Manager to remember, view, edit, remove and protect your passwords, and also how to disable the Password Manager.


All of 1Password’s syncing currently works through my Dropbox account. My Mac has 1Password configured to store its encrypted database in my local Dropbox directory, Dropbox does its automatic syncing of that directory to their servers, and 1Password on my phone uses Dropbox’s API to pick up any changed files. It’s been reliable for years, I have local versioned backups of my database, it works when my devices are offline, and I know I can access that data years in the future.

Using 1Password on OpenBSD

To bring OpenBSD into the mix, there are 3rd-party command-line apps which can read local 1Password files such as 1pass written in Go. Getting the 1Password files onto OpenBSD was left as an exercise to the reader, sending me down the rabbit hole of trying to add OpenBSD support to various FUSE-based packages that could provide a local filesystem view of my Dropbox directory. I managed to hack one of them into semi-working shape, but eventually I gave up and used rclone to do one-way fetching of my Dropbox directory on demand.

While this allowed me to at least view and copy passwords, the process was less than ideal. Browsing in Firefox, I’d have to open a terminal, type 1pass copy <some website>, choose the right one, and then go back to Firefox and paste it in the proper field. Tedious, error-prone, vulnerable to phishing, and now my password is hanging out in clear-text on the clipboard.

A Firefox add-on called Passcards from the developer of 1pass seemed encouraging, as it did Dropbox syncing on its own and supported auto-filling passwords in the browser, but I could never get it to work. The hard-coded Dropbox API token in the add-on doesn’t work and the mess of Node dependencies to build a local version failed miserably on OpenBSD.

1Password Lock-In

Meanwhile, AgileBits, the 80-person company developing 1Password, has been pushing their new hosted, subscription-based model for 1Password going forward. Instead of users being in control of their data files, 1Password will store them on AgileBits’ servers and users pay a monthly subscription fee for the privilege, forever.

I’m an app developer, I get it. A big company can’t sustain development of a product that users only pay for once. However, I’ve paid for 1Password and all of its major version upgrades, and the $10 or whatever it was to unlock the “pro” features of the iOS app. I’m not opposed to paying money for apps, or for upgrades, or even for a subscription, but I don’t want to pay to host my passwords on AgileBits’ servers. Security concerns aside, there is an issue of lock-in and now having to make my OpenBSD hacks work with AgileBits’ new API (is there even one?) instead of just accessing and backing up files from Dropbox.

Since I wasn’t sure how long 1Password would keep working with its non-subscription-based syncing and I was still missing first-class OpenBSD support, I started looking into migrating to something else.

Finding Bitwarden

The main competitor to 1Password is LastPass, which looks nice and works well as a standalone Firefox add-on on OpenBSD, but it has the same lock-in problem and server-side security concerns as 1Password.

KeePass is a popular open-source alternative but its use case seems focused on a single machine. I don’t need a stand-alone GUI and I do need browser extensions and mobile apps that can all sync reliably. And honestly, looking at their plugins page left me with a bit of decision fatigue: which ones are good, which ones are secure, which ones are still maintained? Does the browser extension have to read files from my home directory or talk to a daemon that my unprivileged Firefox won’t be able to do?

There are various command-line concoctions such as pass which stores PGP-encrypted files in a Git repo, but that doesn’t improve my situation over 1Password. I would still have to manually look up passwords and copy them to the clipboard. These command-line packages also lack mobile apps and syncing.

Eventually I stumbled upon Bitwarden which is similar to LastPass but is entirely open-source and its primary developer is funded by users paying for subscriptions to store their data on Bitwarden’s servers. However, all of their browser extensions and phone apps support setting a custom API URL before logging in, to allow for private installations. The iOS app and Firefox extension that I tried out looked fairly well polished, but I was more concerned with it being an open platform so I could fix bugs, add features, and host my own data.

Unfortunately, the open-source backend for these apps is written in .NET and expects to talk to a Microsoft SQL Server, requiring a big Docker image to deploy a private installation on Linux.

Since I was expecting to run my own API server on OpenBSD without all of that overhead, I decided to write my own compatible server. Sadly, there is no documentation on Bitwarden’s API (outside of its .NET code) so I was not even able to figure out what my server would need to provide.

Rubywarden


Rather than wade through lots of .NET code, I decided to go for a black-box approach. I wrote a simple proxy in Sinatra that I could point the Bitwarden Firefox add-on to as its private API URL. The proxy would intercept each request, print it out to the console, then send it to Bitwarden’s actual API, print out the response, and send it back to the Firefox add-on.

With that tool I was able to document all of the API calls that the Firefox extension and iOS app made and the response each was expecting. The encryption key derivation scheme used to actually encrypt and decrypt all of the data took a bit longer to figure out, but because everything is open source, I was able to read the Javascript code of the Firefox add-on to understand what it was doing to encrypt a string with a given password.
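An added example, not code from Rubywarden or the Bitwarden add-on: one way to express in Ruby the kind of key derivation and string encryption described above. It assumes the scheme is PBKDF2-HMAC-SHA256 salted with the lowercased e-mail, and an AES-256-CBC plus HMAC-SHA256 "type 2" cipher string; the iteration count, the function names and the sample credentials in any call are assumptions chosen for illustration.

```ruby
require "openssl"
require "base64"

# Assumed default; the real count is whatever the client registered with.
KDF_ITERATIONS = 5000

# Stretch the master password into a 32-byte key, salted with the e-mail.
def make_master_key(password, email, iterations = KDF_ITERATIONS)
  OpenSSL::PKCS5.pbkdf2_hmac(password, email.downcase, iterations, 32,
                             OpenSSL::Digest.new("SHA256"))
end

# Value sent to the server for login: one more PBKDF2 round over the master
# key, salted with the password, so the server never holds the key itself.
def master_password_hash(password, email, iterations = KDF_ITERATIONS)
  key = make_master_key(password, email, iterations)
  raw = OpenSSL::PKCS5.pbkdf2_hmac(key, password, 1, 32, OpenSSL::Digest.new("SHA256"))
  Base64.strict_encode64(raw)
end

# Constant-time comparison so MAC checks do not leak how many bytes matched.
def secure_eq?(a, b)
  a.bytesize == b.bytesize && a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Encrypt-then-MAC into the assumed cipher string layout: 2.iv|ciphertext|mac
def encrypt_string(plaintext, enc_key, mac_key)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").encrypt
  cipher.key = enc_key
  iv = cipher.random_iv
  ct = cipher.update(plaintext) + cipher.final
  mac = OpenSSL::HMAC.digest("SHA256", mac_key, iv + ct)
  "2." + [iv, ct, mac].map { |part| Base64.strict_encode64(part) }.join("|")
end

# Verify the MAC first; only decrypt ciphertext that authenticates.
def decrypt_string(cipher_string, enc_key, mac_key)
  type, body = cipher_string.split(".", 2)
  parts = body.to_s.split("|")
  raise ArgumentError, "unsupported cipher string" unless type == "2" && parts.size == 3
  iv, ct, mac = parts.map { |part| Base64.strict_decode64(part) }
  expected = OpenSSL::HMAC.digest("SHA256", mac_key, iv + ct)
  raise OpenSSL::Cipher::CipherError, "MAC mismatch" unless secure_eq?(expected, mac)
  cipher = OpenSSL::Cipher.new("aes-256-cbc").decrypt
  cipher.key = enc_key
  cipher.iv = iv
  (cipher.update(ct) + cipher.final).force_encoding("UTF-8")
end
```

Because the server only ever receives the hash and the cipher strings, a copy of its database alone does not reveal the stored logins without the master password.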

With my documentation in-hand, I wrote a new Sinatra server that implements all of the API calls needed by the Firefox extension and iOS app. I deployed it to a server with Unicorn behind nginx, and used Let’s Encrypt to get a TLS certificate for it.

My API server is now small and easy to understand, it has a much smaller attack surface than the .NET version, and all of my data is stored in a SQLite database that I can backup and version with cp. No lock-in, a first-class experience on OpenBSD and Firefox, and I feel better understanding the details of how my data is encrypted.

Migrating from 1Password

The Bitwarden web client (not the Firefox add-on) supports directly importing 1Password data files for users subscribed to Bitwarden’s hosted service. Since I’m not using Bitwarden’s web client, I wrote a command-line 1Password conversion tool that can read a 1Password Interchange Format file, encrypt the passwords using Bitwarden’s format, and insert them into the database that bitwarden-ruby uses.

After importing more than 700 logins from my 1Password file, I noticed that the Bitwarden Firefox add-on was quite sluggish on OpenBSD. Unlocking it with my master password would take four or five seconds to parse everything before showing the large list of logins.


Since this data was years of migrated 1Password installations and other password stores, I decided to spend a few hours cleaning it up. After deleting some 300 logins and moving others into various folders, the add-on seems a bit snappier though still leaves something to be desired. I’d also like to change its keyboard shortcut to Alt+ like Cmd+ is for 1Password, but Firefox’s new WebExtension system doesn’t support changing these hard-coded keyboard shortcuts yet like Chrome does.

At this point I’ve been using Bitwarden’s iOS app and Firefox extension exclusively.

I have some minor things left to implement in my server

My server now has TOTP support, and everything seems to be working well.


Fetch the Rubywarden code from GitHub if you want to check it out.