What browser do you use?

Yeah I don’t use Vivaldi either . . . just Firefox

Explain? Did I do something I told others not to do?

I was talking about Distrotube. Sorry if this was not clear enough, didn’t mean to offend you in any way. :frowning:

1 Like

Ah gotcha. Never looked at Distrotube so didn’t understand the reference you were making. No offense taken

Regarding the “rubbish” comment. Pocket, 100% agreed. Ff password manager being rubbish, can you explain why you think this is the case?

I agree with @Kresimir that you should never store your passwords in the browser. An external password manager should always be used. I wouldn’t trust any browser, whether Firefox or the thing from Goolag …

And YES, I confess: I use Chromium now after more than 20 years, because I’m just fed up with FF. But with Bitwarden as password manager. Now stone me …

1 Like

I’ve already explained it many times, but I’ll give you a concise summary. It’s terribly unsafe. Firefox’s password manager stores passwords offline, but also allows anyone who steals your Mozilla account to sync and get all your passwords, without even needing another master password.

A password manager needs to be 100% offline, never uploading your password database to other people’s computers.

1 Like

It’s fiiiiiiiine you can totally trust :clown_face:-based solutions!
It’s very protected at our secure www.trust-me.bro :clown_face:

P.S.

Obviously HONK-HONK!!!111

2 Likes

Open source or proprietary, Vivaldi isn’t a privacy-focused browser to begin with.

IMO, there are only 5 browsers that are really privacy-focused.

  • Brave [1]
  • Ghostery [2]
  • Librewolf
  • Mullvad
  • Tor

It is worth noting that except for Brave, all of the above are based on Firefox.

There are also some derivatives of Librewolf but they are just inheriting what Librewolf is doing. Of course, Firefox can be a great privacy option if you do the work but it isn’t like that out of the box.

Vivaldi, Chrome, Chromium, Ungoogled Chromium, Edge, Floorp, Pale Moon, IceCat, Waterfox, etc. are not really privacy-focused no matter what the marketing material states. To be clear, I am not saying they are not good browsers, just that they aren’t truly privacy-focused if that is what you are looking for.

[1] Brave has made quite a lot of missteps in the past from a privacy and trust perspective for which they have been largely unapologetic.
[2] Ghostery has a troubled past, primarily when they were owned by Evidon. The embedded Ghostery extension (disabled by default) has opt-out telemetry.

3 Likes

Exactly. My point is that a proprietary browser cannot be privacy-focused at all, but even if it weren’t proprietary, Vivaldi would still not be a privacy-focused browser. Thus the advice this person is giving is really bad.

1 Like

I’m using Firefox, and have for over a decade, with Chromium as a fall-back if I need to test a site that’s misbehaving on FF.

I think “terribly unsafe” is a little extreme to describe FF’s password management if you take care setting it up.

Using FF sync for your passwords, you can add two-factor authentication (2FA) to your FF account, which will then be required in addition to your account password to sync with a new device. Without 2FA, I do think it’s more risk than I’d take.

The passwords are encrypted using a key stored on your computer, and only the encrypted passwords are on the FF server. With 2FA, it seems reasonably secure to me, especially given the convenience, though I admit I still don’t use it for my banking credentials.

Just because you’ve used something for years without a major incident, doesn’t mean it’s intrinsically safe. I’ve used windoze for years, too, never really had an incident (and if I had, I certainly wasn’t aware of it).

Regardless of 2FA, you are still sharing your password database with Mozilla. Sure, it’s encrypted, but unless your password is really good, that can probably be brute forced. My master password has pretty high entropy, yet I wouldn’t share my encrypted password database with the public, as I don’t really want to challenge hackers to crack it open. I have no idea whether they could do it, and I really don’t want to find out the hard way.

“Terribly unsafe” sounds just about right when describing Firefox’s password manager.

Any password manager that needs internet access and some account with a 3rd party is a terrible idea, and should be avoided.

Not to mention, 2FA is itself a privacy nightmare, as it links your online identity to a smartphone with a unique identifier. Any “service” that requires 2FA with a smartphone should probably be considered untrustworthy and avoided.

My advice is to use something 100% local, like KeePassXC, which has a plugin for Firefox and almost the same level of convenience, apart from automatic sync (you need to manually copy your password database).

1 Like

I would disagree here. 2FA via a Smartphone as the 2nd factor IS a nightmare, for sure. And it shouldn’t be called 2FA at all. But if the second factor on top of a strong password is for example a hardware token which is physically detached from the computer/smartphone/whatevercallsforasecondfactor then it is a security improvement. Think ChipTAN, think Yubikey. Using a Smartphone for anything security sensitive is always wrong.

1 Like

Oh yes, that’s an entirely different thing. We don’t disagree. I was talking about what people commonly call 2FA these days, which is using a smartphone with 𝖕𝖗𝖔𝖕𝖗𝖎𝖊𝖙𝖆𝖗𝖞 soyftware as the second factor. When I say that that’s a really stupid and unsafe idea, I mean specifically that.

In general, as a concept, 2FA is not a bad idea, but only if you have complete control over it.

It depends what you are talking about specifically but if you are referring to standard TOTP solutions, I would say that is just as private as a hardware key unless you use a different hardware key for each login.

On the other hand, if you are talking about something that links itself to data on your phone or something like Steam Guard then, yes, that is highly identifiable.

Multi-factor is one of those places where security and privacy are not the same thing.

I was thinking of Mozilla account 2FA, or Goolag’s or Facebook’s login… And yes, Steam, too.

Time-based OTP can still be used to identify you, if the application that runs on your smartphone can call home.

1 Like

I didn’t mean to imply that FF is safe because I’ve been using it for a long time without an incident; the original topic was “What browser do you use?” and I was answering that. Sort of misleading, I guess.

I do use KeepassXC and tried the browser extension, but I switched back because I didn’t like adding an extension to FF, needing to have another application open (KeepassXC), and found that the browser extension didn’t work as consistently as FF’s password manager.

As with most privacy/security approaches, it’s a trade-off between convenience and security/privacy, I guess.

At the same time, if I ever post anything really stupid here, I can always claim my FF password manager was hacked and somebody else did it.

But so can a hardware key, right? It is essentially a free unique fingerprint.

Yes, exactly. So you would want it to run open-source software, wouldn’t you? Software that you can, at least in principle, inspect and build yourself.

And use a different one for each service.

That way you can separate your “meat world” identity and your account.


But when it comes to password managers, none of that is really necessary if you keep your database strictly local.

If you scan a new QR code from any server to create a new TOTP on any of your devices, even an offline/local one, the server could still save this QR code with your verification. People who work at this server could copy this QR code to create a TOTP the same as your TOTP.

This means that the server can control your account if you are logged in to its website.