Is Firefox's Lockwise secure?

I have two big concerns with Lockwise.

  1. It doesn't auto-timeout/logout, so if an attacker gains access to your device, he/she also gains access to all of your passwords.

  2. Passwords stored in Lockwise are also stored in Firefox. A master password can add a layer of security to Firefox on a PC, but the mobile version of Firefox doesn't have this functionality, so anyone who gains access to your Firefox account will also gain access to your Lockwise passwords even if you have a master password set up on one of your devices. The biggest issue there is that when you sync your Firefox account to Firefox on a mobile device, it stays logged into your Firefox account, so all of your passwords are there for the taking for anyone who gets into your device.

Further exploration of your question:

Whether it is "secure" depends on your analysis. Lockwise cloud storage appears to be secure.

The question of whether data should be protected against other programs is something that comes up in the media and discussions quite frequently.

There are two main schools of thought:

  • One, often levelled by third parties, is that access should be as hard as possible. Thus data should be locally encrypted and locked down as much as it can.
  • The other is that there is no defence against an attacker who has access to your account anyway. Therefore it doesn't make sense to expend much effort against attacks by other programs running within your account.

Major browser vendors mostly go with the latter. Presumably also with the idea that if you make password management easier, then more people will use it - and this will be a greater security benefit overall.

Third-party password managers will often take additional measures to protect the local data, at the cost of additional hassle for the end user. Password management is always a tradeoff between convenience and security; and at the end of the day, using a reasonably secure password manager is much better than having a super-secure one and not using it.

For Lockwise, you can "secure" the local storage a bit by setting a master password.

None of the approaches is inherently "bad" though.

By default, Firefox only encrypts your passwords when stored on their servers for syncing between devices. If you want to also encrypt them locally so that other processes running in your user profile cannot read them, then you need to set a master password in the Firefox settings. I think this still needs to be done separately on every device.

This is a long-existing well-known drawback of storing your passwords in any major browser. They all (by default anyway) choose convenience over security and make the locally stored passwords easily available to any process running in the same user account on the local machine. Doing differently would require the user to type a password every time they launch the browser (or at least every time any remembered password is used) which I guess for the average user is too much trouble.