🚀 go-pugleaf

On 25/05/2025 12:50, Jota.Ce wrote:
>
> I'm starting to use LibreWolf, and they recommend a password manager to
> avoid storing passwords in the browser. They recommend Bitwarden and
> KeepassXC add-ons, but i don't like to use them, as i can't install them
> on SeaMonkey.
>...

You can use KeepassXC as a separate program and get it to fill in the
username/password/TOTP code for each site as required, like so
* run the program with your KP password DB
* at an authentication prompt, unlock KP with your master PW
* select the site in KP
* if you have set up a logon sequence for the site, use ctrl+shift+V to
run the sequence, so populating the appropriate fields
* otherwise just copy+paste the auth fields as required.

Although this may be less convenient than a browser extension it may
also be more secure. Maybe the same works for BW too.

HTH
/df



--
London
UK

Thanks for your answer.

Isn't that a much slower process? My (maybe wrong) idea is that you only have to click and use a password when it's running as an extension.

I think that KeepasXC add-on is only a "bridge" from the browser to the installed program, so cyou can avoid calling the program, authenticate
in it, selecting the site, copying data (which is algo a problem if you have a keylogger inside).

I mean... I prefer to have a less secure, but much more use-able program. Just like a standard browser password manager, but more secure. And
synchronized between platforms/places, portable version, as maybe we won't have admin rights in my workplace next year.

Sorry if i can't explain it correctly.

Regards.

El 25/05/2025 a las 23:56, Dirk Fieldhouse escribió:
> On 25/05/2025 12:50, Jota.Ce wrote:
>>
>> I'm starting to use LibreWolf, and they recommend a password manager to
>> avoid storing passwords in the browser. They recommend Bitwarden and
>> KeepassXC add-ons, but i don't like to use them, as i can't install them
>> on SeaMonkey.
>> ...
>
> You can use KeepassXC as a separate program and get it to fill in the
> username/password/TOTP code for each site as required, like so
> * run the program with your KP password DB
> * at an authentication prompt, unlock KP with your master PW
> * select the site in KP
> * if you have set up a logon sequence for the site, use ctrl+shift+V to
> run the sequence, so populating the appropriate fields
> * otherwise just copy+paste the auth fields as required.
>
> Although this may be less convenient than a browser extension it may
> also be more secure. Maybe the same works for BW too.
>
> HTH
> /df
>
>
>

Jota.Ce wrote:
> Hi all
>
> I'm starting to use LibreWolf, and they recommend a password manager
> to avoid storing passwords in the browser. They recommend Bitwarden
> and KeepassXC add-ons, but i don't like to use them, as i can't
> install them on SeaMonkey.
>
> I read somewhere that you could use the last Bitwarden XPI version
> (3.3.4?), but... Is it true nowadays? Is it safe? Could it be
> installed on LibreWolf?

Since I have an old Seamonkey extension called AMO Browsing for
Seamonkey, that gives me the ability to browse the addons.mozilla.org
and addons.thunderbird.net (for hosted Seamonkey extensions), and I'm
finding no XUL versions of BitWarden.  The oldest version of the
Bitwarden extension is 1.9.8, released in February of 2017, which is
explicitly noted as a WebExtensions version.  I also have Classic Addons
Archive installed, and a check there shows no offers of Bitwarden either.

I don't remember the timing, but it's entirely possible that Bitwarden
didn't come on the scene until after the release of Quantum with
WebExtensions and corresponding deprecation of XUL versions. The
evidence I see suggests that there may never have been an XUL version of
a Bitwarden extension.

Remember that LibreWolf is a fork of current versions of Firefox
(including full support for Quantum and WebExtensions). Their focus is
on providing stricter privacy than what's provided in default settings
in Firefox. I haven't investigated in detail, but my sense is that the
difference between Firefox and LibreWolf is less than inherent
security/privacy built into the code, so much as default configuration
settings, where Libre sets those to be as restrictive as possible (and
where many users may need to loosen some settings to get things to work
properly).  If you know what to do, you may be able to accomplish pretty
much everything LibreWolf provides with your own tweaks to Firefox.

But I'm pretty sure that backwards compatibility with older browsers is
not something that LibreWolf is trying to do.

Thus, the decision for you is a matter of whether you prefer to harden
Firefox or soften LibreWolf, if the workable point is somewhere in
between the two.

> In the past i had only 2-3 different passwords, but nowadays i have
> to deal with many variations of lenght, upper, lower, symbols,
> numbers,... It's a complete mess.
>
> What would you recommend?

You definitely want a password manager, although you may not have any
options for tight integration via extension. Although there are ways of
getting some integration without extension, that approach will
necessarily require more work on your part.

Personally, I use KeePass, and I like what it does for me. Although it's
not quite as elegant as an extension-driven manager, it does have some
integration functions, including the capacity for "auto-type", of
entering ID and password, as well as scripting capacity to work around
login interactions that are more complicated than
<ID><tab><password><ENTER>.  However, for me, a significant advantage of
not having the integration from the extension means that I can use my
KeePass store much more widely than my primary profile in Seamonkey.  As
a matter of course, I make use of several different browsers on my main
computer, and I frequently work from more than one computer (and
multiple browsers there).

Thus, I have enough capacity in KeePass to be able to use that data in
whatever browser or computer that I'm using (including that I keep a
copy of my password store where I can get to it from my LAN). And for
good measure, because KeePass is not integrated with my browser, I make
use of it for a handful of other things that aren't browser-related at
all, such as with SSH keys. Although I make a measure of use of the
Seamonkey password manager on my primary settings, the biggest
limitation is that anything saved there is available only there, and
KeePass gives much more freedom to use that data much more widely.

I will commend you on moving away from having only a few passwords (and
frequent reuse of passwords).  In my own setups, I have about 4 or 5
passwords that I have memorized (typically, places where I have to
hand-enter passwords), but for everything else, I rely on KeePass,
including the ability to generate passwords that are as long and as
complex as a service will accept. I have no clue about the content of
those passwords, just that KeePass will properly transmit them when I need.

Smith

I was wrong in the name.

It *was* LastPass v3.3.4, which was the last XUL/XPI release.

I read it here: https://www.reddit.com/r/Bitwarden/comments/lnovc4/xul_extension_for_firefox_forks_like_pale_moon/

Sorry for that :(

El 27/05/2025 a las 4:55, NFN Smith escribió:
> Since I have an old Seamonkey extension called AMO Browsing for
> Seamonkey, that gives me the ability to browse the addons.mozilla.org
> and addons.thunderbird.net (for hosted Seamonkey extensions), and I'm
> finding no XUL versions of BitWarden.  The oldest version of the
> Bitwarden extension is 1.9.8, released in February of 2017, which is
> explicitly noted as a WebExtensions version.  I also have Classic Addons
> Archive installed, and a check there shows no offers of Bitwarden either.
>
> I don't remember the timing, but it's entirely possible that Bitwarden
> didn't come on the scene until after the release of Quantum with
> WebExtensions and corresponding deprecation of XUL versions. The
> evidence I see suggests that there may never have been an XUL version of
> a Bitwarden extension.

Thanks also for talking about your personal choice with that amount of details.

I have seen that Keepass has a Portable/sync-able version, so i may try it in summer holidays.

But in the mean time... Have you used/heard about that last XPI version of LastPass? Could it be unsafe nowadays?

Could you use an older XPI of LastPass on SeaMonkey and a newer WebExtension version of LastPass on LibreWolf to get a synchronized database?

Thanks again, and kind regards ^_^


El 27/05/2025 a las 4:55, NFN Smith escribió:
> You definitely want a password manager, although you may not have any options for tight integration via extension. Although there are ways of
> getting some integration without extension, that approach will necessarily require more work on your part.
>
> Personally, I use KeePass, and I like what it does for me. Although it's not quite as elegant as an extension-driven manager, it does have some
> integration functions, including the capacity for "auto-type", of entering ID and password, as well as scripting capacity to work around login
> interactions that are more complicated than <ID><tab><password><ENTER>.  However, for me, a significant advantage of not having the integration
> from the extension means that I can use my KeePass store much more widely than my primary profile in Seamonkey.  As a matter of course, I make
> use of several different browsers on my main computer, and I frequently work from more than one computer (and multiple browsers there).
>
> Thus, I have enough capacity in KeePass to be able to use that data in whatever browser or computer that I'm using (including that I keep a copy
> of my password store where I can get to it from my LAN). And for good measure, because KeePass is not integrated with my browser, I make use of
> it for a handful of other things that aren't browser-related at all, such as with SSH keys. Although I make a measure of use of the Seamonkey
> password manager on my primary settings, the biggest limitation is that anything saved there is available only there, and KeePass gives much
> more freedom to use that data much more widely.
>
> I will commend you on moving away from having only a few passwords (and frequent reuse of passwords).  In my own setups, I have about 4 or 5
> passwords that I have memorized (typically, places where I have to hand-enter passwords), but for everything else, I rely on KeePass, including
> the ability to generate passwords that are as long and as complex as a service will accept. I have no clue about the content of those passwords,
> just that KeePass will properly transmit them when I need.
>
> Smith

Jota.Ce wrote:

>
> But in the mean time... Have you used/heard about that last XPI version
> of LastPass? Could it be unsafe nowadays?

I made a check of Seamonkey's available extensions and there is Vault
Shortcut, version 1.0.2 that was released in July of 2017.  According to
the description,

"Adds a toolbar button that opens the LastPass Vault in an external
browser.This is an extension for SeaMonkey and Pale Moon that adds a
toolbar button to launch the LastPass Vault in an external browser."

That's all I know, and it would appear to facilitate access to a
LastPass store. I have no idea of how well it might work, knowing that
in that era, LastPass was more friendly to local storage (or at least
local copies) of password stores then, than it is now.

Although I've never used LastPass, I was amenable to it, knowing that it
was more flexible in being able to get to stores without having to
connect to LastPass servers.  In the meantime, I've soured on LastPass,
with them having multiple corporate owners that are focused on
maximizing revenues, and in a way that seems to cause them to take
shortcuts, and where they've had multiple data breaches in the last
several years.

>
> Could you use an older XPI of LastPass on SeaMonkey and a newer
> WebExtension version of LastPass on LibreWolf to get a synchronized
> database?

Possibly.  I have the Class Add-ons Archive installed (access to many,
but not all XUL extensions that stopped working after Firefox 56 and
Thunderbird 56), and there is a version of LastPass there, 4.1.67, that
supports Firefox versions up to 56, and should be usable in Seamonkey.

The one caution with older extensions, especially ones like that
interact with external services, whether or not the service has changed
enough to cause the extension to be unusable. Obviously, you won't have
access to newer features, but there's no way of telling if the current
status of LastPass is completely incompatible with the old extension.
And of course, old extension aren't being maintained, either for
security or bug fixes.

Smith

Jota.Ce wrote:
> But in the mean time... Have you used/heard about that last XPI version
> of LastPass? Could it be unsafe nowadays?
>
> Could you use an older XPI of LastPass on SeaMonkey and a newer
> WebExtension version of LastPass on LibreWolf to get a synchronized
> database?

I used to use the XPI version of LastPass on SM and also a version on my
phone. Worked very well at the time. Then LastPass went weird, new
owners? and got aggressive asking for money and other stuff and I
stopped using it.
The XPI version is pretty old now, I don't think I would trust it.
Dave
ps now use versions of keepass and copy and paste passwords into SM

Thank you both, NFN Smith for taking so much time with this subject, and Dave Yeo for the last final touch.

I now know some basic things before taking a path to a safer password management.

This summer i'll try to make an approach.

Maybe someday SM will implement WebExtensions while mataining compatibility with XUL.

Thanks again, and regards.

El 02/06/2025 a las 16:53, Dave Yeo escribió:
> Jota.Ce wrote:
>> But in the mean time... Have you used/heard about that last XPI version
>> of LastPass? Could it be unsafe nowadays?
>>
>> Could you use an older XPI of LastPass on SeaMonkey and a newer
>> WebExtension version of LastPass on LibreWolf to get a synchronized
>> database?
>
> I used to use the XPI version of LastPass on SM and also a version on my phone. Worked very well at the time. Then LastPass went weird, new
> owners? and got aggressive asking for money and other stuff and I stopped using it.
> The XPI version is pretty old now, I don't think I would trust it.
> Dave
> ps now use versions of keepass and copy and paste passwords into SM