How can I get the firefox lockwise review?
I have lot's of passwords saved in Firefox Password Manager, now called Lockwise. I recently installed Opera Browser on my machine. It somehow managed to import all the history-data and form fields, such as username and passwords into the Opera's local database. As I understand, the username and passwords are send to the server e.g; Yahoo-Mail, in clear text via HTTPS. So Opera has to apply the credential information in the form fields in clear text.
So if Opera can get the passwords, any other harmful software might get it too right?
Am I missing something? So my final question is; Is Mozilla Firefox's Lockwise realy save?
To get the firefox lockwise review, you should understand what Lockwise does:
PBKDF2 and HKDF with SHA-256 to create the encryption key from your Firefox accounts username and password. So the encryption key is derived from your Firefox username and password. Since your credentials are cached to prevent you from signing in every time you use Lockwise, Opera presumably was able to access your database using those cached credentials - as would be an attacker. If Lockwise doesn't require your password, neither does a benign or malicious program, especially if the credentials are cached on the file-level. It's like encrypting a file and storing the password right next to it.
In that case a password manager that can be locked, or locks more frequently, then removes the decrypted data from memory, and requires the master password anew when unlocking the database may be a safer option. Whether one or the other is "secure" depends in context on the type of threat you are trying to guard against. They can only be secure in respect to particular threats. Nevertheless, an existing route to directly and programmatically decrypt a password database on your local system offers more attack surface than one that requires your manual input of a master password.