I use Firefox as a browser under an account that syncs across all my devices (an iPhone and several Windows machines), and I also use its built-in password manager (which used to be called Lockwise but is now simply the Firefox on-board password manager). It’s a very convenient solution because I have all my passwords with me everywhere, but I’m worried that major mayhem may occur if my iPhone gets stolen. So I’m looking for a proper solution here. The objectives and constraints are:
I want security, in particular against the phone loss scenario described above and against hackers attacking the database of my passwords (they must be lying on some external server, right?). And preferably, the operators of the server wouldn’t have access to my passwords either.
I want ease of use, in particular integration into Firefox - so that whenever I want to log onto a website on my phone or Windows system, it takes me just a few clicks or taps to get the browser to fill in the correct log-in credentials.
I want a reasonable level of continuity - in the sense that if whatever service I’m using goes out of business, it gives me at least sufficient advance warning so I can migrate my passwords elsewhere.
I want comfortable migration from my current Firefox password management to whatever system I’d be using (AIUI, the way to do it would be to export my passwords from Firefox as a CSV file, import that into the new manager, and then make very sure I delete the CSV).
I’m willing to pay a reasonable amount, say something up to $/€5 a month or so.
So, what’s advisable? I’ve read good things about a service called Bitwarden, which seems to be an open-source project. Or is Firefox’s built-in free solution not that bad, and I might as well stay?
If you want to keep using Firefox’s built-in sync, just make sure your phone is relatively recent, from a major brand, and has a good, strong password/PIN. You should double check this with the manufacturer or instructions, but the phone should be encrypted while off, and a few failed password entries should lock it and turn it off. It should generally be very difficult for a thief to break into a locked modern phone — they would generally need “state actor” (think intelligence service) level of resources in order to do so. You can also see if your phone supports remote wipe for added peace of mind.
Otherwise, if you don’t want your passwords to be protected only by your phone lock, then using a password manager that has its own built-in encryption would give you an additional layer of security — at the expense of having to type in another master password on top of your phone unlock.
Bitwarden is OK (I use it for work every day) but 1Password is a lot better, IMHO — it’s just easier to use. Either one encrypts your passwords with a separate master password, so even if someone steals your phone, your other passwords are useless without the master one.
In daily use, in practice, it means you would just need to enter the master password usually once a day (or whatever you set it to). Then the browser extension or mobile app would autofill passwords similar to how the built-in Firefox one would.
So TLDR:
Use Firefox sync with a strong phone unlock, and check if your phone is encrypted when off and if it can be remotely wiped
For stronger security, you can use a password manager with its own encryption. Both Bitwarden and 1Password are good. I prefer 1Password. Do NOT use LastPass, which has had a LOT of security incidents.
Edit: Oh, and either one can easily import from Firefox. You have to delete not only the CSV but also the saved Firefox passwords in the cloud afterward. Both also support easy exports, so you can take your passwords (and also your 2FA and passkeys, if you choose to use them) with you elsewhere if you ever need to.
Edit 2: Sorry, just saw the “iPhone” mention specifically. If it’s from within the last few years, you should be fine with a strong PIN.