they certainly aren't as bad as they used to be, but the UX hasn't improved much. in-browser password managers these days have acceptable security and features like the one in the article are starting to surpass other password managers. but gawd, the UX.
my biggest qualm with the UX of firefox's password manager is the "master password" feature. it's a password you must enter to unlock your keychain. that's a must-have for me.
what firefox does wrong:
* it's rendered as a simple dialog prompt, identical to javascript's window.prompt. could be faked by a site for phishing.
* the unlock prompt launches once, about 30 seconds after the browser is launched (right while i'm in the middle of typing a URL) and grabs focus.
* if you don't provide a password, the prompt will show up again each time you visit a page that has a login form for which you have a saved password, even if the login form is hidden with CSS. many sites have login forms on every page.
* there's no way to unlock the keychain on a per-site basis or lock it again once you've unlocked it (besides closing the browser).
what i want is:
* when i'm about to log in to a site, i expect to provide my master password and have firefox autofill my saved password for this site only.
* if i need the password again later, or a password for a different site, i expect to have to provide my master password again.
* a dialogue that i can trust to have come from the browser itself rather than the webpage.
* not to be interrupted by the dialogue unless i need to access a saved password.
They seem to be working on the password manager in general lately(ish), e.g. https://lockwise.firefox.com/, so I think there's a decent chance that side of things will improve. Because yeah, it has been an awful, nigh-unchanged experience for pretty much its whole existence.