grahl/ch

Migrating Firefox's password storage to Loxodo

Photo CC-BY by myklroventine

Passwords are inevitable. At least for the next few years. So it makes sense to find a reasonably secure but efficient way of managing them.

For the last few years, I’ve used a combination of CLI password generator, Firefox’s password manager with a master password, a manually encrypted reference and my memory. This was an adequate solution but has certain limitations in terms of dependence on a specific browser profile and manual workarounds when a specific site misbehaves. So I looked around.

Choosing a password manager

There are hunders of password managers available today, so I’m not going to attempt to summarize even a portion of them here. Password Safe stands out from the rest, though. First, it helps that its original author is a credible source. More importantly, though, the file format is documented and alternative clients and libraries are available. Also, there is an Android app available, too, and it comes with sensible permissions. I look forward to using this when away from my laptop. 

A Linux client (Beta) now exists of the original Password Manager and I might try it out sometime regarding auto-input, but for now the simplicity of Loxodo appealed to me. I’m unsure whether I’ll invest the time to learn wxWidgets to add a grouping pane or whether I’ll switch clients at some time. In either case, the underlying file format gives me an easy way to switch back and forth between v3 clients.

Exporting from Firefox

Getting the list of logins in Firefox Password Manager exported requires a separate extension, Password Exporter worked well for me. I based my work on the CSV output. I suggest cleaning the file up a bit before importing. For example, consider removing superfluous headers. Since there isn’t an exact match between the title field in Password Safe and the export from Firefox, I used the host entry as title and formSubmitURL as url. The former really doesn’t need the http, so stripping that made sense for me:

:%s/^"https:\/\//"/g
:%s/^"http:\/\//"/g

Importing to Loxodo

Armed with a CSV file, getting the data into Loxodo was a straighforward process and was made extremely easy through the existing CLI components. Iterating through the CSV file and calling the relevant vault function for adding an entry can be done in Python with a handful of lines, you can find my importer commit on Github. Working with PHP most of the time, I find the elegance, efficiency and fun of Python still suprising every time I have a chance to use it.