Foxmarks Beta-Testing Profile-Specific Password Sync
Posted by Gina Trapani at 5:00 AM on September 17, 2008
Our favourite bookmark-syncing extension for Firefox, Foxmarks, is venturing into syncing your passwords as well as your bookmarks between browsers over the internet. Coupled with Foxmarks' new profile support, you can selectively sync what passwords go where and keep your banking passwords at home and your IT passwords at work. You have to opt into the password sync beta to enable it in your Foxmarks account. Of course, trusting your important passwords to a feature in beta—no matter how secure it appears to be—should make anyone concerned about security and privacy antsy, so do proceed with caution, and maybe only use this feature for your low-security passwords. Do you sync your passwords to the cloud, or do you wish you could? Let us know in the comments.

Comments
simone
Posted 5:43 AM 17/9/08
I used Foxmarks for some time, and all of a sudden I had "spam-bookmarks" in my bookmarks. I removed them, they came back. I changed over to the Google-sync-system (which was given up for Firefox 3) and had no more spam. When moving to Firefox 3, I moved back to Foxmarks and again got new spam in my bookmarks.
Either my password for Foxmarks has been cracked or something is fishy. I don't mind deleting a few bookmarks every now and then, but trusting them with my passwords? No way, I stick with 1Password.
Foxdie
Posted 5:24 AM 17/9/08
Hmm potentially dangerous... but also very useful. It would be nice to have my forum and email passwords already filled out when I go to my laptop, like my bookmarks are. But I don't want the chance of someone getting my email password...
Wasn't there a way to host something like Foxmarks on your own server? If that synced passwords I would be more comfortable about using it.
shadowfirebird
Posted 5:51 AM 17/9/08
For the record, I would never do that, and I would humbly suggest that anyone think twice themselves before doing it.
I don't wish to lecture, but for any factual TV program, advert, web-service, newspaper, whatever, ask yourself:
* Who is saying/doing this?
* Who is paying them?
* What do they have to gain if I believe/trust them?
In this case, what they gain is (obviously) your passwords. (Would you give a stranger your passwords?) Even assigning Foxmarks the purest of motives, if it all goes wrong, look what you lose.
yehoni
Posted 5:50 AM 17/9/08
@Foxdie: Foxmarks has an option to sync to a WebDAV or FTP server.
chareverie
Posted 6:33 AM 17/9/08
I would rather type in my passwords even if it is determined to be secure.
I think this is one of those things that would borderline convenience and laziness, too. What tends to be the case is that too much reliance on these kinds of systems makes people forget what their passwords are. (At least from the people whom I know who prefer to have their passwords automatically inputted or stored on their computer.)
Passwords, much like one's social security number, are something a person should know inherently.
baglunch
Posted 6:28 AM 17/9/08
Why would anyone use this instead of LastPass or, well, any of the strong encryption free password services out there? I use LastPass, and I'm tremendously happy with it. I know there are other good options out there, too, just don't remember 'em right now. But yeah, I've used LastPass to change all my passwords to 15 char (or more) strings of ASCII gibberish, so I have a different very strong password for every login, and I don't have to remember any of them (other than my one LastPass password). I wish LastPass worked for offline apps as well, but it's on their wishlist.
Regardless, I can't see a reason to use Firefox's password manager at all.
savedsoul
Posted 6:19 AM 17/9/08
You might also want to highlight here the encryption algorithm they are utilizing: AES 256-bit.
Pretty good if you ask me, but I'm not a security guru ... any thoughts?
MacGizmo
Posted 6:44 AM 17/9/08
All my passwords are "Password123" anyway...
OK, so that's a lie. But I love this add-on for Firefox bookmarks, but I already use 1Password on the Mac, so this new feature doesn't interest me. Easily turned off, I suppose.
baglunch
Posted 8:39 AM 17/9/08
@chareverie: If you use a single password across multiple sites, you are opening yourself to dramatically increased risk. An easy to crack password is one thing, but an easy to crack password that's used for 10 sites... if a hacker gains access to any one of those sites, he has you compromised across all of those sites. And whatever info you have stored at any of those sites.
Using a password generator and manager app is much safer, and it's more convenient, since you don't have to (mis)type anything in. Just click and go.
Don't be lulled into a false sense of security regardless of what method you use, but multiple reuse passwords are just asking for trouble.
kevish
Posted 11:03 AM 17/9/08
Good gracious! This is as stupid as Google's attempt at password syncing.
Want to make me feel really good -- how about just sync what's **already encrypted** by Firefox. All this Foxmarks-specific-but-unknown-to-Foxmarks BS is just that: BS. Why do I need to set up a PIN for you to use when I can already set Firefox to do my password encryption for me?
Two thumbs down for security concerns -- and what other concern trumps as to passwords?
xcesarfrancox
Posted 1:33 PM 17/9/08
I use LastPass for my password syncing. It replaces the Firefox password manager and it protects the password stronger than Firefox. I find it more secure and very, very useful.
Please note that you don't have to have the LastPass extension installed on another computer in order to use it; you can always open your passwords from a web interface. It also notifies you by mail whenever a password or username is being changed from your list, so you can have a secret email just for getting these notifications, whose password is not inside the LastPass password list, and have this very safe.
goberoi
Posted 7:29 AM 18/9/08
Howdy folks, I'm part of the Foxmarks team and wanted to chime in to answer some of your concerns.
First off, we're not the password-stealing pirates that you might think we are (though do mark your calendars, International Talk Like a Pirate Day is this Friday). Our biggest motivation to build this feature was simply because so many of our customers wanted it.
About two months ago we conducted a survey and asked our users what other browser data they would like us to sync. Almost 20k people responded with passwords at the top of their list (some of them sorely missed password syncing from Google Browser Sync). We saw these results and knew that there was a lot of demand for this feature, but we only wanted to build it if it could be absolutely secure.
That's why we spent considerable time designing a system that ensures that nobody but you can ever look at your passwords. We chose the AES 256-bit encryption algorithm which, on existing hardware, will take somewhere on the order of 20 times the age of the universe to crack (it's true, look it up). So you see, we designed the system so that not even we can see your passwords.
At the end of the day, password synchronization isn't for everybody. Some people have amazing memories and don't need it, while others aren't comfortable with the idea of syncing. That's no problem, since password sync is 100% optional and is turned off by default in Foxmarks (and always will be). For those who are interested, Foxmarks is one of the few products out there that will sync your passwords in the most secure way possible entirely for free. We encourage you to give us a try and let us know what you think!
P.S. @simone: We don't inject spam into your bookmarks. That would be breaking our own privacy policy. It's possible that you ran into a bug. Visit our support page (foxmarks.com/help) and we'll help you sort it out asap.
Joe@LastPass.com
Posted 4:59 AM 19/9/08
@goberoi: Why do you have users enter a 'pin code' instead of a master password with a complexity meter like LastPass does? This makes your encryption highly suspect -- by calling it a 'pin code' you're basically guaranteeing the user will use ONLY numbers, which radically reduces the encryption's effectiveness, and worse, most people use 4-digit pin codes at their bank, so that's the most likely scenario.
When a user selects a 4-digit pin, a rogue employee at Foxmarks could crack all their passwords in a few minutes by a brute force attack. I'm not saying there's a rogue employee at Foxmarks, just that it's a good idea to plan for it, like LastPass has.
I've never tried Foxmarks, so hopefully I'm missing something here.
Joe Siegrist
[lastpass.com]
Joe@LastPass.com
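Added example (not part of the thread, and not Foxmarks or LastPass code): the concern in the comment above is that a key derived from a short PIN is only as strong as the PIN, whatever the cipher's key size. The sketch assumes the key is derived with PBKDF2-HMAC-SHA256, which the page does not state; the function names and sample secrets are constructed.

```python
import hashlib
import math
import string
import time

AES_KEY_BITS = 256  # key size quoted in the thread

# Character pools a simple strength meter checks for (printable ASCII only).
POOLS = (string.digits, string.ascii_lowercase,
         string.ascii_uppercase, string.punctuation + " ")


def candidates(secret: str) -> int:
    """How many secrets share this one's length and character pools."""
    if any(not any(c in p for p in POOLS) for c in secret):
        raise ValueError("this sketch only models printable ASCII")
    alphabet = sum(len(p) for p in POOLS if any(c in p for c in secret))
    return alphabet ** len(secret)


def effective_bits(secret: str) -> float:
    """Upper bound on key strength: cipher key size or the secret's search
    space, whichever is smaller. Assumes uniformly random characters, so
    human-chosen secrets are weaker than the figure returned."""
    return min(AES_KEY_BITS, math.log2(candidates(secret)))


def worst_case_seconds(secret: str, derivations_per_second: float) -> float:
    """Time to derive a key from every candidate at the given rate."""
    return candidates(secret) / derivations_per_second


def measured_rate(iterations: int, samples: int = 3) -> float:
    """PBKDF2-HMAC-SHA256 derivations per second on this machine.
    PBKDF2 is an assumption; the page does not name the KDF."""
    start = time.perf_counter()
    for i in range(samples):
        hashlib.pbkdf2_hmac("sha256", str(i).encode(), b"constructed-salt", iterations)
    return samples / (time.perf_counter() - start)


if __name__ == "__main__":
    rate = measured_rate(iterations=100_000)
    # Both secrets below are constructed samples.
    for label, secret in (("4-digit PIN", "4821"), ("15-char string", "q7#Vm2!xLp9@Zr4")):
        print(f"{label}: {effective_bits(secret):.1f} bits, "
              f"{worst_case_seconds(secret, rate):.3g} s to try every candidate")
```

A key-stretching function multiplies the cost of each guess, but it cannot add search space: a numeric 4-digit secret never exceeds about 13 bits regardless of the 256-bit cipher behind it.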
forsure
Posted 6:15 AM 17/9/08
First, keep in mind that they (and every other plugin installed in your browser) ALREADY have access to any password you have stored in Firefox if they really want to get at it (assuming your passwords are not protected by a master password as is the case for most people).
Second, the only way this should even be considered is if the resulting data containing your passwords is sent to their system as an encrypted file and only unencrypted at the user side of the connection.