Current Version plugins

Firefox's Password Manager has a flaw, but it will be fixed

You may save passwords in the Mozilla Firefox web browser; the functionality is enabled by default, and you are prompted to do so when Firefox recognizes that you typed a username and password to sign in.

Firefox users may enable a master password to protect the passwords with encryption so that local actors may not just access the password database. You control password storage on about:preferences#privacy.

If you don’t want Firefox to save passwords, you just uncheck “Remember logins and passwords for websites” and that is that. To set up a master password, check the box “use a master password” and follow the wizard to make use of encryption to save your passwords.

firefox master password

Adblock Plus mastermind Wladimir Palant analyzed Firefox’s master password code recently and discovered that the master password implementation in Firefox and other products that share code with Firefox such as Thunderbird, has a weakness.

However, when I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here.

While Firefox’s implementation is speedy, it at the same time makes brute forcing the master password speedy as well. Palant suggests that attackers could compute up to 8.5 billion SHA-1 hashes per second using a single Nvidia GTX 1080 video card and that it would take about a minute to crack average master passwords because of that.

While stronger passwords would extend the time it takes to attack the master password, attackers with enough time or resources would eventually be able to crack most master passwords that are in use.

The master password does protect against unsophisticated attempts to access the password database, however.

A bug was added to Mozilla’s Bugzilla website nine years ago that highlighted the issue. Justin Dolske’s suggestion back then was to increase the iteration count to increase the time it takes to run brute force attacks against the master password of Firefox.

A higher iteration count would make this more resistant to brute forcing (by increasing the cost of testing password), the PKCS#5 spec suggests a “modest value” of 1000 iterations. And that was 10 years ago. 🙂

Palant posted a message to the bug which revived it from limbo. Several Mozilla employees and developers replied, and it looks as if the issue will be handled after all.

Robert Relyea suggested to change the iteration count to address the issue. This would improve the security of the master password without affecting stored passwords in the database.

Mozilla launched an alpha of Lockbox, a new password manager for Firefox, recently. The organization released the alpha as a browser extension for testing purposes but Lockbox could replace the default password manager of the Firefox browser eventually.

One core difference between the current password manager of Firefox and Lockbox is the reliance on a Firefox account of the latter.

Closing Words

So, what should you do if you use Firefox’s default password manager and have set up a master password? Most Firefox users probably don’t have to worry about the issue as they won’t encounter situations where someone will brute force the master password.

Those concerned about the issue may increase the length of the master password or switch to a different password manager for the meantime.

My personal favorite is KeePass, a desktop password manager, but you can use online solutions such as LastPass as well if you need easier syncing.

Now You: Do you use Firefox’s password manager? (via Bleeping Computer)

Related articles

Ghacks needs you. You can find out how to support us here or support the site directly by becoming a Patreon. Thank you for being a Ghacks reader. The post Firefox’s Password Manager has a flaw, but it will be fixed appeared first on gHacks Technology News.


Leave a Comment

Your email address will not be published. Required fields are marked *

Menu Title