Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says (bleepingcomputer.com) 65
Catalin Cimpanu, writing for BleepingComputer: For at past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."
On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on). On Gnome (Linux) I believe you can do the same thing with Gnome’s keychain manager. And certainly tools like LastPass will integrate with the browser.
Don’t get me wrong - Firefox should fix this. But you don’t need to rely on their built-in password vault.
There's good reason to not use the Windows one. Personally I don't want the FF master password to be blown away by domain admin password reset.
link for this add-on? Firefox Quantum doesn't interact with the Mac OS Keychain, and the old add-on is incompatible with Quantum.
You're right. While Firefox was my main browser for a long time, I mostly stopped using it a few years ago - I didn't think about the fact that their recent Quantum reboot basically killed off most of their add-ons (even those they'd started including by default).
It also killed off support of the Gnome keyring.
Another reason I'm glad I moved on...
It is worth noting that Firefox's Extended Support Release (ESR) channel [mozilla.org] is still using the previous engine (version 52), and supports all the "old" add-ons.
If you're not already on ESR, it might be worth moving over there while you evaluate whether it makes any sense to continue being a Firefox user.
PCI-DSS allows SSL traffic to be monitored.
Actually it probably forbids SSL, as it's an old, weak encryption standard. TLS is where it's at now.
SSL no, TLS yes, monitoring yes, logging no (Score:2)
You are correct, SSL is a PCI fail. As is TLS 1.0. TLS 1.1 is frowned upon but it won't make you fail PCI.
Real-time analysis of TLS traffic is okay. GP said it was LOGGED. That's probably a fail, because the logs probably aren't secured enough.
Last time I looked at the Firefox password storage, it was entirely in process, so a compromise of one tab could dump your entire password store. In contrast, the macOS keychain daemon is a separate process and the browser must request each password individually. In Safari (and, I think, Chrome), this is done by the parent process of the renderer processes, which also checks the domain associated with the renderer. If you compromise a tab, you can request all credentials associated with that domain. If
I never have used any password manager. Just the name should be sufficient to scare you off.
What this means? (Score:2, Informative)
So just to be clear.
You'd still need to brute force crack one the hard way, with no rainbow tables, or finding a hash collision, but once you find one, you know the master password for all.
The problem is "hard way" is an incorrect description.... the SHA1 hash algorithm is not computationally expensive, as it is not intended for deriving a a key from a password in order to "stretch" the key strength and protect the password.
Brute forcing the password protected by only SHA1 is an _easy_ process and can be GPU accelerated to approximately 8.5 Billion hash ops per second on a GTX 1080, and a reference system with 8 of the nVIDIA GPUs can do SHA1 brute forcing at
Yeah it least it's password manager doesn't involve uploading it as clear text to Google's servers like Chrome's does
1) Using SHA-1 in this day and age; and
There is nothing wrong with use of SHA-1 in this context based on publically available information about shortcomings of SHA-1.
In fact, even MD5 hasn't been broken for this use case. Pre-image attacks are very hard to pull off.
In this context, the SHA-1 hash only has one iteration.
In 2010, it only cost $2.10 to crack a 6 char password in an EC2 instance.
https://www.geek.com/news/rese... [geek.com]
Since then hardware has become much faster. Today's GPU's can do several billion hashes per second.
There have also been more advances made in brute forcing SHA-1
https://nakedsecurity.sophos.c... [sophos.com]
Cleartext attack / Password reuse (Score:2)
But Firefox isn't using SHA-1 as a password hash; it's being used to generate deterministic noise for generating an encryption key, at which point the hash is thrown away. So if you generate billions of hashes that won't help you because you don't have the original hash to compare against.
Until you find a situation where you at least know 1 password stored in a database (stolen through other channels - e.g.: one of the webserver database leaks mentionned regularily on haveibeenpwnd.com) or rely on password reuse (there's bound to be at lest 2x the same entry over the whole password data base).
At that point, the idea is to brute force the master password, until either two entries decrypts to the same content or until at one entry in the data base matches the 1 clear password you know.
Tinfoil suspect level 10000 (Score:2)
Correct me if i'm wrong. But shouldn't a main stream browser like firefox be using something that actually could be considered even remotely secure for the mother password of all your other passwords? It sounds almost intentional, if not exceedingly negligent. And after nine years and it's now only coming to light? Something doesn't sound right.
Firefox and its support for passwords?
Users like an OS/browser filling in their most enjoyed sites so they can get to content without having to enter in a lot of different passwords every day.
Thats a lot of trust.
Golden rule (Score:2)
More accurate Golden rule for tech security is this: If it makes your tech life convenient, then it is NOT secure.
And thus . . . (Score:2)
why I never save my passwords in any browser.
Yet another overblown claim, again (Score:5, Insightful)
So what? Yes, SHA-1 is a bit dated and is definitely not future-proof, but so far only second image type of attack has been shown for it (and it took immense amount of computational resources), and reversing is still not practically possible. Heck, even MD5 would be sort of OK for personal use (no one keeps, or, is ought to keep, top-secret passwords in browser anyway).
The fact that Firefox still uses SHA-1 just means that it's time (OK, it's time for 2—8 years already) to move to more secure hashes, nothing more.
Is it a remote exploit? (Score:4, Funny)
More likely to be used by roommates, spouses and cohabitating couples than by Russian hackers.
Is the fix to this vulnerability to get a slower machine?
Amplification schemes are worth much (Score:5, Insightful)
Exponents protect secrets.
Factors are window dressing designed to make things look nice.
I personally think everyone should use amplification because it really does make guessing more difficult with no substantive downsides.
Yet at the same time to conclude failure to use amplification means "poorly secured" is comically wrong.
The fact operations are repeated thousands of times over always elicits those who bring up obvious point really takes x times more resources to obtain a result.
Yet it is not so clear what the relevance is. So what if it takes a day vs a few minutes or months vs few hours or the difference between doing it yourself vs farming the job out to thousands or millions of processors?
At the end of the day calculus is not significantly changed regardless of whether amplification is used or not.
1. Those with low entropy keys should be worried.
2. Those with high entropy keys are better off finding something else to worry about.
The more bits you add to the search space more worthless amplification schemes look in comparison.
And what is the problem with that? (Score:5, Interesting)
SHA1 is not broken for this use. If the password is weak, you could brute-force it, sure. But then the user already has a problem. If the password is strong, then this is perfectly secure. Of course, using Argon 2 would be better, bit if the password is really weak, that can only do so much to make it more secure.
Oh noes! (Score:1)
While SHA1 is dated, yes, it's still better than let's say Pidgin - which stores all passwords plaintext inside the account XML file.
I'm sure lots of people that use it have it connected with their google account as well. (Insecure accounts boo hiss enabled and all that guff)
Don't store critical data in browsers (Score:2)
Browsers are the front line application that is the first to be hit by any malicious software out there. That means it should be considered the LEAST secure, and treated accordingly.
Having a password manager is good, but it HAS to be kept external to the browser, so if the browser is compromised (or it does something moronic like autofilling fake login forms), then it can't compromise sensitive data along with it.
