date 2018-03-18
Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says (bleepingcomputer.com) 19
Catalin Cimpanu, writing for BleepingComputer: For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."
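The derivation described in the summary, set beside an iterated key-derivation function, as an added example (not Mozilla's or NSS's code, and not part of the original post). The function names, the salt-then-password concatenation order, and the choice of PBKDF2-HMAC-SHA256 with 100,000 iterations are assumptions made for the comparison; the salt defeats precomputed tables, but only the iteration count raises the cost of each guess.

```python
import hashlib
import os
import time

ITERATIONS = 100_000  # assumed work factor for the comparison, not a value from the article


def weak_key(salt: bytes, master_password: bytes) -> bytes:
    """One SHA-1 pass over salt + password: each guess costs a single hash."""
    return hashlib.sha1(salt + master_password).digest()


def stretched_key(salt: bytes, master_password: bytes,
                  iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA256: each guess costs `iterations` chained HMAC calls."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations, dklen=32)


def seconds_per_guess(derive, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of one derivation, i.e. one password guess."""
    start = time.perf_counter()
    for i in range(rounds):
        derive(salt, b"candidate-%d" % i)
    return (time.perf_counter() - start) / rounds


def cost_ratio(salt: bytes) -> float:
    """How many times more expensive one guess is under the stretched KDF."""
    weak = seconds_per_guess(weak_key, salt, rounds=20_000)
    strong = seconds_per_guess(stretched_key, salt, rounds=3)
    return strong / weak


if __name__ == "__main__":
    salt = os.urandom(20)  # constructed sample salt
    print("SHA-1 key:  ", weak_key(salt, b"correct horse").hex())
    print("PBKDF2 key: ", stretched_key(salt, b"correct horse").hex())
    print("per-guess cost ratio: %.0fx" % cost_ratio(salt))
```

The printed ratio depends on the machine, but it tracks the iteration count: the stretched derivation makes every candidate password that many times more expensive to test.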
Sounds ok so far. (Score:1)
Third-party for the win (Score:2)
On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on). On Gnome (Linux) I believe you can do the same thing with Gnome’s keychain manager. And certainly tools like LastPass will integrate with the browser.
Don’t get me wrong - Firefox should fix this. But you don’t need to rely on their built-in password vault.
Re: (Score:2)
Link for this add-on? Firefox Quantum doesn't interact with the Mac OS Keychain, and the old add-on is incompatible with Quantum.
What this means? (Score:1)
So just to be clear.
You'd still need to brute force crack one the hard way, with no rainbow tables, or finding a hash collision, but once you find one, you know the master password for all.
Tinfoil suspect level 10000 (Score:2)
Correct me if I'm wrong. But shouldn't a mainstream browser like Firefox be using something that actually could be considered even remotely secure for the mother password of all your other passwords? It sounds almost intentional, if not exceedingly negligent. And after nine years it's only now coming to light? Something doesn't sound right.
Golden rule (Score:2)
And thus . . . (Score:2)
why I never save my passwords in any browser.
Yet another overblown claim, again (Score:1)
So what? Yes, SHA-1 is a bit dated and is definitely not future-proof, but so far only a second image type of attack has been shown for it (and it took an immense amount of computational resources), and reversing is still not practically possible. Heck, even MD5 would be sort of OK for personal use (no one keeps, or ought to keep, top-secret passwords in a browser anyway).
The fact that Firefox still uses SHA-1 just means that it's time (OK, it's time for 2—8 years already) to move to more secure hashes,