For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature.
Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client.
Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer.

But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced.
Master password encryption uses low SHA1 iteration count
"I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."
"Anybody who ever designed a login function on a website will likely see the red flag here," Palant says.
The flag Palant is referring to is that the SHA-1 function has an iteration count of 1, meaning it is applied just once. Industry practice regards 10,000 as a solid minimum for this value, and applications like LastPass use values of 100,000.
This low iteration count makes it incredibly easy for an attacker to brute-force the master password and later decrypt the encrypted passwords stored inside the Firefox or Thunderbird databases.
Palant points to recent advances in GPU card technologies that now allow attackers to brute-force simplistic master passwords in under a minute.
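To make the iteration-count gap concrete, the following added example (not code from the article, Palant, or NSS) compares the per-guess cost of a single SHA-1 pass over salt plus password, modelled on the article's description of sftkdb_passwordToKey(), with an iterated derivation at the 10,000 and 100,000 counts mentioned above. PBKDF2-HMAC-SHA1 is used here as a stand-in for an iterated scheme, and the function names, salt and password are constructed for illustration.

```python
import hashlib
import math
import os
import time

def single_pass_sha1_key(salt: bytes, password: bytes) -> bytes:
    """One SHA-1 pass over salt || password (iteration count 1).
    Simplified model of the scheme the article describes, not NSS's code."""
    return hashlib.sha1(salt + password).digest()

def stretched_key(salt: bytes, password: bytes, iterations: int) -> bytes:
    """Iterated derivation (PBKDF2-HMAC-SHA1, an assumption chosen for
    illustration): every guess costs `iterations` chained rounds."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)

def added_work_bits(iterations: int) -> float:
    """Extra guessing cost the iteration count buys, in bits (log2 of the count)."""
    return math.log2(iterations)

def seconds_per_guess(derive, repeats: int) -> float:
    """Average wall-clock time of one key derivation on this machine."""
    start = time.perf_counter()
    for _ in range(repeats):
        derive()
    return (time.perf_counter() - start) / repeats

def compare(password: bytes, salt: bytes, counts=(10_000, 100_000)):
    """Return (label, seconds per guess, added bits) for each setting."""
    rows = [("SHA-1 x1",
             seconds_per_guess(lambda: single_pass_sha1_key(salt, password), 1000),
             0.0)]
    for n in counts:
        rows.append((f"PBKDF2 x{n}",
                     seconds_per_guess(lambda n=n: stretched_key(salt, password, n), 3),
                     added_work_bits(n)))
    return rows

if __name__ == "__main__":
    salt = os.urandom(20)                    # constructed sample salt
    master = b"constructed-master-password"  # constructed sample password
    for label, secs, bits in compare(master, salt):
        print(f"{label:16s} {secs * 1e6:12.1f} us/guess  (+{bits:.1f} bits)")
```

The salt stops precomputed tables from being reused across users, but it does nothing to slow down guessing against one stolen database; only the iteration count (or a memory-hard function) raises the per-guess cost.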
Issue first reported nine years ago
But Palant wasn't the first to notice this weakness. A Mozilla bug tracker entry by Justin Dolske from nine years ago reported the same issue, soon after the master password feature's launch.
Dolske also pointed to the low iteration count of 1 as the master password's main problem. But despite the report, Mozilla did not take any official action for years.
It was only this past week, when Palant revived the original bug report, that Mozilla finally provided an official answer, suggesting this would be fixed with the launch of Firefox's new password manager component, currently codenamed Lockbox and available as an extension.

Using a master password is much better than the alternative of not using one. For the time being, choosing longer and more complex master passwords mitigates the feature's inherent weak encryption scheme. Users who want to be sure nobody can touch their web passwords should use a third-party password manager application.
The optimum solution, according to Palant, would be for Mozilla engineers to employ the Argon2 library for hashing passwords instead of SHA1.
Comments
LwnOEukX-r1 - 5 days ago
I used this function for a couple years. With a 50-character password, but still, this is bonkers, pants-on-head stupid.
Is there a way to increase the iterations, maybe via an about:config entry? The alpha Lockbox add-on does no one any good at the moment.
SuperSapien64 - 5 days ago
This is why I use Keepass2 as my password manager.
LwnOEukX-r1 - 4 days ago
I also use KeePass 2.x, and used it to generate the 50-char password. But still, this is such a badly overlooked issue I am surprised no one has really made a stink about it until now. Forget increasing Quantum's rollout or improvements, this is more serious.
SuperSapien64 - 4 days ago
Regardless, there's no excuse for Mozilla to ignore this issue for so long.
the_moss_666 - 5 days ago
This is negligence. But still, passwords were not less secure than without master password (password is susceptible to classic, a little bit slower bruteforce). At least there it uses SALT to prevent dictionary attacks. Main purpose of master password is remembering one strong to very strong password instead of many average or weak passwords without needing third party solution.
Mozilla, please, fix it...
CyberShadow - 4 days ago
With a 50-character password, you should be OK (unless it was 50 'a's or such).
Each character added to the password roughly corresponds to 2 digits of a hash function's iteration count. I.e. a strong 50-character password with a hash iteration count of 1 roughly corresponds to a strong 47-character password with a hash iteration count of 1'000'000.
(Explanation: considering an alphabet consisting of printable ASCII characters, each character makes the password 96 times more difficult to crack. The hash iteration count affects the difficulty directly, and 96 is pretty close to 100.)
ChaNicolsen - 5 days ago
Then I'd better use a password manager browser extension. Any recommendation?
victor_vhv - 5 days ago
I was a Lastpass user, but after concerns about their infrastructure (news about hacks and/or vulnerabilities) I switched to enpass.
Sisyphe - 5 days ago
I made Clavem for my personal use half a year ago and use it for all my passwords since.
It will generate the same password for any triplet of user + website + password.
So there is no need for the generated password to be stored anywhere.
Enter the same triplet again and you will retrieve your password.
Your password is never stored anywhere. Feel free to review the source code, it's open source.
I just hope it will be useful to other than me ;)
Website: https://clavem.gitlab.io/
Source: https://gitlab.com/clavem/clavem.gitlab.io
Firefox addon: https://addons.mozilla.org/en-US/firefox/addon/clavem/
Android app: https://gitlab.com/clavem/clavem.gitlab.io/-/jobs/artifacts/master/download?job=android
Chrome/Firefox addon: https://gitlab.com/clavem/clavem.gitlab.io/-/jobs/artifacts/master/download?job=firefox
CLI: https://www.npmjs.com/package/clavem-cli
Plink0Plonk - 5 days ago
Used it only for direct access to my computer e.g. at work. If someone needs something from my machine and opens my default browser, going to site X doesn't automatically log her/him in with my account, or going into the settings doesn't directly reveal all passwords.
Switched to Bitwarden, still using MP for other data/sync, connected devices, etc.
palant - 5 days ago
The article is wrong in one point: there was no "official answer" suggesting that Lockbox would be the solution. It's merely a Mozillian thinking out loud. Yet Lockbox security is currently tied to security of Firefox Accounts which has its own issues (see https://palant.de/2018/03/13/can-chrome-sync-or-firefox-sync-be-trusted-with-sensitive-data). With Robert Relyea there is somebody commenting in that bug who actually seems to have experience with NSS and he wants to increase the iteration count.