Slashdot Mirror


Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."

74 comments

  1. Sounds ok so far. by SDFanboy · · Score: 0

    See subject.

  2. Third-party for the win by 93+Escort+Wagon · · Score: 4, Insightful

    On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on). On Gnome (Linux) I believe you can do the same thing with Gnome’s keychain manager. And certainly tools like LastPass will integrate with the browser.

    Don’t get me wrong - Firefox should fix this. But you don’t need to rely on their built-in password vault.

    --
    #DeleteChrome
    1. Re:Third-party for the win by Anonymous Coward · · Score: 0

      Isn't this because Mac OS and Linux both have (sane) OS level keychains, while on Windows there isn't really an OS level one to use, forcing Firefox and others to roll their own?

      Looking it up, Mac OS has had a proper keychain since OS8.

    2. Re: Third-party for the win by Anonymous Coward · · Score: 0

      Windows has a proper one. Firefox rolls their own shit for some reason

    3. Re: Third-party for the win by Anonymous Coward · · Score: 4, Insightful

      There's good reason to not use the Windows one. Personally I don't want the FF master password to be blown away by domain admin password reset.

    4. Re:Third-party for the win by beckett · · Score: 1

      On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on)

      link for this add-on? Firefox Quantum doesn't interact with the Mac OS Keychain, and the old add-on is incompatible with Quantum.

    5. Re:Third-party for the win by 93+Escort+Wagon · · Score: 2

      You're right. While Firefox was my main browser for a long time, I mostly stopped using it a few years ago - I didn't think about the fact that their recent Quantum reboot basically killed off most of their add-ons (even those they'd started including by default).

      It also killed off support of the Gnome keyring.

      Another reason I'm glad I moved on...

      --
      #DeleteChrome
    6. Re:Third-party for the win by 93+Escort+Wagon · · Score: 3, Insightful

      It is worth noting that Firefox's Extended Support Release (ESR) channel is still using the previous engine (version 52), and supports all the "old" add-ons.

      If you're not already on ESR, it might be worth moving over there while you evaluate whether it makes any sense to continue being a Firefox user.

      --
      #DeleteChrome
    7. Re:Third-party for the win by Anonymous Coward · · Score: 0

      I think that the fact that they keep their security creds separate as opposed to relying on the OS is a good thing. One place I worked at, I found they were doing a stealth MITM with all traffic heading through an appliance, where the workplace denied it. Had I not noticed the MITM appliance's root key being foisted on me in Firefox and let people know, it likely would have resulted in a breach, since the SSL traffic was not supposed to be logged, due to PCI-DSS rules.

      This doesn't mean they get a free pass on piss-poor security. Encrypting stuff in a DB is pretty trivial, and doing it right takes almost the same amount of effort as doing it wrong.

    8. Re:Third-party for the win by viperidaenz · · Score: 1

      PCI-DSS allows SSL traffic to be monitored.

      Actually it probably forbids SSL, as it's an old, weak encryption standard. TLS is where it's at now.

    9. Re:Third-party for the win by Anonymous Coward · · Score: 0

      Caught in a lie.

      You stopped using it a few years ago but claim it now uses the Keychain as the default? My advice to you is to stop commenting on things you know little to nothing about.

    10. Re:Third-party for the win by Anonymous Coward · · Score: 0

      Makes me glad that I've never used a browser's password manager. Always 3rd-party (currently Keepass). Works well for all websites except Amtrak (which refuses to allow pasting a password into the field - requires manual entry).

    11. Re:Third-party for the win by ls671 · · Score: 1

      I never have used any password manager. Just the name should be sufficient to scare you off.

      --
      Everything I write is lies, read between the lines.
    12. Re:Third-party for the win by EelcoV · · Score: 1

      MacOS using the system keychain? I wish it were true. But it isn't. See bug 106400 [https://bugzilla.mozilla.org/show_bug.cgi?id=106400].

    13. Re: Third-party for the win by Anonymous Coward · · Score: 0

      But who is getting copies of the Windows keychain passwords? Local admins, domain admins, Microsoft, Microsoft's customers?

    14. Re:Third-party for the win by TheRaven64 · · Score: 1

      What's the Linux one? Android has secure credentials storage, but I've not seen anything standard on other *NIX systems. The Mac / iOS one is built on Mach IPC and so can implement very fine-grained access control (e.g. set per-application access to each item and require you to re-authorise an application if its binary or shared library dependencies change). Windows provides primitives for this (and has for the entire NT series) but I don't know if anyone has used them to build a sensible credentials manager (MS appears to have added one in 8.1, but I didn't look in any detail).

      --
      I am TheRaven on Soylent News
    15. Re:Third-party for the win by TheRaven64 · · Score: 1

      Last time I looked at the Firefox password storage, it was entirely in process, so a compromise of one tab could dump your entire password store. In contrast, the macOS keychain daemon is a separate process and the browser must request each password individually. In Safari (and, I think, Chrome), this is done by the parent process of the renderer processes, which also checks the domain associated with the renderer. If you compromise a tab, you can request all credentials associated with that domain. If you navigate to another domain, you will (usually) get a new renderer process, which should not inherit the compromise.

      Rolling your own security when the OS provides the required functionality is almost always the wrong choice, unless you're employing better security engineers than the OS vendor. In Mozilla's case, this isn't true. Apple, Google, and Microsoft all shipped browsers that were split into multiple sandboxed processes before Mozilla, which managed to take almost 10 years between the first mainstream web browser adopting this model and Firefox doing the same.

      --
      I am TheRaven on Soylent News
    16. Re:Third-party for the win by Anonymous Coward · · Score: 0

      There are cases where you want to roll your own security, even if it is relatively pathetic. For example, an iOS app I am looking at writing uses its own OpenSSL libraries to encrypt backups that go to iCloud if the user wants a second layer of protection from the OS. This is to provide protection in case the OS encryption is bypassed by some utility. My implementation, if I do it properly, should provide a decent, secondary barrier to attack.

      The OS may be trustworthy, but might as well pack your own parachute. Same reason why I use VeraCrypt instead of BitLocker, as VeraCrypt has far smaller an attack surface than an OS, and fewer people/governments which have control over the utility.

    17. Re:Third-party for the win by Anonymous Coward · · Score: 0

      Using a password store is just asking for trouble. Better a forgotten password than all accounts get hacked.

  3. What this means? by Anonymous Coward · · Score: 2, Informative

    So just to be clear.

    You'd still need to brute force crack one the hard way, with no rainbow tables, or finding a hash collision, but once you find one, you know the master password for all.

    1. Re: What this means? by Anonymous Coward · · Score: 0

      Yep, this isn't anything out of the ordinary. You could generate a strong salt randomly and protect access to the DB with the master password but there's nothing inherently better in that, except maybe you could argue you don't know any of the salt whereas currently implemented you know part of it.

    2. Re:What this means? by mysidia · · Score: 1

      The problem is "hard way" is an incorrect description.... the SHA1 hash algorithm is not computationally expensive, as it is not intended for deriving a key from a password in order to "stretch" the key strength and protect the password.

      Brute forcing the password protected by only SHA1 is an _easy_ process and can be GPU accelerated to approximately 8.5 Billion hash ops per second on a GTX 1080, and a reference system with 8 of the nVIDIA GPUs can do SHA1 brute forcing at 68 Billion SHA1 passwords per second with Hashcat.

    3. Re:What this means? by Anonymous Coward · · Score: 0

      8 GTX 1080 brute force

      68 Billion SHA1 passwords per second with Hashcat.

      Let's say 37 bits (of entropy, counting from 1) per second. At about 7 bits of entropy per character - upper and lower case, numbers, some characters - this is about 32*128^N for the number of characters in the password (I've assumed that N is at least 6). That's about 8.6 billion seconds for a 10 character password, and 0.14 trillion seconds for a 12 character password. I suspect they have a longer password.

    4. Re:What this means? by Anonymous Coward · · Score: 0

      about 8.6 billion seconds for a 10 character password,

      Isn't 8.6 billion seconds equal to 272.7 years? You mean 272 years for a 10 char passwd? I don't even think I will reach 72 years old, let alone 272.

    5. Re:What this means? by Anonymous Coward · · Score: 0

      I think your math is incorrect somewhere. I see about 93 characters in mix, upper + lower (52), numbers (10), other printable characters (31) on a standard pc108.

      So the max permutations of those in a 10 character password is 93^10 = 48398230717929318249
      at 68 billion hashes per second that is only about 11 years (22 if they have to go hash them all) before colliding.
      93^10/2/68000000000/86400/365

      Guessing for the majority of people it's really only 72 in the mix (52 + 10 + the 10 chars above the numbers) which
      drops it down to about 1 year (323ish days). The good news is moving up to 11 characters pushes even 72 chars into the 60 year range or so.

      So the moral of the story is, use at least 12 chars (about 4.5k years) and you are good for the next millennium or so against straight up brute force. Though in reality advances in computers will bring that down quicker, but still reasonable protection for the time being.

  4. Just say no by Anonymous Coward · · Score: 0

    Considering the security track record and huge attack surface of the modern web browser, you'd be certifiably insane to use one as a password manager.

  5. Firefox sucks, say it isn't so. by Anonymous Coward · · Score: 0

    Of course, bleepingcomputer says so, extremely poorly. Par for the course.

    I blame msmash, who tries to be a hacker by writing stupid stuff on slashdot.

    1. Re: Firefox sucks, say it isn't so. by Carewolf · · Score: 1

      Yeah, at least its password manager doesn't involve uploading it as clear text to Google's servers like Chrome's does

    2. Re: Firefox sucks, say it isn't so. by Anonymous Coward · · Score: 0

      Source?

    3. Re: Firefox sucks, say it isn't so. by Carewolf · · Score: 1

      Source?

      Chromium source code. It is open source.

      It is also the only way it can work, since they don't control the validation mechanism of all the websites they are storing websites for they can't store a hash which is the usual strategy, so they have to have a full clear-text password for the password syncing to work. Additionally you can go to their service and SEE the passwords store, again demonstrating that Google has them in full clear-text.

  6. Ok, so the problems here are: by Anonymous Coward · · Score: 0

    1) Using SHA-1 in this day and age; and

    2) Using only one (guessing; cbf reading the article) hash round (compare to PBKDF2, which uses an arbitrarily-specifiable number, but usually over a few thousand, from memory)

    Also: how long is the salt value?

    1. Re:Ok, so the problems here are: by WaffleMonster · · Score: 2

      1) Using SHA-1 in this day and age; and

      There is nothing wrong with use of SHA-1 in this context based on publicly available information about shortcomings of SHA-1.

    2. Re:Ok, so the problems here are: by EMN13 · · Score: 1

      In fact, even MD5 hasn't been broken for this use case. Pre-image attacks are very hard to pull off.

    3. Re:Ok, so the problems here are: by viperidaenz · · Score: 2

      In this context, the SHA-1 hash only has one iteration.
      In 2010, it only cost $2.10 to crack a 6 char password in an EC2 instance.
      https://www.geek.com/news/rese...
      Since then hardware has become much faster. Today's GPU's can do several billion hashes per second.
      There have also been more advances made in brute forcing SHA-1
      https://nakedsecurity.sophos.c...

    4. Re:Ok, so the problems here are: by Anonymous Coward · · Score: 0

      But what does the iteration count have to do with this context? That's relevant when you're storing passwords as salted hashes. But Firefox isn't using SHA-1 as a password hash; it's being used to generate deterministic noise for generating an encryption key, at which point the hash is thrown away. So if you generate billions of hashes that won't help you because you don't have the original hash to compare against.

  7. Tinfoil suspect level 10000 by kaptink · · Score: 1

    Correct me if I'm wrong. But shouldn't a mainstream browser like Firefox be using something that actually could be considered even remotely secure for the mother password of all your other passwords? It sounds almost intentional, if not exceedingly negligent. And after nine years and it's now only coming to light? Something doesn't sound right.

    --
    Those who can, do. Those who cannot, sue.
    1. Re:Tinfoil suspect level 10000 by Anonymous Coward · · Score: 0

      The mainstream is what brought us PKI and a list of 650-odd blessed rootCAs. You were saying?

    2. Re:Tinfoil suspect level 10000 by Anonymous Coward · · Score: 0

      Uh, first you need direct physical access to the machine or equivalent pwn. Then you need to successfully brute force the PW, which may be weak or not depending on level of actual security concern by user_x.
      Sure, could everything in the world be more secure, yes, but what actual threat model are you trying to prevent against? Evil maid with brute force skills also? It's unlikely they'd get in this way if wanting in.

    3. Re:Tinfoil suspect level 10000 by Anonymous Coward · · Score: 0

      That evil maid could just install a keylogger and get all your passwords, not just the ones saved in firefox.

    4. Re:Tinfoil suspect level 10000 by AHuxley · · Score: 1

      Safari and the support and quality of Mac OS?
      Firefox and its support for passwords?
      Users like an OS/browser filling in their most enjoyed sites so they can get to content without having to enter in a lot of different passwords every day.
      That's a lot of trust.

      --
      Domestic spying is now "Benign Information Gathering"
    5. Re:Tinfoil suspect level 10000 by arglebargle_xiv · · Score: 2

      They would have fixed it years ago, but they were all occupied making Firefox look like a crap copy of Chrome and adding "features" no-one ever asked for or wanted.

    6. Re:Tinfoil suspect level 10000 by Anonymous Coward · · Score: 0

      Any malware can grab the hashed password, then send it home where his master would analyze and brute force it for fun and profit. No physical access needed.

    7. Re: Tinfoil suspect level 10000 by Carewolf · · Score: 2

      Any malware might as well install a keylogger then. You are assuming a compromised machine to argue it is compromised by this.

  8. Golden rule by fluffernutter · · Score: 1

    The golden rule of technology: Just because you can do it doesn't mean you should. This means more today than ever.

    --
    Laws are rules for the court, but merely a bottom bar to hit for life. Think beyond laws in your actions always.
    1. Re:Golden rule by Anonymous Coward · · Score: 1

      More accurate Golden rule for tech security is this: If it makes your tech life convenient, then it is NOT secure.

    2. Re:Golden rule by Anonymous Coward · · Score: 0

      Better phrased as, "security is always opposed to usability," or "security and usability are inversely proportional."

      For really secure computing, there's nothing like my Mark I Brick.

  9. And thus . . . by quonset · · Score: 1

    why I never save my passwords in any browser.

    1. Re:And thus . . . by Anonymous Coward · · Score: 0

      Fair enough. But what is your password strategy? KeePass? Sticky notes? Eidetic memory?

    2. Re: And thus . . . by Anonymous Coward · · Score: 0

      What's wrong with keepass? KISS, cross platform, small footprint, version control.... I don't have any complaints. Hell, I even trust the security

  10. Well, yeah? by Anonymous Coward · · Score: 0

    Browser password managers are AWFUL and were never any good.

  11. Yet another overblown claim, again by eSyr · · Score: 5, Insightful

    So what? Yes, SHA-1 is a bit dated and is definitely not future-proof, but so far only second image type of attack has been shown for it (and it took an immense amount of computational resources), and reversing is still not practically possible. Heck, even MD5 would be sort of OK for personal use (no one keeps, or ought to keep, top-secret passwords in browser anyway).

    The fact that Firefox still uses SHA-1 just means that it's time (OK, it's time for 2—8 years already) to move to more secure hashes, nothing more.

    1. Re:Yet another overblown claim, again by Anonymous Coward · · Score: 0

      The claim is "blown" the correct amount. A single round of SHA-1 as the key derivation function makes it incredibly easy (inexpensive) to brute force the master password. Dropping in a more modern secure hash like SHA-256 won't fix this type of problem, it needs to use a key derivation function that is designed to be computationally expensive.
      Like argon2, scrypt, bcrypt.
      MD5 sucks and is not sort of OK for personal use.

    2. Re:Yet another overblown claim, again by Anonymous Coward · · Score: 0

      You are misunderstanding the attack, and it sucks that the post has been modded up to 5.

      The problem is not the security of SHA-1. The problem is the SPEED of SHA-1 -- it is way too fast to generate SHA-1 hashes on modern hardware. Moving to a more cryptographically secure hash would NOT solve the problem and could make it worse, as some secure hashes are even faster.

    3. Re:Yet another overblown claim, again by Anonymous Coward · · Score: 0

      Or just make it 10,000 rounds of SHA1 and not just 1. I have seen some ransomware doing 10,000 or 20,000 rounds of sha1 or md5.

    4. Re:Yet another overblown claim, again by Anonymous Coward · · Score: 0

      You're arguing about the constant hidden in the big-O, here, when the only thing which makes brute-forcing possible is choosing a weak password.

      So the fix should be both moving to a stronger hash and preventing people from choosing weak passwords. This unfortunately is probably shooting yourself in the foot with respect to user experience, because many people want to be able to use weak passwords, because they don't care (either in an informed or uninformed way).

      Possibly a compromise would be to give the user an upper-bound on the time required to brute-force his chosen password on typical consumer hardware, and let him decide. This is not trivial, because it requires matching versus known dictionaries, etc.; in fact, it might not even be reasonable to try to compute that bound with reasonable accuracy.

  12. Is it a remote exploit? by 140Mandak262Jamuna · · Score: 3, Funny

    It looks more like someone with access to your machine, can write a script to brute force and find the master password and unlock all remaining passwords.

    More likely to be used by roommates, spouses and cohabitating couples than by Russian hackers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
    1. Re:Is it a remote exploit? by jimbolauski · · Score: 1

      Is the fix to this vulnerability to get a slower machine?

      --
      Knowledge = Power
      P= W/t
      t=Money
      Money = Work/Knowledge so the less you know the more you make
    2. Re:Is it a remote exploit? by Anonymous Coward · · Score: 0

      More likely to be used by roommates, spouses and cohabitating couples than by Russian hackers.

      I cohabitate with Russian hackers, you insensitive clod!

  13. Amplification schemes are worth much by WaffleMonster · · Score: 4, Insightful

    Exponents protect secrets.
    Factors are window dressing designed to make things look nice.

    I personally think everyone should use amplification because it really does make guessing more difficult with no substantive downsides.

    Yet at the same time to conclude failure to use amplification means "poorly secured" is comically wrong.

    The fact that operations are repeated thousands of times over always elicits those who bring up the obvious point that it really takes x times more resources to obtain a result.

    Yet it is not so clear what the relevance is. So what if it takes a day vs a few minutes or months vs few hours or the difference between doing it yourself vs farming the job out to thousands or millions of processors?

    At the end of the day calculus is not significantly changed regardless of whether amplification is used or not.

    1. Those with low entropy keys should be worried.

    2. Those with high entropy keys are better off finding something else to worry about.

    The more bits you add to the search space, the more worthless amplification schemes look in comparison.
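    As an added example (not from the thread, and not Mozilla's or NSS's code), one script that works through both the brute-force arithmetic of comment 3.5 and the exponent-versus-factor argument of comment 13: a model of the single-SHA-1 derivation the summary describes, a PBKDF2-stretched alternative, and the expected cracking time at the thread's 68 billion guesses per second. The function names, the sample salt and the 100,000 iteration count are assumptions chosen for the illustration.

```python
import hashlib
import math

# Constructed constant taken from the thread: 8x GTX 1080 doing ~68 billion SHA-1/s in hashcat.
SHA1_GUESSES_PER_SEC = 68e9
SECONDS_PER_YEAR = 86400 * 365  # the same 365-day year the comment's arithmetic uses


def single_round_key(master_password: bytes, salt: bytes) -> bytes:
    """Model of the scheme the summary describes: one SHA-1 over salt || master password.

    This follows the thread's description of sftkdb_passwordToKey(); it is an
    illustration, not NSS's actual code. One hash invocation per guess means an
    attacker pays exactly one SHA-1 per candidate password.
    """
    return hashlib.sha1(salt + master_password).digest()


def stretched_key(master_password: bytes, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hardened alternative: PBKDF2-HMAC-SHA256 with a tunable iteration count.

    Each guess now costs `iterations` HMAC computations instead of one hash.
    argon2/scrypt/bcrypt, named in the thread, additionally add memory cost;
    PBKDF2 is used here because it ships in the standard library.
    """
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations, dklen=32)


def expected_guesses(charset_size: int, length: int) -> float:
    """Average number of guesses for a uniformly random password: half the keyspace."""
    return charset_size ** length / 2


def years_to_crack(charset_size: int, length: int,
                   iterations: int = 1, rate: float = SHA1_GUESSES_PER_SEC) -> float:
    """Expected wall-clock years to guess a random password at `rate` guesses/s.

    `iterations` is the KDF work factor: it divides the effective guess rate.
    The estimate assumes a uniformly random password; dictionary-based or
    human-chosen passwords fall far faster than this bound suggests.
    """
    seconds = expected_guesses(charset_size, length) * iterations / rate
    return seconds / SECONDS_PER_YEAR


def password_bits(charset_size: int, length: int) -> float:
    """Entropy of a uniformly random password: length * log2(charset)."""
    return length * math.log2(charset_size)


def stretching_bits(iterations: int) -> float:
    """Key stretching multiplies attacker cost by a constant factor, which in
    entropy terms is worth only log2(iterations) bits: a factor, not an exponent."""
    return math.log2(iterations)


if __name__ == "__main__":
    # The comment's 93-character, 10-length estimate at a single SHA-1 per guess (~11 years).
    print(f"93^10, 1 round:     {years_to_crack(93, 10):10.1f} years")
    # Its 72-character keyboard subset at lengths 10, 11 and 12.
    for n in (10, 11, 12):
        print(f"72^{n}, 1 round:     {years_to_crack(72, n):10.1f} years")
    # Stretching to 100,000 iterations buys ~16.6 bits; three more random
    # characters from the 72-set buy ~18.5 bits, which is the thread's point
    # that exponents (length) beat factors (iterations).
    print(f"72^10, 100k rounds: {years_to_crack(72, 10, iterations=100_000):10.1f} years")
    print(f"100k iterations ~ {stretching_bits(100_000):.1f} bits; "
          f"3 extra chars ~ {password_bits(72, 3):.1f} bits")
    salt = b"constructed-salt"  # constructed sample input, not a real NSS salt
    print(single_round_key(b"correct horse", salt).hex())
    print(stretched_key(b"correct horse", salt).hex())
```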

  14. More stupid things with TB security: by Anonymous Coward · · Score: 0

    the only thing encrypted is the password. What email accounts you have, user names, subjects, recipients and contacts you send to are all unencrypted and readable. Only the password is encrypted... It's ridiculously bad.

  15. master password by Anonymous Coward · · Score: 0

    > using a master password in *any* browser

    whew lad

  16. And what is the problem with that? by gweihir · · Score: 5, Interesting

    SHA1 is not broken for this use. If the password is weak, you could brute-force it, sure. But then the user already has a problem. If the password is strong, then this is perfectly secure. Of course, using Argon 2 would be better, but if the password is really weak, that can only do so much to make it more secure.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
    1. Re:And what is the problem with that? by Anonymous Coward · · Score: 0

      Sure, as long as you define "weak" to be "less than 10 random characters, or less than about 5 dictionary words".

      Practically no one has a password strong enough to not be vulnerable to inverse SHA-1.

  17. Once again, poor results, sensationalism by Anonymous Coward · · Score: 0

    Ok - if someone has access to your machine, it's game over anyway. Brute forcing a password on a machine like this would require you to make your actions known to the user. Now, let's say you copied the stuff somewhere. It still takes time and effort. Bottom line, physical security is key. This is NOT an online attack vector. This is just some researcher reporting that the hashing is not secure and didn't bother to check the context for the problem. This is like saying that the hashing algorithm for local passwords is insecure because they can be brute forced. You're already at the physical system. Of course it can. That's why you use full disk encryption. Firefox local passwords being encrypted are a nice-to-have.

  18. Cleartext attack / Password reuse by DrYak · · Score: 1

    But Firefox isn't using SHA-1 as a password hash; it's being used to generate deterministic noise for generating an encryption key, at which point the hash is thrown away. So if you generate billions of hashes that won't help you because you don't have the original hash to compare against.

    Until you find a situation where you at least know 1 password stored in a database (stolen through other channels - e.g.: one of the webserver database leaks mentioned regularly on haveibeenpwnd.com) or rely on password reuse (there's bound to be at least 2x the same entry over the whole password data base).

    At that point, the idea is to brute force the master password, until either two entries decrypt to the same content or until one entry in the data base matches the 1 clear password you know.

    Of course it's much slower (every single entry in the database uses a different salt, so you need to iterate over the whole database every single time for every iteration of the brute force attack), so it's definitely not the situation of "brute force a 6 characters password for 2 dollars on EC2", but it's still within the realm of possibilities.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
  19. Oh noes! by Anonymous Coward · · Score: 1

    While SHA1 is dated, yes, it's still better than let's say Pidgin - which stores all passwords plaintext inside the account XML file.
    I'm sure lots of people that use it have it connected with their google account as well. (Insecure accounts boo hiss enabled and all that guff)

  20. SSL no, TLS yes, monitoring yes, logging no by raymorris · · Score: 1

    You are correct, SSL is a PCI fail. As is TLS 1.0. TLS 1.1 is frowned upon but it won't make you fail PCI.

    Real-time analysis of TLS traffic is okay. GP said it was LOGGED. That's probably a fail, because the logs probably aren't secured enough.

  21. Master password better than nothing, by Anonymous Coward · · Score: 0

    but I still figured I'd use a separate password manager just because I figured the FF one would be a bigger target.

  22. Don't store critical data in browsers by ilsaloving · · Score: 1

    Browsers are the front line application that is the first to be hit by any malicious software out there. That means it should be considered the LEAST secure, and treated accordingly.

    Having a password manager is good, but it HAS to be kept external to the browser, so if the browser is compromised (or it does something moronic like autofilling fake login forms), then it can't compromise sensitive data along with it.

    There are plenty of them out there, from 1Password to LastPass, it's just a matter of education and encouraging people to use these tools.

  23. Sounds good by OrangeTide · · Score: 1

    So I shouldn't let people have access to my computer?

    --
    “Common sense is not so common.” — Voltaire
  24. retcon superpowers by epine · · Score: 1

    But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced.

    To support the article title, the logically necessary claim is that it was easy to brute force nine years ago.

    Not that I would expect a security researcher able to improve on SHA1 to be pedantic about these kinds of "minor" details.