Slashdot Mirror


Firefox Master Password System Has Been Poorly Secured for the Past 9 Years, Researcher Says (bleepingcomputer.com)

Catalin Cimpanu, writing for BleepingComputer: For the past nine years, Mozilla has been using an insufficiently strong encryption mechanism for the "master password" feature. Both Firefox and Thunderbird allow users to set up a "master password" through their settings panel. This master password plays the role of an encryption key that is used to encrypt each password string the user saves in his browser or email client. Experts have lauded the feature because up until that point browsers would store passwords locally in cleartext, leaving them vulnerable to malware or attackers with physical access to a victim's computer. But Wladimir Palant, the author of the AdBlock Plus extension, says the encryption scheme used by the master password feature is weak and can be easily brute-forced. "I looked into the source code," Palant says, "I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password."


  1. Third-party for the win by 93+Escort+Wagon · · Score: 4, Insightful

    On Mac, the default Firefox behavior is now to use the system keychain (although that used to require an add-on). On Gnome (Linux) I believe you can do the same thing with Gnome’s keychain manager. And certainly tools like LastPass will integrate with the browser.

    Don’t get me wrong - Firefox should fix this. But you don’t need to rely on their built-in password vault.

    --
    #DeleteChrome
    1. Re: Third-party for the win by Anonymous Coward · · Score: 4, Insightful

      There's good reason to not use the Windows one. Personally I don't want the FF master password to be blown away by domain admin password reset.

    2. Re:Third-party for the win by 93+Escort+Wagon · · Score: 2

      You're right. While Firefox was my main browser for a long time, I mostly stopped using it a few years ago - I didn't think about the fact that their recent Quantum reboot basically killed off most of their add-ons (even those they'd started including by default).

      It also killed off support of the Gnome keyring.

      Another reason I'm glad I moved on...

      --
      #DeleteChrome
    3. Re:Third-party for the win by 93+Escort+Wagon · · Score: 3, Insightful

      It is worth noting that Firefox's Extended Support Release (ESR) channel is still using the previous engine (version 52), and supports all the "old" add-ons.

      If you're not already on ESR, it might be worth moving over there while you evaluate whether it makes any sense to continue being a Firefox user.

      --
      #DeleteChrome
  2. What this means? by Anonymous Coward · · Score: 2, Informative

    So just to be clear.

    You'd still need to brute force crack one the hard way, with no rainbow tables, or finding a hash collision, but once you find one, you know the master password for all.

  3. Yet another overblown claim, again by eSyr · · Score: 5, Insightful

    So what? Yes, SHA-1 is a bit dated and is definitely not future-proof, but so far only second image type of attack has been shown for it (and it took an immense amount of computational resources), and reversing is still not practically possible. Heck, even MD5 would be sort of OK for personal use (no one keeps, or ought to keep, top-secret passwords in browser anyway).

    The fact that Firefox still uses SHA-1 just means that it's time (OK, it's time for 2—8 years already) to move to more secure hashes, nothing more.

  4. Is it a remote exploit? by 140Mandak262Jamuna · · Score: 3, Funny

    It looks more like someone with access to your machine can write a script to brute force and find the master password and unlock all remaining passwords.

    More likely to be used by roommates, spouses and cohabitating couples than by Russian hackers.

    --
    sed -e 's/Chuck Norris/Rajnikant/g' joke > fact
  5. Amplification schemes are worth much by WaffleMonster · · Score: 4, Insightful

    Exponents protect secrets.
    Factors are window dressing designed to make things look nice.

    I personally think everyone should use amplification because it really does make guessing more difficult with no substantive downsides.

    Yet at the same time to conclude failure to use amplification means "poorly secured" is comically wrong.

    The fact operations are repeated thousands of times over always elicits those who bring up obvious point really takes x times more resources to obtain a result.

    Yet it is not so clear what the relevance is. So what if it takes a day vs a few minutes or months vs few hours or the difference between doing it yourself vs farming the job out to thousands or millions of processors?

    At the end of the day calculus is not significantly changed regardless of whether amplification is used or not.

    1. Those with low entropy keys should be worried.

    2. Those with high entropy keys are better off finding something else to worry about.

    The more bits you add to the search space, the more worthless amplification schemes look in comparison.

  6. Re:Ok, so the problems here are: by WaffleMonster · · Score: 2

    1) Using SHA-1 in this day and age; and

    There is nothing wrong with use of SHA-1 in this context based on publicly available information about shortcomings of SHA-1.

  7. And what is the problem with that? by gweihir · · Score: 5, Interesting

    SHA1 is not broken for this use. If the password is weak, you could brute-force it, sure. But then the user already has a problem. If the password is strong, then this is perfectly secure. Of course, using Argon 2 would be better, but if the password is really weak, that can only do so much to make it more secure.

    --
    Most ACs are not even worth the keystrokes to insult them. Be generically insulted by this and ignored otherwise.
  8. Re:Tinfoil suspect level 10000 by arglebargle_xiv · · Score: 2

    They would have fixed it years ago, but they were all occupied making Firefox look like a crap copy of Chrome and adding "features" no-one ever asked for or wanted.

  9. Re:Ok, so the problems here are: by viperidaenz · · Score: 2

    In this context, the SHA-1 hash only has one iteration.
    In 2010, it only cost $2.10 to crack a 6 char password in an EC2 instance.
    https://www.geek.com/news/rese...
    Since then hardware has become much faster. Today's GPUs can do several billion hashes per second.
    There have also been more advances made in brute forcing SHA-1
    https://nakedsecurity.sophos.c...
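
Added example (not part of the thread, and not Mozilla's code): the single-pass SHA-1 derivation the summary describes, next to an iterated derivation, with a cost model for the "exponents vs. factors" argument made above. The salt-then-password ordering, the PBKDF2 iteration count and the 5 billion hashes/second rate are assumptions chosen for illustration.

```python
import hashlib
import math
import os

def derive_single_sha1(salt: bytes, password: str) -> bytes:
    """One SHA-1 pass over salt || password (ordering assumed from the summary)."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()

def derive_stretched(salt: bytes, password: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256 over the same inputs; each guess costs `iterations` rounds."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

def effective_bits(entropy_bits: float, iterations: int) -> float:
    """Password entropy plus log2 of the per-guess work factor."""
    return entropy_bits + math.log2(iterations)

def expected_search_seconds(entropy_bits: float, iterations: int,
                            hashes_per_second: float) -> float:
    """Average time to cover half the password space at a raw hash rate."""
    guesses = 2 ** (entropy_bits - 1)
    return guesses * iterations / hashes_per_second

def cost_table(rate: float = 5e9, iterations: int = 100_000):
    """Rows of (bits, seconds unstretched, seconds stretched, effective bits).

    28 bits is roughly a 6-character lowercase password; rate and
    iteration count are constructed values, not measurements.
    """
    return [
        (bits,
         expected_search_seconds(bits, 1, rate),
         expected_search_seconds(bits, iterations, rate),
         effective_bits(bits, iterations))
        for bits in (28, 40, 60, 80)
    ]

if __name__ == "__main__":
    salt = os.urandom(16)  # constructed sample salt
    print("single SHA-1 key:", derive_single_sha1(salt, "example").hex())
    print("PBKDF2 key      :", derive_stretched(salt, "example", 100_000).hex())
    for bits, plain, stretched, eff in cost_table():
        print(f"{bits:>3} bits: {plain:10.3g} s unstretched, "
              f"{stretched:10.3g} s stretched (~{eff:.1f} effective bits)")
```

Stretching multiplies every row by the same constant (about 17 bits at 100,000 iterations), which matters most for the low-entropy rows and barely changes the verdict for the high-entropy ones.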

  10. Re: Tinfoil suspect level 10000 by Carewolf · · Score: 2

    Any malware might as well install a keylogger then. You are assuming a compromised machine to argue it is compromised by this.