Firefox's Password Manager has a flaw, but it will be fixed

Martin Brinkmann
Mar 19, 2018
Firefox
|
21

You may save passwords in the Mozilla Firefox web browser; the functionality is enabled by default, and you are prompted to do so when Firefox recognizes that you typed a username and password to sign in.

Firefox users may enable a master password to protect the passwords with encryption so that local actors may not just access the password database. You control password storage on about:preferences#privacy.

If you don't want Firefox to save passwords, you just uncheck "Remember logins and passwords for websites" and that is that. To set up a master password, check the box "use a master password" and follow the wizard to make use of encryption to save your passwords.

firefox master password

Adblock Plus mastermind Wladimir Palant analyzed Firefox's master password code recently and discovered that the master password implementation in Firefox and other products that share code with Firefox such as Thunderbird, has a weakness.

However, when I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here.

While Firefox's implementation is speedy, it at the same time makes brute forcing the master password speedy as well. Palant suggests that attackers could compute up to 8.5 billion SHA-1 hashes per second using a single Nvidia GTX 1080 video card and that it would take about a minute to crack average master passwords because of that.

While stronger passwords would extend the time it takes to attack the master password, attackers with enough time or resources would eventually be able to crack most master passwords that are in use.

The master password does protect against unsophisticated attempts to access the password database, however.

A bug was added to Mozilla's Bugzilla website nine years ago that highlighted the issue. Justin Dolske's suggestion back then was to increase the iteration count to increase the time it takes to run brute force attacks against the master password of Firefox.

A higher iteration count would make this more resistant to brute forcing (by increasing the cost of testing password), the PKCS#5 spec suggests a "modest value" of 1000 iterations. And that was 10 years ago. :)

Palant posted a message to the bug which revived it from limbo. Several Mozilla employees and developers replied, and it looks as if the issue will be handled after all.

Robert Relyea suggested to change the iteration count to address the issue. This would improve the security of the master password without affecting stored passwords in the database.

Mozilla launched an alpha of Lockbox, a new password manager for Firefox, recently. The organization released the alpha as a browser extension for testing purposes but Lockbox could replace the default password manager of the Firefox browser eventually.

One core difference between the current password manager of Firefox and Lockbox is the reliance on a Firefox account of the latter.

Closing Words

So, what should you do if you use Firefox's default password manager and have set up a master password? Most Firefox users probably don't have to worry about the issue as they won't encounter situations where someone will brute force the master password.

Those concerned about the issue may increase the length of the master password or switch to a different password manager for the meantime.

My personal favorite is KeePass, a desktop password manager, but you can use online solutions such as LastPass as well if you need easier syncing.

Now You: Do you use Firefox's password manager? (via Bleeping Computer)

Related articles

Summary
Firefox's Password Manager has a flaw, but it will be fixed
Article Name
Firefox's Password Manager has a flaw, but it will be fixed
Description
Adblock Plus mastermind Wladimir Palant analyzed Firefox's master password code recently and discovered that the master password implementation in Firefox and other products that share code with Firefox such as Thunderbird, has a weakness.
Author
Publisher
Ghacks Technology News
Logo
Advertisement

Tutorials & Tips


Previous Post: «
Next Post: «

Comments

  1. BabyWagon said on March 20, 2018 at 3:30 am
    Reply

    I don’t trust password manager built into browsers, Chrome, Firefox.
    WIth too many password and accounts, so I had to choose a password manager. KeePass is a little bit complicated to me and its concept “open-source” is less known to averaged users like me. So I just ran for more easy-to-use one, or good-looking one probably. Cyclonis Password Manager was recommended by a friend. Free but no ads, a little bit wired but it passed the antimalware and antivirus scan.

  2. Jessica said on March 19, 2018 at 7:43 pm
    Reply

    Lockbox is not planned to replace the current password manager. As to the master password, you shouldn’t use it because it has always been broken and is the feature that will eventually be replaced by something more useful in the future.

    1. Rick A. said on March 22, 2018 at 4:38 am
      Reply

      @Jessica – How has the Firefox Master Password always been broken? Any links you could provide please? i have never heard about it being broken and would like to know about it.

      Thanks in advance.

  3. John Fenderson said on March 19, 2018 at 4:29 pm
    Reply

    “Do you use Firefox’s password manager?”

    No. I don’t really trust any password manager built into any browser. But I wouldn’t use it even if I did, because I use multiple browsers in multiple places.

  4. vosie said on March 19, 2018 at 3:17 pm
    Reply

    “One core difference between the current password manager of Firefox and Lockbox is the reliance on a Firefox account of the latter.”

    There is the point. They want to force people to be dependent on the internet and a Firefox account. In other words, they replace the real offline, standalone password manager to a third party dependent, pseudo password manager feature.

    It’s one more reason in the long list why people should stay with Firefox 52 ESR or use Waterfox.

  5. Bobby Phoenix said on March 19, 2018 at 1:37 pm
    Reply

    So if a person uses the password manager, but doesn’t use a master password, how does this affect the regular passwords?

    1. Tom Hawack said on March 19, 2018 at 9:52 pm
      Reply

      Without a master password regular passwords are accessible as they would be with a forced master password.
      There are many tools on the market, such as Nirsoft’s ‘PasswordFox’ (for Firefox) : try it with and without your regular passwords protected by a master password and you’ll see the difference : the tool won’t read your passwords in the latter case.

      1. Rick A. said on March 22, 2018 at 4:35 am
        Reply

        @Tom Hawack – What is the main purpose of the Nirsoft Password Fox? The only thing i can think of is if say your OS won’t boot and you wanna scan the Drive with PasswordFox to recover your passwords.

      2. justaned said on March 19, 2018 at 10:21 pm
        Reply

        Thank you Mr. Hawack; duly noted.

    2. justaned said on March 19, 2018 at 2:23 pm
      Reply

      This is my question as well. I use the inbuilt password manager for a few websites, but not for ANYTHING financial. If it’s linked to finances in any way, it’s only on paper (or neuron).

  6. Anonymous said on March 19, 2018 at 11:23 am
    Reply

    Sorry but IMO I’m not sure someone having betrayed the spirit of the “open source” should be called “mastermind”.

    1. Tom Hawack said on March 19, 2018 at 3:31 pm
      Reply

      Intelligence can serve the best and the worst. From there on some may believe that serving the best is the only way for intelligence to make itself higher even. Imagine God and Lucifer playing Chess.

      Whatever the support all my passwords are 16-32 characters, letters capital or not, digits, custom. It should make the offenders’ dedicated time slightly less minimal. This remains cyber-fiction for plain, humble home users who’d have to have a companion both curious and talented to really reconsider their password policy. Most are curious, only :=)

      1. Jessica said on March 19, 2018 at 7:40 pm
        Reply

        @Tom Hawack The only real password complexity rule that the latest standards state is a minimum of 8 characters, nothing else. Hopefully, this will put an end to arbitrary password requirements that are placebo at best and dangerously counterproductive at worst.

      2. Anonymous said on March 19, 2018 at 4:38 pm
        Reply

        I have no imagination on that subject, I just know that “God and Lucifer” need advertising to exist. “Acceptable ads” by default was the backdoor both waited for.

  7. Stefan said on March 19, 2018 at 10:31 am
    Reply

    I use my brain for passwords.

    1. Slav said on March 20, 2018 at 4:09 am
      Reply

      The worst password manager

  8. DaveyK said on March 19, 2018 at 9:22 am
    Reply

    I use Sticky Password. You only need to pay if you want the cloud-sync functionality, and it supports a *lot* of browsers, including native support for Pale Moon, Opera, etc as well as the usual FF, Chrome. etc.

    1. dark said on March 19, 2018 at 7:26 pm
      Reply

      Its not open source.

  9. Anon_Prime said on March 19, 2018 at 8:04 am
    Reply

    I use KeePassXC https://keepassxc.org/project/

    Even if my password database gets stolen or someone knows my master password they won’t be able to open it without the key file.

    1. Dave said on March 19, 2018 at 3:14 pm
      Reply

      Everything can be cracked.

      1. Anon_Prime said on March 20, 2018 at 3:53 am
        Reply

        True but at least it’s better and more secure than any built-in browser password manager.

Leave a Reply

Check the box to consent to your data being stored in line with the guidelines set out in our privacy policy

We love comments and welcome thoughtful and civilized discussion. Rudeness and personal attacks will not be tolerated. Please stay on-topic.
Please note that your comment may not appear immediately after you post it.