‘Firefox uses flawed method to encrypt user passwords’


According to developer Wladimir Palant, the Firefox browser, along with email client Thunderbird, uses a flawed method of protecting user passwords. This problem has been around for nine years.

Palant, a developer at Adblock Plus, writes that Firefox users can store their account passwords in Firefox's built-in password manager. These can be protected with a master password. Palant writes in his blog post, “It is well known that storing passwords without a master password is essentially the same as storing them unencrypted.” The master password is used to encrypt the saved passwords, and Firefox does that in an insecure way, according to Palant.

He examined the source code and found that the master password is converted into an encryption key for the other passwords through a single iteration of SHA-1 with a salt. The problem is that this method offers little protection against an attacker who wants to brute-force the master password and thus gain access to the other passwords. That is quick if the user has chosen a weak master password. RaiderSec has previously published an analysis of Firefox’s method of securing local passwords.

The developer notes that the flaw was reported in Mozilla’s bug tracker nine years ago, but no action had been taken since then. Following his own comment, the discussion has been revived and Mozilla developers are working on it. The current proposal is to eventually raise the iteration count. Palant himself suggests using a different key-derivation algorithm, such as PBKDF2 or Argon2. Bleeping Computer, citing Palant’s blog post, reports that in the meantime users can choose a stronger master password or use a third-party password manager.
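To make the difference between the three approaches in the last two paragraphs concrete (one salted SHA-1 round, a raised iteration count, and PBKDF2), here is an added Python example that is not from Palant's post or from Mozilla's code: it derives a key each way, measures the cost of one derivation, and turns that into a worst-case search time for a given password shape. The salt, the concatenation order, the PBKDF2 parameters and the sample master password are all assumptions, not Firefox's real format.

```python
import hashlib
import time

# Constructed sample inputs; Firefox's real salt and layout are not modelled here.
SALT = b"constructed-16-byte-salt"
MASTER = b"correct horse"
SECONDS_PER_YEAR = 365 * 24 * 3600


def legacy_key(master: bytes, salt: bytes) -> bytes:
    """One salted SHA-1 round, as the article describes (salt||password order assumed)."""
    return hashlib.sha1(salt + master).digest()


def iterated_key(master: bytes, salt: bytes, iterations: int) -> bytes:
    """The 'higher iteration count' remedy: chain SHA-1 over its own output."""
    digest = salt + master
    for _ in range(iterations):
        digest = hashlib.sha1(digest).digest()
    return digest


def pbkdf2_key(master: bytes, salt: bytes, iterations: int = 600_000) -> bytes:
    """Palant's suggested alternative; HMAC-SHA-256 and 600k rounds are assumed parameters."""
    return hashlib.pbkdf2_hmac("sha256", master, salt, iterations, dklen=32)


def measure_cost(kdf, samples: int = 5) -> float:
    """Average wall-clock seconds for one derivation, i.e. one guess at the master password."""
    start = time.perf_counter()
    for _ in range(samples):
        kdf(MASTER, SALT)
    return (time.perf_counter() - start) / samples


def years_to_exhaust(seconds_per_guess: float, alphabet: int, length: int) -> float:
    """Single-core time to try every password of `length` symbols from an `alphabet`."""
    return (alphabet ** length) * seconds_per_guess / SECONDS_PER_YEAR


if __name__ == "__main__":
    variants = [
        ("single SHA-1", legacy_key),
        ("10k x SHA-1", lambda m, s: iterated_key(m, s, 10_000)),
        ("PBKDF2 600k", pbkdf2_key),
    ]
    for name, kdf in variants:
        cost = measure_cost(kdf)
        years = years_to_exhaust(cost, 26, 8)  # eight lowercase letters
        print(f"{name:13s} {cost * 1e6:10.1f} us/guess  -> {years:12.4f} years to exhaust")
```

The numbers are single-threaded Python timings, so they understate what purpose-built cracking hardware achieves, but the ratio between the rows is the point: the iteration count, not the hash choice alone, decides how much a weak master password is worth.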

Master Password in Firefox
