Login to your account

Username *
Password *
Remember Me

Create an account

Fields marked with an asterisk (*) are required.
Name *
Username *
Password *
Verify password *
Email *
Verify email *
Captcha *
Reload Captcha
January 17, 2019
Latest Cyber News, Help & Advice




EU e-Privacy Directive

This website uses cookies to manage authentication, navigation, and other functions. By using our website, you agree that we can place these types of cookies on your device.

View e-Privacy Directive Documents

You have declined cookies. This decision can be reversed.

Firefox's Password Manager has a flaw, but it'll be fixed

Written by  Mar 19, 2018

You may save passwords in the Mozilla Firefox web browser; the functionality is enabled by default, and you are prompted to do so when Firefox recognizes that you typed a username and password to sign in.

Firefox users may enable a master password to protect the passwords with encryption so that local actors may not just access the password database. You control password storage on about:preferences#privacy.

If you don't want Firefox to save passwords, you just uncheck "Remember logins and passwords for websites" and that is that. To set up a master password, check the box "use a master password" and follow the wizard to make use of encryption to save your passwords.

firefox master password

Adblock Plus mastermind Wladimir Palant analyzed Firefox's master password code recently and discovered that the master password implementation in Firefox and other products that share code with Firefox such as Thunderbird, has a weakness.

However, when I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here.

While Firefox's implementation is speedy, it at the same time makes brute forcing the master password speedy as well. Palant suggests that attackers could compute up to 8.5 billion SHA-1 hashes per second using a single Nvidia GTX 1080 video card and that it would take about a minute to crack average master passwords because of that.

While stronger passwords would extend the time it takes to attack the master password, attackers with enough time or resources would eventually be able to crack most master passwords that are in use.

The master password does protect against unsophisticated attempts to access the password database, however.

A bug was added to Mozilla's Bugzilla website nine years ago that highlighted the issue. Justin Dolske's suggestion back then was to increase the iteration count to increase the time it takes to run brute force attacks against the master password of Firefox.

A higher iteration count would make this more resistant to brute forcing (by increasing the cost of testing password), the PKCS#5 spec suggests a "modest value" of 1000 iterations. And that was 10 years ago. :)

Palant posted a message to the bug which revived it from limbo. Several Mozilla employees and developers replied, and it looks as if the issue will be handled after all.

Speed up your Mac now!

Robert Relyea suggested to change the iteration count to address the issue. This would improve the security of the master password without affecting stored passwords in the database.

Mozilla launched an alpha of Lockbox, a new password manager for Firefox, recently. The organization released the alpha as a browser extension for testing purposes but Lockbox could replace the default password manager of the Firefox browser eventually.

One core difference between the current password manager of Firefox and Lockbox is the reliance on a Firefox account of the latter.

Closing Words

So, what should you do if you use Firefox's default password manager and have set up a master password? Most Firefox users probably don't have to worry about the issue as they won't encounter situations where someone will brute force the master password.

Those concerned about the issue may increase the length of the master password or switch to a different password manager for the meantime.

My personal favorite is KeePass, a desktop password manager, but you can use online solutions such as LastPass as well if you need easier syncing.

Leave a comment

Make sure you enter all the required information, indicated by an asterisk (*). HTML code is not allowed.

Top News

Error: No articles to display


  1. Popular
  2. Trending


« January 2019 »
Mon Tue Wed Thu Fri Sat Sun
  1 2 3 4 5 6
7 8 9 10 11 12 13
14 15 16 17 18 19 20
21 22 23 24 25 26 27
28 29 30 31