Firefox Fails at Keeping Passwords Secure, Developer Claims

Recovering Encrypted Firefox Passwords via Brute Force Attacks is Easy, Developer Says

Firefox does a poor job of securing stored passwords even when the user has set up a master password, a software developer claims.

According to Wladimir Palant, author of the popular Adblock Plus extension, the password manager in Firefox and Thunderbird needs some major improvements in terms of security. The manager can spill out passwords in less than a minute, he says.

The issue, Palant claims, lies in the way the manager converts the master password into an encryption key. The conversion is performed by the sftkdb_passwordToKey() function, which applies SHA-1 to a string consisting of a random salt followed by the master password.

In the current implementation, the SHA-1 function is applied with an iteration count of just 1, far below the 10,000 iterations generally regarded as a practical minimum. An iteration count of at least 1,000 was already considered “modest” decades ago.

Because of that, recovering encrypted passwords via brute force attacks is not difficult at all, Palant says. In fact, he underlines that graphics processing units (GPUs) are great at calculating SHA-1 hashes. With some of them capable of calculating billions of SHA-1 hashes per second, it would not take more than a minute to crack the passwords encrypted and stored in Firefox.

This NSS bug was first reported about nine years ago, but remains unpatched. And it wouldn’t even be that difficult to address the issue, the developer says.

“NSS library implements PBKDF2 algorithm which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2 but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years,” Palant notes.

Robert Relyea, who has worked on NSS for over 20 years, notes that, while the iteration count could be increased, doing so would not improve the security of existing databases, which would remain readable with their old key derivation. Only changing the master password (even to the same value) would cause such a database to be rewritten with the higher iteration count.

The issue was thought to have been resolved for PKCS #12, but the fix was never applied to the NSS database password (the Firefox master password) as well. Relyea therefore reopened the bug so it could be properly addressed.
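As an added illustration (not code from the article, from NSS, or from Palant), the key derivation discussed above sketched in Python: a single SHA-1 over salt || password standing in for the one-iteration scheme, PBKDF2 with the 100,000 iterations Palant suggests beside it, a verifier that honours a per-database iteration count so that databases written before a change stay readable (Relyea's compatibility point), and a timing of how much more work each password guess costs under PBKDF2. The legacy_key function is an approximation of what the article says sftkdb_passwordToKey() does, not that function's code; the salt, password and the iterations-equals-1 dispatch rule are constructed assumptions.

```python
import hashlib
import hmac
import time

# Constructed sample inputs (not from the article): a fixed 16-byte salt and a master password.
SALT = bytes.fromhex("00112233445566778899aabbccddeeff")
MASTER_PASSWORD = b"correct horse battery staple"
PBKDF2_ITERATIONS = 100_000  # the floor Palant suggests for NSS


def legacy_key(salt: bytes, password: bytes) -> bytes:
    """Sketch of the scheme the article describes: one SHA-1 over salt || password.
    Illustrative reconstruction only, not NSS's sftkdb_passwordToKey() itself."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_key(salt: bytes, password: bytes, iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """The remedy Palant proposes: PBKDF2 (HMAC-SHA1 here) with a high iteration count."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def verify(stored_key: bytes, salt: bytes, candidate: bytes, iterations: int) -> bool:
    """Constant-time check of a candidate master password against a stored key.
    Assumed convention: an iteration count of 1 recorded with the database selects the
    legacy derivation (old databases stay readable); anything larger selects PBKDF2."""
    if iterations == 1:
        derived = legacy_key(salt, candidate)
    else:
        derived = pbkdf2_key(salt, candidate, iterations)
    return hmac.compare_digest(derived, stored_key)


def slowdown_factor(iterations: int = PBKDF2_ITERATIONS, rounds: int = 2000) -> float:
    """How many times more work one PBKDF2 derivation costs than one legacy hash.
    This factor divides an attacker's guess rate; the legitimate user pays it once per unlock."""
    t0 = time.perf_counter()
    for _ in range(rounds):
        legacy_key(SALT, MASTER_PASSWORD)
    legacy_each = (time.perf_counter() - t0) / rounds

    t0 = time.perf_counter()
    pbkdf2_key(SALT, MASTER_PASSWORD, iterations)
    pbkdf2_each = time.perf_counter() - t0
    return pbkdf2_each / legacy_each


if __name__ == "__main__":
    print(f"one PBKDF2 derivation costs ~{slowdown_factor():,.0f}x one SHA-1 of salt||password")
```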

Mozilla is also working on a new password manager component for Firefox. Dubbed Lockbox and available as an extension, it might not solve the issue either, Palant says, pointing out that it relies on Firefox Accounts, which could prevent wide adoption.

Even with this issue unresolved, setting a master password for Firefox’s manager is still better than using none. Using a password manager that is not affected by such bugs is better still, although password-cracking firms would argue that the security of such tools is debatable.

Written By

Ionut Arghire is an international correspondent for SecurityWeek.
