Firefox does a poor job of securing stored passwords, a developer has claimed. For at least the past nine years, Mozilla has been using an insecure key-derivation mechanism for its "master password" feature. The master password is used to derive the key that encrypts each password the user saves in Firefox and Thunderbird.
While this feature was previously applauded by security experts, since most browsers stored passwords in cleartext back then, it now appears that the scheme behind Mozilla's master password is weak and can be brute forced by attackers.
Wladimir Palant, author of the Adblock Plus extension, claims (via BP) that the password manager in Firefox can be made to give up its stored passwords in less than a minute. The problem lies in how the manager converts the master password into an encryption key: it applies SHA-1 once to a string consisting of a random salt followed by the actual master password.
"Anybody who ever designed a login function on a website will likely see the red flag here," Palant said.
In this implementation, the SHA-1 function has an iteration count of 1, which means it is applied only once. To see how insecure this is, compare it with industry practice, which recommends 10,000 iterations as a minimum; applications like LastPass go to over 100,000 iterations. A single hash per guess lets attackers brute force the master password and then decrypt the stored passwords, which could take just a minute on current GPU hardware.
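To make the iteration-count point concrete, here is an added example (not Mozilla's NSS code, and not from Palant's write-up) that models the scheme exactly as the article describes it: one SHA-1 pass over the salt followed by the master password. It runs a small dictionary attack against that key, then measures the per-guess cost of the same attack against PBKDF2-HMAC-SHA256 at 100,000 iterations, the figure the article attributes to LastPass-class managers. The wordlist, suffix rules, salt and the demo password "firefox123" are constructed for the illustration; the dictionary is deliberately tiny so the run finishes instantly.

```python
"""Added example: why a single-iteration SHA-1 key derivation is brute-forceable.

This is a simplified model of the scheme the article describes
(key = SHA-1(salt || master_password), iteration count 1), written for
illustration. It is not Mozilla's actual NSS implementation.
"""
import hashlib
import hmac
import itertools
import os
import time
from typing import Callable, Dict, Iterable, Optional, Tuple

Kdf = Callable[[bytes, str], bytes]


def derive_key_sha1_once(salt: bytes, master_password: str) -> bytes:
    """The weak scheme: one SHA-1 pass over salt || password (iteration count 1)."""
    return hashlib.sha1(salt + master_password.encode("utf-8")).digest()


def derive_key_pbkdf2(salt: bytes, master_password: str,
                      iterations: int = 100_000) -> bytes:
    """A slow KDF for comparison: PBKDF2-HMAC-SHA256 at ~100,000 iterations,
    the order of magnitude the article attributes to LastPass."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"),
                               salt, iterations, dklen=20)


# Constructed wordlist for the demo; a real attack would use a large dictionary
# and GPU-parallel hashing.
WORDLIST = ["password", "letmein", "firefox", "mozilla", "dragon", "hunter"]


def candidate_passwords(words: Iterable[str]) -> Iterable[str]:
    """A tiny dictionary attack: each base word with common suffixes and a
    capitalised variant (constructed rules, 10 candidates per word)."""
    suffixes = ["", "1", "123", "!", "2018"]
    for word, suffix in itertools.product(words, suffixes):
        yield word + suffix
        yield word.capitalize() + suffix


def brute_force(salt: bytes, target_key: bytes, candidates: Iterable[str],
                kdf: Kdf) -> Tuple[Optional[str], int]:
    """Derive a key for each candidate until one matches target_key.
    Returns (recovered_password_or_None, number_of_guesses)."""
    guesses = 0
    for cand in candidates:
        guesses += 1
        if hmac.compare_digest(kdf(salt, cand), target_key):
            return cand, guesses
    return None, guesses


def seconds_per_guess(kdf: Kdf, salt: bytes, n: int = 5) -> float:
    """Rough single-threaded CPU cost of one guess under a given KDF."""
    start = time.perf_counter()
    for i in range(n):
        kdf(salt, "guess%d" % i)
    return max((time.perf_counter() - start) / n, 1e-9)


def demo(master_password: str = "firefox123") -> Dict[str, object]:
    """Attack the weak scheme, then compare per-guess cost against PBKDF2."""
    salt = os.urandom(20)                      # random salt, as in the article
    weak_key = derive_key_sha1_once(salt, master_password)
    found, guesses = brute_force(salt, weak_key,
                                 candidate_passwords(WORDLIST),
                                 derive_key_sha1_once)
    weak_cost = seconds_per_guess(derive_key_sha1_once, salt)
    strong_cost = seconds_per_guess(derive_key_pbkdf2, salt)
    return {
        "recovered": found,
        "guesses": guesses,
        "weak_seconds_per_guess": weak_cost,
        "strong_seconds_per_guess": strong_cost,
        "slowdown_factor": strong_cost / weak_cost,
    }


if __name__ == "__main__":
    result = demo()
    print("recovered %r after %d guesses" % (result["recovered"], result["guesses"]))
    print("SHA-1 x1:   %.2e s/guess" % result["weak_seconds_per_guess"])
    print("PBKDF2 100k: %.2e s/guess" % result["strong_seconds_per_guess"])
    print("slowdown factor: %.0fx" % result["slowdown_factor"])
```

The salt does its job against precomputed tables, but it does nothing for the cost of each guess; only the iteration count does that. The slowdown factor printed at the end is the multiplier an attacker's time-to-crack would gain from a properly iterated KDF, before accounting for GPUs, which widen the gap further because a single SHA-1 parallelises almost perfectly.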
Nine years since this issue was first reported to Mozilla
It appears Palant isn't the first to learn about the issue. The bug was first reported to Mozilla over nine years ago. Even that report cites the modest value of 1,000 iterations, itself a recommendation that was already ten years old at the time, which puts Mozilla some two decades behind. Until the company responds to these concerns, it is advisable to choose a long and complex master password. You can also uncheck "Remember logins and passwords for websites" so that the browser does not store login information for you at all.
It is likely that Mozilla will address these issues in its upcoming password manager, Lockbox, which is scheduled to arrive soon. Experts also advise against trusting browser password managers and recommend dedicated solutions such as LastPass and KeePass instead.
- We have written to Mozilla for a confirmation and comment on these security concerns.