
Mozilla Master Password Solution Not Very Secure


Guest_Jim_*


Adblock Plus is a fairly popular extension for browsers, allowing users to easily block various kinds of content as they browse the web. Wladimir Palant created this extension because he was interested in Firefox extensions, but he has interests beyond it, including web application security. Recently he looked into how Mozilla, the company behind both the Firefox browser and Thunderbird email client, implements its master password system for securing your various log-in passwords. In a word, he was very disappointed in what he found.

In these two Mozilla products the master password is used to protect your various saved passwords, both by hiding them from anyone looking at your profile and by serving as the basis for an encryption key. Without a master password, the passwords are effectively stored in "plain text," because while the passwords themselves are encrypted, the key is stored without any protection. Going through the source code for the master password, Palant discovered the function to create the encryption key does so by salting the password and then hashing it with SHA-1 once. As he points out in his post, an NVIDIA GTX 1080 can work through 8.5 billion SHA-1 hashes in a second, so cracking this key would take, on average, one minute, based on a password strength he believes is an overestimation.

By using more hashing iterations, it would be possible to make such a brute force attack more difficult, but Palant feels a strong algorithm would be a better solution. Unfortunately, he doubts it will be implemented: although he only discovered this recently, the issue was first reported nine years ago and has remained unfixed in all this time.

If you are thinking other browsers would be better, this is not necessarily true, nor is this the only security issue Firefox suffers from. While looking at Palant's website about the master password issue, I also read a more recent post about the syncing tools Firefox Sync and Chrome Sync, neither of which is very secure. For Firefox Sync, the process for securing the information is actually pretty good, but it is done on the server. The client uses a different system that runs the hashing algorithm only 1000 times, which a GTX 1080 could crack in five days, on average. While this password is not stored on the server, there is the potential for an attacker to intercept it.

I am not a security expert, but Chrome Sync looks to be in worse shape. First, setting your own passphrase to protect your synced data is an option that is not even presented to you when installing. This means Google would set the key, potentially allowing it to have access. Even if you do set your own passphrase (under Settings – Sync – Encryption Options, if you were curious), it could be broken in just two days, on average, using a GTX 1080. It is even worse than that, as the salt used is constant, which means the same password will produce the same key for any Chrome user. In just days, someone with a single GTX 1080 could have a key to access the information of many users, but someone with more powerful hardware could do the job even faster.

Suddenly I feel like a touch of paranoia is a good thing.

Source: Wladimir Palant's notes [1] and [2]
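
To make the numbers above concrete, here is an added example (not part of the original post and not Mozilla's or Google's code) comparing a single salted SHA-1 with an iterated derivation, and showing why a constant salt gives every user with the same password the same key. The function names, the sample passwords and salts, the 40-bit password strength (chosen so the estimate lands on the post's "one minute") and the use of PBKDF2-HMAC-SHA1 as the iterated scheme are all assumptions.

```python
import hashlib, os, time

GTX1080_SHA1_PER_SEC = 8.5e9   # SHA-1 rate quoted in the post
ASSUMED_ENTROPY_BITS = 40      # assumption: chosen so the estimate matches "one minute"

def single_sha1_key(salt: bytes, password: str) -> bytes:
    """Simplified form of the described scheme: one SHA-1 over salt + password."""
    return hashlib.sha1(salt + password.encode()).digest()

def stretched_key(salt: bytes, password: str, iterations: int) -> bytes:
    """Iterated derivation; PBKDF2-HMAC-SHA1 is a stand-in, not Mozilla's code."""
    return hashlib.pbkdf2_hmac("sha1", password.encode(), salt, iterations, dklen=20)

def avg_crack_seconds(entropy_bits, hashes_per_guess, rate=GTX1080_SHA1_PER_SEC):
    """Average brute-force time: half the keyspace at `rate` hashes per second.
    Treats one iteration as one hash, so iterated figures are a lower bound."""
    return 2 ** (entropy_bits - 1) * hashes_per_guess / rate

def seconds_per_derivation(derive, runs=200):
    """Measure the local CPU cost of one key derivation (the work behind one guess)."""
    start = time.perf_counter()
    for i in range(runs):
        derive(b"constructed-salt", f"guess-{i}")
    return (time.perf_counter() - start) / runs

def same_key_for_two_users(salt_a: bytes, salt_b: bytes, password: str) -> bool:
    """True when two users with the same password end up with the same key."""
    return single_sha1_key(salt_a, password) == single_sha1_key(salt_b, password)

if __name__ == "__main__":
    for label, n in [("1 SHA-1", 1), ("1,000 iterations", 1_000),
                     ("1,000,000 iterations", 1_000_000)]:
        secs = avg_crack_seconds(ASSUMED_ENTROPY_BITS, n)
        print(f"{label:>22}: {secs:14.0f} s  (~{secs / 86400:.2f} days) on average")
    fast = seconds_per_derivation(single_sha1_key)
    slow = seconds_per_derivation(lambda s, p: stretched_key(s, p, 100_000), runs=5)
    print(f"local cost per guess: {fast:.2e} s single SHA-1, {slow:.2e} s stretched")
    const = b"constructed-constant-salt"   # constructed sample values
    print("constant salt, same key:", same_key_for_two_users(const, const, "hunter2"))
    print("random salts, same key: ",
          same_key_for_two_users(os.urandom(16), os.urandom(16), "hunter2"))
```

The estimate scales linearly with the iteration count, which is why a low count buys little against GPU hardware, and a random per-user salt is what forces the work to be repeated for each user.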


