Wladimir Palant, the developer behind AdBlock Plus, has taken Mozilla to task over the way Firefox hashes master passwords to generate the encryption key used to protect stored passwords.
While a growing number of people are turning to dedicated password manager solutions such as LastPass, 1Password, and Dashlane, some still opt to use the built-in functionality provided by their web browsers. Of course, there is a matter of trust involved when using any such service or software to store your sensitive credentials as well as how swift a vendor’s response ends up being if a critical flaw is discovered.
Unfortunately for Mozilla, it appears that its Firefox browser has for nine years only executed a single iteration of SHA-1 in order to hash the master password with a random salt in order to produce an encryption key for the password database. According to some analysis by Wladimir Palant, author of AdBlock Plus, « at least 100,000 iterations » would be far more effective in diminishing the effectiveness of brute force attacks. To lend further context, Palant also offered up some calculations:
Of course, it is worth noting that the Microsoft article cited by Palant is over 11 years old, so whether or not the average password remains at 40 bits (which is the equivalent of a five character ASCII text string) may well be up for debate. When queried about his provocative suggestion that people « do not bother » using a master password in Firefox, he qualified his remark and said:
At present, users have no control over the number of SHA-1 rounds applied to the master password and salt, however, Robert Relyea in the thread has suggested updating Firefox to use « 10000 (10K) in debug builds and 1000000 (1M) in optimized builds. » Aside from leveraging Mozilla’s experimental, standalone password manager, Lockbox, which relies on a Mozilla Account, the company has yet to provide a response and solution to the issue. In the meantime, users may need to consider their password management arrangements in light of the situation.
Source: Wladimir Palant via Bleeping Computer