Firefox master password seen as unsafe

Posted on Monday, March 19 2018 @ 11:31 CET by Thomas De Maesschalck
AdBlock Plus creator Wladimir Palant lashed out at Mozilla over the poor security of the master password in the Firefox password manager. The issue is that for the past nine years, Firefox has run just a single iteration of SHA-1 over the master password and a random salt to derive the encryption key for the password database. Given the advances in computing power, this leaves the encryption very susceptible to brute-force attacks:
"The problem here is: GPUs are extremely good at calculating SHA-1 hashes. Judging by the numbers from this article, a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second. This article estimates that the average password is merely 40 bits strong, and that estimate is already higher than some of the others. In order to guess a 40 bit password you will need to test 2^39 guesses on average. If you do the math, cracking a password will take merely a minute on average then."
Palant suggests Mozilla should use at least 100,000 iterations to beef up the security of Firefox.
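
To put the quoted figures side by side, here is an added example (not Firefox's or Palant's code) that derives a key with one salted SHA-1 pass and with 100,000 iterations, then estimates the average guessing time and the master password strength needed to hold out for a year. The salt-then-password ordering, the use of PBKDF2-HMAC-SHA1 for the iterated variant, and all function names are assumptions made for illustration; the hash rate and iteration count are the ones quoted above.

```python
import hashlib
import math
import os

GPU_SHA1_PER_SEC = 8.5e9        # single GTX 1080, figure quoted in the article
SUGGESTED_ITERATIONS = 100_000  # minimum iteration count Palant suggests


def single_sha1_key(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-1 pass (salt || password ordering is an assumption)."""
    return hashlib.sha1(salt + password).digest()


def iterated_key(password: bytes, salt: bytes,
                 iterations: int = SUGGESTED_ITERATIONS) -> bytes:
    """Iterated derivation; PBKDF2-HMAC-SHA1 is a stand-in chosen for this example."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations)


def avg_crack_seconds(entropy_bits: int, iterations: int = 1,
                      rate: float = GPU_SHA1_PER_SEC) -> float:
    """Average time to guess a password of the given strength.

    Half the search space (2**(bits-1)) is tried on average, and every guess
    costs at least `iterations` SHA-1 computations, so this is a lower bound.
    """
    return 2 ** (entropy_bits - 1) * iterations / rate


def min_bits_for(seconds: float, iterations: int = 1,
                 rate: float = GPU_SHA1_PER_SEC) -> int:
    """Smallest password strength (bits) whose average guessing time >= seconds."""
    return math.ceil(math.log2(rate * seconds / iterations) + 1)


if __name__ == "__main__":
    salt = os.urandom(16)
    password = b"constructed sample password"  # constructed input
    print("single SHA-1 key:", single_sha1_key(password, salt).hex())
    print("iterated key    :", iterated_key(password, salt).hex())

    year = 365 * 86400
    for label, iters in (("1 iteration", 1),
                         ("100,000 iterations", SUGGESTED_ITERATIONS)):
        secs = avg_crack_seconds(40, iters)
        print(f"{label}: 40-bit password falls in ~{secs:,.0f} s "
              f"({secs / 86400:.1f} days); one year of resistance needs "
              f"{min_bits_for(year, iters)} bits")
```

The estimate covers one card only; the time shrinks in proportion to the number of GPUs used.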

Via: Neowin

