"This feature satisfied the simple need to hide passwords from other family members on a shared computer," a Mozilla spokesperson told SearchSecurity. The initial report noted that simply increasing the number of iterations of the SHA-1 hash to 1,000 would help improve security more substantive activity in the bug record did not start until Palant noted his discovery on March 10, writing "nine years later I looked the same topic without being aware of this discussion and was shocked to see a single SHA-1 iteration being used to hash passwords."Īccording to Mozilla, the feature was never intended to be secure from all types of attack. The record of Mozilla developers' response to the Firefox bug, first recorded on Bugzilla in Oct. For the average password with approximately 40 bits of randomness, Palant suggested that an attacker with one Nvidia GTX 1080 graphics card could recover the average password in about one minute. Anybody who ever designed a login function on a website will likely see the red flag here."Īs Palant notes, the Firefox bug leaves master passwords vulnerable because SHA-1 hashes have been proved too weak for security use since at least 2005 also, the master password is hashed only one time with a random salt value. "However, when I looked into the source code," Palant wrote in a blog post, "I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Quite remarkably, I haven't seen any articles stating the opposite."
While he noted that not using a master password is "equivalent to storing them in plain text," he added that "it is commonly believed that with a master password your data is safe.
While investigating how Mozilla's browser code handled the conversion of a master password into an encryption key, Palant sought to determine how well using a master password key with Firefox actually protected a user's stored passwords. Palant is the developer of Adblock Plus, the content filtering and ad blocking browser extension.
A SHA-1 hash, even when applied with a random salt value as Firefox does with the master password, can be brute forced in as little as a minute, according to Wladimir Palant, who discovered that the Firefox bug had fallen through the cracks for nearly nine years.
0 kommentar(er)
