Firefox Users – Master Password at Risk!

Mel Khamlichi (http://www.osradar.com)
Founder of Osradar, from Amsterdam, Netherlands

Firefox is one of the best web browsers around, right? It’s stable, fast and awesome, with thousands of extensions in the store. Firefox competes with all other web browsers and has earned a good reputation. However, a security gap found recently in the browser puts users at risk.

The risk

If you’re a Firefox user, you already know that there’s a feature named “Master Password”. The browser remembers the passwords for all of your logins, and you unlock them with the master password alone. This is a really time-saving and powerful feature. Unfortunately, due to poor design, the system is highly vulnerable.

The same feature is available in both Firefox and Thunderbird. Security experts lauded the feature because, until that point, Firefox had saved passwords in cleartext, leaving them exposed to anyone with physical access to the PC. Now Wladimir Palant, the author of Adblock Plus, says that the master password system uses a weak encryption method that’s highly vulnerable to brute-force attacks.

The leakage

Palant looked into the source code and found the function that hashes some random salt together with the actual master password using SHA-1.

In this process, the iteration count is a big factor. The higher the count, the better the protection. In the industry, the accepted value is 10,000, whereas other powerful apps like LastPass use the value 100,000. By comparison, the count for Firefox is extremely LOW: only 1!

This low iteration count allows an attacker to easily recover the master password with a brute-force attack and then use it to decrypt the other stored passwords from the Firefox and Thunderbird databases. Palant also points out that present-day powerful GPUs can brute-force simplistic passwords within a minute. Thus, the “Master Password” feature isn’t worth much at all.
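To see what the iteration count buys on your own hardware, the following added example (not code from Firefox, NSS or Palant's write-up) measures the cost of one key derivation at 1, 10,000 and 100,000 iterations. It assumes a simplified model of the scheme as described above, a single SHA-1 over salt plus password, and uses PBKDF2-HMAC-SHA1 as a stand-in for an iterated derivation; the function names and the sample password are constructed for illustration.

```python
import hashlib
import os
import time

def single_sha1_key(salt: bytes, password: bytes) -> bytes:
    """One SHA-1 pass over salt + password (iteration count 1, simplified model)."""
    return hashlib.sha1(salt + password).digest()

def stretched_key(salt: bytes, password: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1 (assumed stand-in): the hash is repeated `iterations` times."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)

def seconds_per_derivation(derive, trials: int) -> float:
    """Average wall-clock cost of one key derivation on this machine."""
    salt, password = os.urandom(16), b"constructed-sample-password"
    start = time.perf_counter()
    for _ in range(trials):
        derive(salt, password)
    return (time.perf_counter() - start) / trials

def cost_ratio(iterations: int) -> float:
    """How many times more expensive one guess becomes at `iterations`."""
    cheap = seconds_per_derivation(single_sha1_key, 20000)
    costly = seconds_per_derivation(lambda s, p: stretched_key(s, p, iterations), 20)
    return costly / cheap

def hours_to_exhaust(alphabet: int, length: int, seconds_per_guess: float) -> float:
    """Time to derive a key for every password of exactly `length` symbols."""
    return (alphabet ** length) * seconds_per_guess / 3600

if __name__ == "__main__":
    for n in (1, 10_000, 100_000):
        fn = single_sha1_key if n == 1 else (lambda s, p, n=n: stretched_key(s, p, n))
        per_guess = seconds_per_derivation(fn, 20000 if n == 1 else 10)
        print(f"{n:>7} iterations: {per_guess * 1e6:10.1f} us/derivation, "
              f"8 lowercase letters: {hours_to_exhaust(26, 8, per_guess):12.1f} h")
```

The figures are single-threaded CPU numbers, so they understate what a GPU can do; the point is the ratio between the rows, which grows roughly in proportion to the iteration count.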

This issue was reported about 9 years ago by Justin Dolske, when the “Master Password” feature had just launched. Despite the report, Mozilla didn’t take any official action for years! Recently, Palant received the first official Mozilla response regarding the case: they’re developing a better tool, currently codenamed “Lockbox”, which is available as an extension. Once it’s fully developed, it’s supposed to solve the issue.

If you’re using a master password, you don’t need to worry right now. Until Mozilla fixes things permanently, use a longer and more complex password. This way, the risk can be reduced to the lowest level. If you’re not using one, set a master password, as it encrypts the other passwords instead of leaving them in plain text.
