Firefox's 'master password' system can be easily bypassed using brute force
If you're a Firefox user, it's quite likely that you use the browser to store your login usernames and passwords for the sake of ease. Supposing you're a little security conscious, you may well have enabled the 'master password' function to prevent unauthorized access to your password database.
Well, there's a little bad news. It's nowhere near as secure as you may have thought. Wladimir Palant -- the guy behind the AdBlock Plus extension -- found that the system, which is used by both Firefox and Thunderbird, can be very easily brute-forced, leaving passwords vulnerable to malware and hackers.
Mozilla explains that: "After you've set a master password, it needs to be entered the first time you remember a new password or remove passwords and each time you show your passwords, for each Firefox session." Sadly, it could be all too easy for someone to force their way past this simple obstacle.
In a blog post explaining his findings, Palant says:
When I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here.
The problem is neatly summed up by Bleeping Computer:
The flag Palant is referring to is the fact that the SHA-1 function has an iteration count of 1, meaning it's applied just once, while industry practices regard 10,000 as a solid minimum for this value, while applications like LastPass use values of 100,000.
This low iteration count makes it incredibly easy for an attacker to brute-force the master password and later decrypt the encrypted passwords stored inside the Firefox or Thunderbird databases.
What's particularly interesting -- and concerning -- is that the problem is not a new one. Far from it. It's been around for no less than nine years, as this bug report shows. Posting on the discussion thread beneath the report, Palant says:
9 years later I looked at the same topic without being aware of this discussion and was shocked to see a single SHA1 iteration being used to hash passwords. This has been highly discouraged for a while already, see http://cynosureprime.blogspot.de/2017/08/320-million-hashes-exposed.html for example. A single GTX 1080 GPU can calculate 8.5 billion SHA1 hashes per second. With humans choosing passwords that on average have merely 40 bits of entropy (see http://research.microsoft.com/pubs/74164/www2007.pdf) the average password can be guessed in a minute. I'm sure that Mozilla can do better. Any plans to address this? At the very least, PBKDF2 should be used with an appropriate number of iterations (at least 100k, more is better). Algorithms like bcrypt or scrypt are more resistant to bruteforcing but these aren't implemented by NSS yet.
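What the iteration count buys, as an added example (not code from Mozilla, NSS or Palant's post): `weak_kdf` is a simplified model of the salt-plus-password SHA-1 construction as the article describes it, `stretched_kdf` is the PBKDF2 alternative with the 100,000-iteration floor from the quote, and `average_guess_seconds` reworks the quoted 40-bit and 8.5 billion hashes per second figures. It assumes each PBKDF2 iteration costs an attacker at least one SHA-1 computation, which is a lower bound.

```python
import hashlib
import os
import time

GPU_SHA1_PER_SEC = 8.5e9   # single GTX 1080, figure quoted in the article
ENTROPY_BITS = 40          # average password entropy quoted in the article


def weak_kdf(salt: bytes, password: str) -> bytes:
    """Model of the described scheme: one SHA-1 pass over salt || password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def stretched_kdf(salt: bytes, password: str, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA1 key derivation with a configurable iteration count."""
    return hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"), salt,
                               iterations, dklen=20)


def average_guess_seconds(iterations: int, bits: int = ENTROPY_BITS,
                          rate: float = GPU_SHA1_PER_SEC) -> float:
    """Expected time to find the password: half the keyspace is searched on
    average, and every guess costs at least `iterations` SHA-1 computations
    (assumption: lower bound, HMAC overhead ignored)."""
    return (2 ** bits / 2) * iterations / rate


def seconds_per_derivation(kdf, rounds: int) -> float:
    """Measure the local cost of one key derivation, averaged over `rounds`."""
    salt = os.urandom(16)
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(salt, "constructed sample passphrase")  # constructed input
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    for label, iters in (("single SHA-1", 1), ("PBKDF2, 100k", 100_000)):
        secs = average_guess_seconds(iters)
        print(f"{label:14s} average guess time: {secs:12.0f} s "
              f"({secs / 86400:.2f} days)")
    print(f"local cost, single SHA-1: {seconds_per_derivation(weak_kdf, 10_000):.2e} s")
    print(f"local cost, PBKDF2 100k : {seconds_per_derivation(stretched_kdf, 3):.2e} s")
```

The legitimate user pays the PBKDF2 cost once per unlock, while an attacker pays it for every guess.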