It has been pointed out that the "Master Password" of Firefox and Thunderbird can be broken in one minute



Mozilla's web browser Firefox and mail client Thunderbird have a feature called "master password" that is intended to improve security. With this feature, the software restricts what can be done unless you enter the "master password", an individual password set in advance for each software account. However, BleepingComputer.com notes that some experts doubt that this master password improves security.

Wladimir Palant's notes: Master password in Firefox or Thunderbird? Do not bother!
https://palant.de/2018/03/10/master-password-in-firefox-or-thunderbird-do-not-bother

Firefox Master Password System Has Been Poorly Secured for the Past 9 Years
https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/

The person questioning the security of the master password is Wladimir Palant, a software developer who is also the author of the Firefox add-on Adblock Plus. In both programs, when the master password is set, the character string is encrypted so that it cannot be read easily, and it is created and saved in the file "logins.json". However, when Palant analyzed the source code, he found that the SHA-1 algorithm is used for the encryption. The function that performs the SHA-1 conversion is sftkdb_passwordToKey(), and the weak point is that this step can be calculated backwards, which makes the security of the encryption very low. He therefore argues that using the master password does not increase safety much.


In general, it is said that encrypting the master password with SHA-1 is not secure. Palant points out that with this weak point the SHA-1 encryption becomes weaker still, and that it is especially vulnerable to analysis by brute force attack. He asserts that if passwords are analyzed on a PC equipped with an NVIDIA GTX 1080, a GPU used in gaming PCs, the correct master password can be found in just "1 minute" on average.
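The work-factor argument behind the "1 minute" figure, as an added example that is not code from Palant, Mozilla or this article. It assumes that the key is derived with a single SHA-1 pass over salt plus password, and it uses an assumed guess rate of 8.5 billion SHA-1 hashes per second for one GTX 1080 and an assumed 40 bits of entropy for an average password; none of these figures appear on this page, and PBKDF2 stands in here as one example of a stretched derivation.

```python
import hashlib

# Assumptions (not stated on this page): the guess rate and password entropy
# below are illustrative figures; the iteration counts are arbitrary.
ASSUMED_SHA1_PER_SECOND = 8.5e9   # one GTX 1080, assumed
ASSUMED_ENTROPY_BITS = 40         # "average" password, assumed


def weak_key(salt: bytes, password: str) -> bytes:
    """One SHA-1 pass over salt + password: a guess costs a single hash."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def stretched_key(salt: bytes, password: str, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA256: a guess costs `iterations` chained HMAC rounds."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=32
    )


def average_search_seconds(entropy_bits, hashes_per_second, iterations=1):
    """Expected time to find a password among 2**entropy_bits candidates.

    On average half the space is tried; each try costs `iterations` hashes.
    Counting one PBKDF2 round as one SHA-1 understates the real slowdown.
    """
    return (2 ** (entropy_bits - 1)) * iterations / hashes_per_second


def comparison(iteration_counts=(1, 10_000, 1_000_000)):
    """Rows of (iterations, seconds, days) for the assumed guess rate."""
    rows = []
    for n in iteration_counts:
        secs = average_search_seconds(
            ASSUMED_ENTROPY_BITS, ASSUMED_SHA1_PER_SECOND, n
        )
        rows.append((n, secs, secs / 86400))
    return rows


if __name__ == "__main__":
    salt = bytes(range(16))  # constructed sample salt
    print("single SHA-1 key :", weak_key(salt, "correct horse").hex())
    print("PBKDF2 x10000 key:", stretched_key(salt, "correct horse", 10_000).hex())
    for n, secs, days in comparison():
        print(f"{n:>9} iteration(s): {secs:14.0f} s  ({days:10.2f} days)")
```

With one iteration the expected search time comes out at roughly a minute under these assumptions, while each added factor in the iteration count multiplies that time by the same factor.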

Palant adds that he was not the one who pointed out this security vulnerability. Justin Dolske warned Mozilla 9 years ago that the encryption in both programs is weak. However, Palant claims, Mozilla has left this weak point in place for 9 years.


The IT news site BleepingComputer.com notes that, apart from this weakness being pointed out, Mozilla engineers are, as of March 10, 2018, publishing Lockbox, a Firefox add-on for master password security, on a trial basis. However, Lockbox only works with Firefox 57 or higher.


According to BleepingComputer.com, it is better to use it than to use the master password, but if you do not want your passwords to leak from Firefox and Thunderbird, the site recommends not saving passwords locally in either program and using third-party password management software instead.

in Software,   Security, Posted by darkhorse_log