I know that in the past master password was Triple DES. Is it still the same?
TKs,
Nick
Master Password encryption
- ndebord
- Posts: 1122
- Joined: December 7th, 2002, 9:53 am
Master Password encryption
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
- tanstaafl
- Moderator
- Posts: 49647
- Joined: July 30th, 2003, 5:06 pm
Re: Master Password encryption
https://bugzilla.mozilla.org/show_bug.cgi?id=1562674
https://bugzilla.mozilla.org/show_bug.cgi?id=973759
https://bugzilla.mozilla.org/show_bug.cgi?id=524403
https://bugzilla.mozilla.org/show_bug.cgi?id=1562683
https://support.mozilla.org/en-US/questions/1249831
It sounds like if you use a master password the individual passwords are encrypted using DES-EDE3-CBC but the master password is encrypted using multiple iterations of SHA-1 (weak).
You might find the Firefox section of https://apr4h.github.io/2019-12-20-Harv ... edentials/ interesting. https://www.reddit.com/r/firefox/commen ... s_firefox/ mentions:
"While NSS switched to AES and more KDF iterations for the modern key4.db late 2019, Firefox hasn't followed for saved logins.
Maybe also because there's no NSS support in the legacy key3.db format or automatic upgrading from low iteration count and < 1% of Firefox users use a master password anyways.
While this work on the old NSS-integration seems to be currently on-hold or just slow after the initial changes and due to COVID-19, Firefox has recently gained OS-integration for password manager protection and plans to eventually use the various operating systems' secret storage mechanisms."
- ndebord
- Posts: 1122
- Joined: December 7th, 2002, 9:53 am
Re: Master Password encryption
tanstaafl,
tanstaafl wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=1562674
https://bugzilla.mozilla.org/show_bug.cgi?id=973759
https://bugzilla.mozilla.org/show_bug.cgi?id=524403
https://bugzilla.mozilla.org/show_bug.cgi?id=1562683
https://support.mozilla.org/en-US/questions/1249831
It sounds like if you use a master password the individual passwords are encrypted using DES-EDE3-CBC but the master password is encrypted using multiple iterations of SHA-1 (weak).
You might find the Firefox section of https://apr4h.github.io/2019-12-20-Harv ... edentials/ interesting. https://www.reddit.com/r/firefox/commen ... s_firefox/ mentions:
"While NSS switched to AES and more KDF iterations for the modern key4.db late 2019, Firefox hasn't followed for saved logins.
Maybe also because there's no NSS support in the legacy key3.db format or automatic upgrading from low iteration count and < 1% of Firefox users use a master password anyways.
While this work on the old NSS-integration seems to be currently on-hold or just slow after the initial changes and due to COVID-19, Firefox has recently gained OS-integration for password manager protection and plans to eventually use the various operating systems' secret storage mechanisms."
Thanks, I wasn't aware of the details of master password encryption. I just started using it with Firefox. I was hoping they had switched to at the very least AES (like TwoFish better, but can't have everything).
Up until now, I have stayed with KeePass 1.39 and kept everything offline with that software. Will have to think about this. 3-DES was good, once upon a time.
Much thanks,
Nick
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome