Master Password encryption

Post by ndebord »

I know that in the past master password was Triple DES. Is it still the same?

TKs,

Nick
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome

Re: Master Password encryption

Post by tanstaafl »

https://bugzilla.mozilla.org/show_bug.cgi?id=1562674
https://bugzilla.mozilla.org/show_bug.cgi?id=973759
https://bugzilla.mozilla.org/show_bug.cgi?id=524403
https://bugzilla.mozilla.org/show_bug.cgi?id=1562683

https://support.mozilla.org/en-US/questions/1249831

It sounds like if you use a master password the individual passwords are encrypted using DES-EDE3-CBC but the master password is encrypted using multiple iterations of SHA-1 (weak).

You might find the Firefox section of https://apr4h.github.io/2019-12-20-Harv ... edentials/ interesting. https://www.reddit.com/r/firefox/commen ... s_firefox/ mentions:

"While NSS switched to AES and more KDF iterations for the modern key4.db late 2019, Firefox hasn't followed for saved logins.

Maybe also because there's no NSS support in the legacy key3.db format or automatic upgrading from low iteration count and < 1% of Firefox users use a master password anyways.

While this work on the old NSS-integration seems to be currently on-hold or just slow after the initial changes and due to COVID-19, Firefox has recently gained OS-integration for password manager protection and plans to eventually use the various operating systems' secret storage mechanisms."
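
Added example, not part of the post above and not Mozilla's or NSS's code: a defender-side check that reads a DER-encoded password-based-encryption AlgorithmIdentifier and reports whether it names the legacy SHA-1/Triple DES scheme or PBES2 (PBKDF2 with AES), plus the iteration count. The OID table, the constructed sample blobs, the helper names and the 10,000-iteration threshold are assumptions of this example; where a profile stores such a blob is not covered here.

```python
# Added example (not from the thread). OID table and sample blobs are constructed.
OIDS = {  # hex of the DER OID body -> name
    "2a864886f70d010c050103": "pbeWithSha1AndTripleDES-CBC",  # 1.2.840.113549.1.12.5.1.3
    "2a864886f70d01050d": "PBES2",            # 1.2.840.113549.1.5.13
    "2a864886f70d01050c": "PBKDF2",           # 1.2.840.113549.1.5.12
    "2a864886f70d0209": "hmacWithSHA256",     # 1.2.840.113549.2.9
    "60864801650304012a": "aes256-CBC",       # 2.16.840.1.101.3.4.1.42
}

def walk(der, out):
    """Collect OIDs and INTEGERs, in order, from nested DER TLVs."""
    i = 0
    while i < len(der):
        tag, length = der[i:i + 2]            # ValueError if the header is cut short
        i += 2
        if length & 0x80:                     # long-form length
            n = length & 0x7F
            length, i = int.from_bytes(der[i:i + n], "big"), i + n
        body = der[i:i + length]
        if len(body) != length:
            raise ValueError("truncated DER value")
        i += length
        if tag == 0x30:                       # SEQUENCE: descend
            walk(body, out)
        elif tag == 0x06:                     # OBJECT IDENTIFIER
            out.append(("oid", OIDS.get(body.hex(), body.hex())))
        elif tag == 0x02:                     # INTEGER
            out.append(("int", int.from_bytes(body, "big")))
    return out

def audit(der, min_iterations=10000):         # threshold is an assumed policy value
    items = walk(der, [])
    scheme = next((v for k, v in items if k == "oid"), None)
    iterations = next((v for k, v in items if k == "int"), None)  # first INTEGER
    weak = scheme != "PBES2" or (iterations or 0) < min_iterations
    return {"scheme": scheme, "iterations": iterations, "weak": weak}

def tlv(tag, *parts):                         # sample builder, short-form lengths only
    return bytes([tag, sum(map(len, parts))]) + b"".join(parts)

def oid(name):                                # OID TLV for a name in the table above
    return tlv(0x06, bytes.fromhex(next(h for h, n in OIDS.items() if n == name)))

SAMPLE_LEGACY = tlv(0x30, oid("pbeWithSha1AndTripleDES-CBC"),
                    tlv(0x30, tlv(0x04, bytes(8)), tlv(0x02, b"\x01")))
SAMPLE_PBES2 = tlv(0x30, oid("PBES2"), tlv(0x30,
    tlv(0x30, oid("PBKDF2"), tlv(0x30, tlv(0x04, bytes(8)), tlv(0x02, b"\x27\x10"),
                                 tlv(0x02, b"\x20"), tlv(0x30, oid("hmacWithSHA256")))),
    tlv(0x30, oid("aes256-CBC"), tlv(0x04, bytes(16)))))
```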

Re: Master Password encryption

Post by ndebord »

tanstaafl wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=1562674
https://bugzilla.mozilla.org/show_bug.cgi?id=973759
https://bugzilla.mozilla.org/show_bug.cgi?id=524403
https://bugzilla.mozilla.org/show_bug.cgi?id=1562683

https://support.mozilla.org/en-US/questions/1249831

It sounds like if you use a master password the individual passwords are encrypted using DES-EDE3-CBC but the master password is encrypted using multiple iterations of SHA-1 (weak).

You might find the Firefox section of https://apr4h.github.io/2019-12-20-Harv ... edentials/ interesting. https://www.reddit.com/r/firefox/commen ... s_firefox/ mentions:

"While NSS switched to AES and more KDF iterations for the modern key4.db late 2019, Firefox hasn't followed for saved logins.

Maybe also because there's no NSS support in the legacy key3.db format or automatic upgrading from low iteration count and < 1% of Firefox users use a master password anyways.

While this work on the old NSS-integration seems to be currently on-hold or just slow after the initial changes and due to COVID-19, Firefox has recently gained OS-integration for password manager protection and plans to eventually use the various operating systems' secret storage mechanisms."

tanstaafl,

Thanks, I wasn't aware of the details of master password encryption. I just started using it with Firefox. I was hoping they had switched to at the very least AES (like TwoFish better, but can't have everything).

Up until now, I have stayed with KeePass 1.39 and kept everything offline with that software. Will have to think about this. 3-DES was good, once upon a time.

Much thanks,

Nick
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome