MozillaZine


Master Password encryption

User Help for Mozilla Firefox
ndebord

Posts: 1122
Joined: December 7th, 2002, 9:53 am

Posted January 24th, 2022, 9:40 am

I know that in the past master password was Triple DES. Is it still the same?

TKs,

Nick
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome

tanstaafl
Moderator

Posts: 49147
Joined: July 30th, 2003, 5:06 pm

Posted January 25th, 2022, 2:56 am

https://bugzilla.mozilla.org/show_bug.cgi?id=1562674
https://bugzilla.mozilla.org/show_bug.cgi?id=973759
https://bugzilla.mozilla.org/show_bug.cgi?id=524403
https://bugzilla.mozilla.org/show_bug.cgi?id=1562683

https://support.mozilla.org/en-US/questions/1249831

It sounds like if you use a master password the individual passwords are encrypted using DES-EDE3-CBC but the master password is encrypted using multiple iterations of SHA-1 (weak).

You might find the Firefox section of https://apr4h.github.io/2019-12-20-Harv ... edentials/ interesting. https://www.reddit.com/r/firefox/commen ... s_firefox/ mentions:

"While NSS switched to AES and more KDF iterations for the modern key4.db late 2019, Firefox hasn't followed for saved logins.

Maybe also because there's no NSS support in the legacy key3.db format or automatic upgrading from low iteration count and < 1% of Firefox users use a master password anyways.

While this work on the old NSS-integration seems to be currently on-hold or just slow after the initial changes and due to COVID-19, Firefox has recently gained OS-integration for password manager protection and plans to eventually use the various operating systems' secret storage mechanisms."
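The post above contrasts the legacy DES-EDE3-CBC/SHA-1 protection with the newer AES scheme that uses more KDF iterations. As an added example that is not part of the original thread or of Mozilla's code, the Python below reads the algorithm identifiers and iteration count that a DER-encoded password-based-encryption entry declares, without decrypting anything. The blob layout, the OID table and the zero-filled sample blobs are assumptions constructed for illustration.

```python
# Added example; assumes a DER PBE entry like those NSS keeps in key4.db.
H = bytes.fromhex
LEGACY = "2a864886f70d010c050103"  # OID 1.2.840.113549.1.12.5.1.3, hex-encoded
NAMES = {LEGACY: "pbeWithSha1AndTripleDES-CBC",
         "2a864886f70d01050d": "PBES2", "2a864886f70d01050c": "PBKDF2",
         "2a864886f70d0209": "hmacWithSHA256", "60864801650304012a": "aes256-CBC"}

def tlv(buf):
    """Yield (tag, value) per DER element; handles long-form lengths."""
    pos = 0
    while pos < len(buf):
        if pos + 2 > len(buf):
            raise ValueError("truncated DER header")
        tag, length, pos = buf[pos], buf[pos + 1], pos + 2
        if length & 0x80:  # long form: low 7 bits = count of length bytes
            n = length & 0x7F
            length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
        if pos + length > len(buf):
            raise ValueError("truncated DER value")
        yield tag, buf[pos:pos + length]
        pos += length

def walk(buf, oids, ints):
    for tag, val in tlv(buf):
        if tag == 0x30:      # SEQUENCE: descend
            walk(val, oids, ints)
        elif tag == 0x06:    # OBJECT IDENTIFIER, kept as hex of its content bytes
            oids.append(val.hex())
        elif tag == 0x02:    # INTEGER
            ints.append(int.from_bytes(val, "big"))

def describe(blob):
    """Report declared algorithms, first INTEGER (iteration count), legacy flag."""
    oids, ints = [], []
    walk(blob, oids, ints)
    if not oids:
        raise ValueError("no algorithm OID found")
    return {"algorithms": [NAMES.get(o, o) for o in oids],
            "iterations": ints[0] if ints else None, "legacy": oids[0] == LEGACY}

def der(tag, *parts):  # builds the constructed samples (bodies < 128 bytes, zero fill)
    body = b"".join(parts)
    return bytes([tag, len(body)]) + body

LEGACY_SAMPLE = der(0x30, der(0x30, der(6, H(LEGACY)),
                    der(0x30, der(4, bytes(8)), der(2, b"\x01"))), der(4, bytes(16)))
PBES2_SAMPLE = der(0x30, der(0x30, der(6, H("2a864886f70d01050d")), der(0x30,
    der(0x30, der(6, H("2a864886f70d01050c")), der(0x30, der(4, bytes(8)),
        der(2, H("2710")), der(2, b"\x20"), der(0x30, der(6, H("2a864886f70d0209"))))),
    der(0x30, der(6, H("60864801650304012a")), der(4, bytes(14))))), der(4, bytes(16)))
```

An entry whose first OID is the legacy identifier, or whose iteration count is very low, is one where the master password itself carries almost all of the protection.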

ndebord

Posts: 1122
Joined: December 7th, 2002, 9:53 am

Posted January 25th, 2022, 8:35 am

tanstaafl wrote:
https://bugzilla.mozilla.org/show_bug.cgi?id=1562674
https://bugzilla.mozilla.org/show_bug.cgi?id=973759
https://bugzilla.mozilla.org/show_bug.cgi?id=524403
https://bugzilla.mozilla.org/show_bug.cgi?id=1562683

https://support.mozilla.org/en-US/questions/1249831

It sounds like if you use a master password the individual passwords are encrypted using DES-EDE3-CBC but the master password is encrypted using multiple iterations of SHA-1 (weak).

You might find the Firefox section of https://apr4h.github.io/2019-12-20-Harv ... edentials/ interesting. https://www.reddit.com/r/firefox/commen ... s_firefox/ mentions:

"While NSS switched to AES and more KDF iterations for the modern key4.db late 2019, Firefox hasn't followed for saved logins.

Maybe also because there's no NSS support in the legacy key3.db format or automatic upgrading from low iteration count and < 1% of Firefox users use a master password anyways.

While this work on the old NSS-integration seems to be currently on-hold or just slow after the initial changes and due to COVID-19, Firefox has recently gained OS-integration for password manager protection and plans to eventually use the various operating systems' secret storage mechanisms."


tanstaafl,

Thanks, I wasn't aware of the details of master password encryption. I just started using it with Firefox. I was hoping they had switched to at the very least AES (like TwoFish better, but can't have everything).

Up until now, I have stayed with KeePass 1.39 and kept everything offline with that software. Will have to think about this. 3-DES was good, once upon a time.

Much thanks,

Nick
-N- Si vis pacem, para bellum
FrameWork, SeaMonkey(64-bit),Windows 10 Pro (X64- 21H2), WinPatrol, Malwarebytes & Panda Dome
