Master password in Firefox is weak
Adblock Plus creator Wladimir Palant warns that the Firefox and Thunderbird password managers do not provide much protection against hacking.
Palant wrote that when he looked at the source code of the password managers, he found the sftkdb_passwordToKey() function.
This function converts a password into an encryption key by applying SHA-1 hashing to a string consisting of a random salt and the user’s master password.
“Anybody who ever designed a login function on a website will likely see the red flag here,” said Palant.
He said that SHA-1 hashes are not secure, and that “out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate”.
“The problem here is: GPUs are extremely good at calculating SHA-1 hashes.”
“Judging by the numbers from this article, a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second.”
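The sketch below is an added example, not Mozilla's or Palant's code. It puts the single salted SHA-1 derivation described above beside an iterated one and uses the quoted 8.5 billion hashes per second to estimate how long a password space survives under each. The salt-first ordering, the PBKDF2 parameters and the sample password are assumptions of this example.

```python
import hashlib
import os

SHA1_PER_SECOND = 8.5e9  # single GTX 1080 figure quoted in the article


def weak_key(salt: bytes, master_password: str) -> bytes:
    """One SHA-1 pass over salt + password, as the article describes.
    Salt-first concatenation is an assumption of this example."""
    return hashlib.sha1(salt + master_password.encode("utf-8")).digest()


def stretched_key(salt: bytes, master_password: str, iterations: int = 100_000) -> bytes:
    """Hardened form: PBKDF2-HMAC-SHA1. The iteration count is illustrative."""
    return hashlib.pbkdf2_hmac(
        "sha1", master_password.encode("utf-8"), salt, iterations, dklen=20
    )


def sha1_calls_per_guess(iterations: int) -> int:
    """Approximate attacker cost of one guess, in SHA-1 computations.
    iterations == 0 means the unstretched scheme (one hash per guess);
    PBKDF2-HMAC costs roughly two hash computations per iteration."""
    return 1 if iterations == 0 else 2 * iterations


def seconds_to_exhaust(alphabet: int, length: int, iterations: int = 0) -> float:
    """Time to try every password of the given length at the quoted rate."""
    guesses = alphabet ** length
    return guesses * sha1_calls_per_guess(iterations) / SHA1_PER_SECOND


if __name__ == "__main__":
    salt = os.urandom(20)
    password = "hunter2x"  # constructed sample value
    print("single SHA-1 key :", weak_key(salt, password).hex())
    print("PBKDF2 key       :", stretched_key(salt, password).hex())
    # Eight lowercase letters: the whole space under each scheme.
    print("unstretched: %.1f seconds" % seconds_to_exhaust(26, 8))
    print("100k rounds: %.1f days" % (seconds_to_exhaust(26, 8, 100_000) / 86400))
```

The salt prevents precomputed tables but does nothing for per-guess cost, which is why only the iterated derivation changes the estimate.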