Firefox
Image Courtesy: Mozilla.com

With a desktop market share of 11.5%, Mozilla Firefox is nowhere near Google Chrome, which holds 67.45%, but it is still the second most popular desktop browser. That means a lot of people use Firefox as their default browser, and many of them save their passwords in it, trusting that those passwords are kept out of anyone else's reach.

It has now been found that Firefox protects those saved passwords with an old and weak scheme, one that modern hardware can brute-force in about a minute. The issue was reported by Wladimir Palant, the author of the Adblock Plus extension. For the past nine years, Mozilla's Firefox and Thunderbird have derived the key that protects the saved logins by applying a single round of SHA-1 to the Master Password. A master password is meant to be a second layer of protection, but a single SHA-1 computation is extremely cheap, so an attacker who copies the profile's key database can test billions of candidate passwords per second offline. Password storage is supposed to use a deliberately slow, iterated key derivation function precisely so that each guess costs the attacker far more.

The use of a single fast hash for the master password was first raised with Mozilla nine years ago, when the issue was originally pointed out, but no action was taken at the time.

Mozilla Password Manager
Image Courtesy: Mozilla Support

Palant, after looking into the source code, said: “I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here.”

In response to the report, Mozilla said the problem will be fixed once it rolls out Lockbox, its new password manager. There is still no time frame for that launch. Until then, Firefox users can choose a longer and more complex master password: the derivation stays fast, but a larger search space raises the number of guesses an attacker has to make.
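The derivation Palant describes, and the reason a stronger master password only partly helps, as an added Python example that is not from the article or from Mozilla's NSS code. The salt, master password and wordlist are constructed sample values; the legacy function mirrors the construction SHA-1(salt || password) from the quote rather than NSS's actual implementation; PBKDF2-HMAC-SHA256 at 600,000 iterations is one reasonable hardened choice (the figure follows OWASP's current PBKDF2 guidance and is an assumption about what "slow enough" means).

```python
"""Added example: the weak master-password derivation described in the article
beside a hardened alternative, plus the offline dictionary attack the weakness
enables. Not Mozilla/NSS code; all sample values below are constructed."""
import hashlib
import hmac
import time
from typing import Callable, Iterable, Optional

Kdf = Callable[[bytes, bytes], bytes]

# Constructed sample inputs. In Firefox the salt is a random value stored in the
# profile's key database next to the encrypted logins, so an attacker who copies
# the profile has the salt too; the only secret is the master password itself.
SAMPLE_SALT = bytes.fromhex("9f86d081884c7d659a2feaa0c55ad015")  # 16 bytes, constructed
SAMPLE_MASTER_PASSWORD = b"tr0ub4dor"
# Constructed wordlist standing in for a real cracking dictionary.
WORDLIST = [b"password", b"123456", b"firefox", b"tr0ub4dor", b"letmein", b"correcthorse"]


def legacy_key(salt: bytes, master_password: bytes) -> bytes:
    """One SHA-1 pass over salt || password, the construction Palant describes.
    A single SHA-1 costs nanoseconds, so candidates can be checked as fast as
    the hardware can hash. (Illustration of the scheme, not NSS's own code.)"""
    return hashlib.sha1(salt + master_password).digest()


def hardened_key(salt: bytes, master_password: bytes, iterations: int = 600_000) -> bytes:
    """Deliberately slow KDF: PBKDF2-HMAC-SHA256 with a high iteration count.
    The iteration count is the tunable cost; 600,000 is assumed here as the
    current OWASP recommendation for PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations, dklen=32)


def guess_password(kdf: Kdf, salt: bytes, target_key: bytes,
                   candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack: re-derive the key for each candidate and compare.
    The loop is identical for both KDFs; a slow KDF does not stop a weak password
    from being found, it only multiplies the price of every guess."""
    for candidate in candidates:
        if hmac.compare_digest(kdf(salt, candidate), target_key):
            return candidate
    return None


def seconds_per_guess(kdf: Kdf, salt: bytes, rounds: int = 20) -> float:
    """Rough single-core cost of one guess, to compare the two derivations."""
    start = time.perf_counter()
    for i in range(rounds):
        kdf(salt, b"guess-%d" % i)
    return (time.perf_counter() - start) / rounds


def demo() -> dict:
    """Run the dictionary attack against both derivations and time a guess."""
    target_legacy = legacy_key(SAMPLE_SALT, SAMPLE_MASTER_PASSWORD)
    target_hardened = hardened_key(SAMPLE_SALT, SAMPLE_MASTER_PASSWORD)
    return {
        "legacy_recovered": guess_password(legacy_key, SAMPLE_SALT, target_legacy, WORDLIST),
        "hardened_recovered": guess_password(hardened_key, SAMPLE_SALT, target_hardened, WORDLIST),
        "legacy_s_per_guess": seconds_per_guess(legacy_key, SAMPLE_SALT),
        "hardened_s_per_guess": seconds_per_guess(hardened_key, SAMPLE_SALT, rounds=3),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Both derivations give up the sample password because it is in the wordlist; the difference is the per-guess cost, which the timing figures make visible even on a single CPU core. That is the practical meaning of the article's advice: with the legacy scheme the attacker's speed is fixed by the hardware, so the only lever the user has is a password with a search space large enough that even billions of guesses per second do not exhaust it.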

  • Jasmin452

    Lucky I used LastPass before, and use Cyclonis Password Manager now.