A lot of people use the save password feature in browsers so that they don’t have to be bothered to enter their passwords on websites they visit often. Firefox offered users the option of implementing a master password, so that the user would need to enter that password in order to use their bank of saved passwords.
What was just brought to light is that Firefox protects the master password with a very weak hashing scheme that can be cracked in just a few seconds once the hash is obtained. SHA-1 hashes are used, which are considered very insecure because they are easily broken. Although a salt is used, the article notes that an iteration count of 1 is considered very low and makes it easy for attackers to recover the master password by brute force. For comparison, the article states that 10,000 iterations is considered the minimum acceptable value, and other password managers, such as LastPass, use 100,000 iterations.
What is strange is that someone reported this bug nine years ago, and the Mozilla team never fixed the issue. They did not give a reason for not fixing it, but used the opportunity to generate excitement for their upcoming password manager, Lockbox. According to the post on the bug report, switching to the Argon2 library for hashing passwords would be more secure than SHA-1, but based on the comments above it does not seem that Mozilla wants to invest any resources in fixing this issue. To protect themselves, users can stop using the Firefox password-saving feature, turn off their master password, and store their passwords in a third-party password manager such as KeePass, 1Password, Enpass or LastPass.
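To make the iteration-count point concrete, here is an added example (not code from Firefox, Mozilla or the article) that contrasts a single salted SHA-1 pass with the same primitive stretched through PBKDF2 at 10,000 and 100,000 iterations, and measures how much each guess costs a verifier, and therefore an attacker. The salt, password and the exact one-pass construction are constructed assumptions; the real Firefox format is not reproduced.

```python
import hashlib
import hmac
import os
import time

# Constructed sample inputs; not taken from Firefox or the article.
SALT = os.urandom(16)
MASTER_PASSWORD = b"correct horse battery"


def weak_hash(password: bytes, salt: bytes) -> bytes:
    """One salted SHA-1 pass: models the 'iteration count 1' scheme the post
    describes. Assumed layout salt||password; the real layout is not modelled."""
    return hashlib.sha1(salt + password).digest()


def stretched_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2-HMAC-SHA1: the same SHA-1 primitive, repeated `iterations` times.
    Each extra round multiplies the work an attacker must do per guess."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def verify_master_password(candidate: bytes, salt: bytes, stored: bytes,
                           iterations: int) -> bool:
    """Constant-time comparison so the check itself leaks no timing hint."""
    return hmac.compare_digest(stretched_key(candidate, salt, iterations), stored)


def seconds_per_guess(iterations: int, samples: int = 10) -> float:
    """Average wall-clock cost of one derivation at the given work factor."""
    start = time.perf_counter()
    for i in range(samples):
        stretched_key(b"guess-%d" % i, SALT, iterations)
    return (time.perf_counter() - start) / samples


def slowdown(iterations: int) -> float:
    """How many times more expensive one guess is than the 1-iteration scheme."""
    return seconds_per_guess(iterations) / seconds_per_guess(1)


if __name__ == "__main__":
    stored = stretched_key(MASTER_PASSWORD, SALT, 100_000)
    print("verify ok:", verify_master_password(MASTER_PASSWORD, SALT, stored, 100_000))
    for n in (1, 10_000, 100_000):
        print(f"{n:>7} iterations: {seconds_per_guess(n) * 1e3:8.3f} ms per guess")
```

The printed per-guess cost grows roughly linearly with the iteration count, which is the whole point of the 10,000 and 100,000 figures quoted above: at 1 iteration an attacker who obtains the hash can test guesses about as fast as the hardware can compute SHA-1.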
– Justin Stein