Firefox Master Password Security Issues

A lot of people use the save password feature in browsers so that they don’t have to be bothered to enter their passwords on websites they visit often. Firefox offered users the option of implementing a master password, so that the user would need to enter that password in order to use their bank of saved passwords.

What was just brought to light is that Firefox uses a very low standard of encryption that can be cracked in just a few seconds if the hash is found. SHA-1 hashes were used, which are very insecure as they are easily broken. Although a salt was used, according to the article, 1 iteration count is considered very low, and makes it easy for hackers to obtain the master password through brute force. For comparison, the article provides information that 10,000 iterations is considered the minimum acceptable value, and other password managers, like LastPass, use 100,000 iterations.

What is strange is that someone reported this bug nine years ago, and the Mozilla team just never fixed the issue. They did not provide a reason that they did not fix it, but used the chance to generate excitement for its upcoming password manager called Lockbox. According to the post on the bug report, a solution of switching to the Argon2 library for hashing passwords would be more secure than SHA-1, but based on the above comments it does not seem like Mozilla wants to invest any resources into fixing this issue. In order to protect themselves, users can stop using the Firefox password saving feature and turn off their master password and store their passwords in a third party password manager, such as KeePass, 1Password, Enpass or LastPass.

– Justin Stein



Google to Begin Phasing Out SHA-1

On September 5th, Google announced that it will begin ‘sunsetting’ the SHA-1 cryptographic hash algorithm.  This algorithm was designed almost a decade ago in 2005 and Google is now telling the world that it has not withstood the test of time.  SHA-1 is currently used in SSL encrypted certificate signatures for HTTPS.  This allows a website to encrypt your connection to the site and verify that the site you are connecting to is genuine.

In its statement, Google cites the ease and affordability of collision attacks against SHA-1 for the decision to phase out the algorithm.  Basically, this means that Google is worried that nefarious individuals will engineer certificates that produce the same SHA-1 hash as the legitimate HTTPS certificates.  This would allow these individuals to pose as a legitimate site, such as, in order to scam, phish, or infect users.

How will this problem be fixed?  In the short term, Google will soon be changing the visual security indicator for HTTPS in Chrome to alert users of the issue.  Additionally, Google is looking towards the successor of SHA-1, SHA-2, to replace the outdated cryptographic hash algorithm.  SHA-2 provides substantially more security and is supported by nearly every current operating system and browser.  Google also is not alone in this fight: both Microsoft and Mozilla have announced plans to move away from SHA-1 in the future.

-Tyler Zimmermann