Mozilla Master Password Feature Apparently Not as Secure as It Seems

While the Mozilla Firefox web browser was always regarded as one of the more popular browsers (along with Google Chrome and the many iterations of Microsoft’s web browser), it appears that one of its lauded security features is not as effective as it appears. According to Wladimir Palant, the creator of the AdBlock Plus extension, the encryption mechanism used in Mozilla Firefox and Thunderbird’s “master password” feature can easily be subject to brute force attacks.

The master password feature acts as an encryption key for user password strings saved in the browser or email client. The main issue with the feature is found in its SHA-1 function, which possess an iteration count of 1. This is in contrast with standard industry practices, which use at least 10,000 iterations as a minimum. Given the advancements in GPU technology, the low iteration count allows an attacker to perform brute-force attacks to retrieve the master password, which will allow decryption of the encrypted passwords stored in the Mozilla databases within a minute.

This is not the first time that issues with the master password has emerged — a  bug report from nearly a decade ago pointed out the flaw in the system.

Mozilla is currently in the midst of testing a new password manager codenamed Lockbox, which will provide improved password management and online security. Lockbox, which is available as an extension, is currently in alpha testing.

The Importance of Strong Passwords

Although the implementation of features such as Mozilla’s master password component is laudable, it still has its share of flaws. Thus, users should not just rely on built-in password managers to secure their online accounts, but also ensure that their own credentials are as strong as possible.

Given the emergence of alternative authentication methods such as fingerprint scanners, voice, and even facial recognition systems, it might seem that passwords are on the way out. However, the simplicity and ease of use of password-based systems will always mean that they can thrive – either as a primary or supplementary authentication method. 

One of the most effective ways to minimize any potential compromise of online accounts is to avoid using a single password across different accounts. Although it requires more effort on the part of the user, it also increases overall security. Fortunately, there are ways to store passwords automatically via applications that can store and handle passwords.Of course, this also involves using a master password, which should be as secure as possible – but then again, remembering one complicated password is easier than remembering multiple ones.

Other tips for password creation:

  • Avoid using common or easily-guessable passwords: Common or sequential passwords such as ABCDEFG or 123456 should be avoided, as these are often the first tried when performing brute force attacks.
  • Consider using acronyms to remember passwords: Using different passwords for multiple sites can often lead to confusion. One of the techniques that can be used to remember passwords is to use acronyms that relate to the website in which the account is being used.

Another option for users is to set up two-factor authentication (2FA) for websites and applications that have this feature. 2FA provides an additional layer of security for online accounts that cannot be obtained through passwords alone.


Like it? Add this infographic to your site:
1. Click on the box below.   2. Press Ctrl+A to select all.   3. Press Ctrl+C to copy.   4. Paste the code into your page (Ctrl+V).

Image will appear the same size as you see above.

Posted in Online Privacy