
Firefox Master Password System Has Been Poorly Secured for the Past 9 Years - ekianjo
https://www.bleepingcomputer.com/news/security/firefox-master-password-system-has-been-poorly-secured-for-the-past-9-years/
======
jcranmer
Master passwords have a very narrow threat model that they are actually
protecting against: it's protecting against people who have access to the
password database (i.e., filesystem access) but not people who have access to
ptrace-privileges (i.e., the ability to read the password directly out of
process memory). Which pretty much means the only realistic use case is
someone stole your laptop, but full-disk encryption is a much more relevant
solution.

Mozilla has known for a very long time that the master password system isn't
very effective. Even a decade ago, I remember them recommending not using it.

~~~
vbezhenar
That's why my passwords are in a text file and I consider it fine. If someone breaks
into my machine and I don't notice it, the password will be keylogged anyway. The
only true defense would be hardware-protected external password storage, but
I'm not aware of any.

~~~
pasta
People looking over your shoulders, you sending a screenshot where you forgot
the open file in the background.

I agree a text file is 'secure' enough for you, but a lot of password systems
also hide the password in the UI, which is a pro imho (I use KeePass).

~~~
Ntrails
How often do you send screenshots on the internet without looking at them
before you send? I mean, I know if I screenshot a browser for example some
nerd will comment on all my bookmarks other tabs etc (because if it's someone
else posting the screenshot the nerd is me).

A file in a place not immediately obvious to a casual browser, without obvious
references to what it is, seems broadly fine to me. (I don't bother; instead I
just re-use passwords because I'm a horrible person.)

------
zaarn
While I would generally agree that the master password in Firefox is rather...
non-ideal, to use a friendly term, I think the article is blowing it a bit.

Most users that I know use the master password system in combination with a
very long master password. That should protect against some brute-forcing but
everyone should at best not use the master password at all.

I think Mozilla might be better off by removing the internal password manager
entirely and instead providing an interface for password managers (and ship a
simple one with Firefox that doesn't have password protection; users can
then pick a proper password manager on their own).

~~~
mcintyre1994
Don't most users just stick with the default though? The shipped password
manager going from one with a master password to one without would just mean
most users have less security.

~~~
zaarn
Most users don't use the master password at all so most users will have the
same security.

Users with master password will have to be informed they need to find a new
solution.

~~~
baby
I'm not sure I see the point here, what is the threat model? I guess it does
not include laptop protected by full disk encryption?

~~~
zaarn
The threat model of the master password is usually a variation of "attacker on
your local system".

~~~
yjftsjthsd-h
...who can keylog your master password?

It still makes the attack harder, I grant, but not that much harder.

~~~
s_gourichon
Good point. Nowadays, keylogging the master password is AFAIK easier for an
attacker than tracing processes. This is still current:
[https://blog.invisiblethings.org/2011/04/23/linux-security-c...](https://blog.invisiblethings.org/2011/04/23/linux-security-circus-on-gui-isolation.html)

~~~
zaarn
I wish Linux would implement a modern Secure Attention Mode (it has one but
that kills all processes).

It could be as simple as having a syscall that connects a process directly
with the keyboard and does not let any other process intercept any keyboard
input until the program lets go or times out (180s; after that the program
isn't allowed to get SAM again for another 180s).

~~~
yjftsjthsd-h
I feel that kernel-level handling would get messy. Just to name one thing that
comes to mind: how would you handle multi-seat systems? Oh, or accessibility;
say, there is no physical keyboard, just a touchscreen and onscreen keyboard
that you've just blocked from displaying. Yes, you could handle it, but by the
time you've hit a few of these the code will be... inelegant.

~~~
zaarn
I've actually thought about this for a bit and it's not as complicated.

If a physical keyboard is present, the program is assigned to the keyboard of
the current user's seat (works with sudo since that only sets effective
UID/GID, not real UID/GID).

Additionally, a program with root privileges (or a special CAP) can register
itself as a HID, in which case the SAM captures any HIDs + keyboards of the
current seat.

Any complex setup would therefore be pushed out of the kernel but still
provide reasonable security. An additional edge case can be seen in debuggers,
which can be reasonably circumvented by having the SAM mode provide a few
pages of memory that aren't mapped into any memory but the current process, so
a debugger can't read the password.

A software keylogger would require strict root privileges to circumvent this
system.

------
josefresco
Well, to be fair, no other major browser even _has_ a master password feature.
I think the master password is good to stop "casual" hacking - by friends,
family and/or un-tech-savvy thieves.

~~~
ocdtrekkie
Only the world's most popular browser also has it.
[https://www.ghacks.net/2013/12/04/google-chrome-gets-master-...](https://www.ghacks.net/2013/12/04/google-chrome-gets-master-password-protection/)

~~~
josefresco
Sort of...

The difference being that I can still "use" the passwords without this prompt
(FF does not allow this) and I'm still able to view the entire PW database,
which will show me usernames (but not passwords).

So, in fairness, Chrome has "sort of" implemented this feature (albeit in a
laughably insecure way) and quite obviously has left it to rot (2013?!) on
the digital vine.

------
chengiz
Well, if you don't use a master password, the passwords are available with the
Show passwords button. Firefox's saved passwords feature is not meant to
protect against theft etc. (This is actually annoying to me, but I can't really
flaw the model; people want what they want and the browser needs to provide
it.)

------
blattimwind
This code is actually part of NSS, I wonder whether this affects other
applications using the soft token db in a similar capacity.

[https://dxr.mozilla.org/mozilla-central/source/security/nss/...](https://dxr.mozilla.org/mozilla-central/source/security/nss/lib/softoken/sftkpwd.c#49)

It also processes salt||pw; while that's not a problem per se for password
hashing, I generally prefer unique encodings when hashing multiple fields,
such as len(salt)||salt||len(pw)||pw.

~~~
Yoric
Not sure, but I seem to remember that NSS is also used by Chrome.

~~~
robin_reala
Not any more: they went to their own fork of OpenSSL called BoringSSL.

------
raverbashing
Funny how the solution is always "a new system that's coming very soon"

Instead, they could just have added a for loop

------
lucb1e
This sounded like clickbait when reading the first bit (SHA1+iterations isn't
that bad, as the SHA1 vuln doesn't affect password hashing), but it turns out
the number of iterations is 1. That's not SHA1 "with a low iteration count",
that's just plain SHA1. And no salt it seems.

Pretty bad indeed, but then again: this is a master password you're setting.
The one password to rule them all ought to be strong anyway. If you do that,
it's perfectly safe.
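
Picking up blattimwind's point about salt||pw versus len(salt)||salt||len(pw)||pw and lucb1e's point about a single unsalted SHA-1 pass, here is an added example (my own code, not NSS or Firefox code; the salt and passwords are constructed values). It shows that a bare concatenation cannot tell two different (salt, pw) pairs apart, that a length-prefixed encoding can, and what a salted, iterated derivation looks like next to one SHA-1 pass:

```python
import hashlib
import hmac
import struct

# Added example, not NSS code: encoding ambiguity of salt||pw, the
# length-prefixed fix, and a stretched derivation for comparison.


def naive_sha1(salt: bytes, pw: bytes) -> bytes:
    """One SHA-1 over the bare concatenation salt||pw."""
    return hashlib.sha1(salt + pw).digest()


def length_prefixed(*fields: bytes) -> bytes:
    """Encode each field as len(field)||field (4-byte big-endian length),
    so two different field tuples never produce the same byte string."""
    return b"".join(struct.pack(">I", len(f)) + f for f in fields)


def prefixed_sha1(salt: bytes, pw: bytes) -> bytes:
    """SHA-1 over the unambiguous len(salt)||salt||len(pw)||pw encoding."""
    return hashlib.sha1(length_prefixed(salt, pw)).digest()


def shifted_boundary(salt: bytes, pw: bytes, k: int) -> tuple:
    """Move the first k bytes of pw onto the end of salt: the bytes of
    salt||pw are unchanged, but the (salt, pw) pair is different."""
    return salt + pw[:k], pw[k:]


def concat_collides(salt: bytes, pw: bytes, k: int = 1) -> bool:
    """True when the shifted pair hashes identically under naive_sha1,
    i.e. the bare concatenation cannot distinguish the two inputs."""
    s2, p2 = shifted_boundary(salt, pw, k)
    return (s2, p2) != (salt, pw) and naive_sha1(salt, pw) == naive_sha1(s2, p2)


def prefixed_collides(salt: bytes, pw: bytes, k: int = 1) -> bool:
    """Same check under the length-prefixed encoding (expected: False)."""
    s2, p2 = shifted_boundary(salt, pw, k)
    return prefixed_sha1(salt, pw) == prefixed_sha1(s2, p2)


def stretched(pw: bytes, salt: bytes, iterations: int = 200_000) -> bytes:
    """Salted, iterated derivation (PBKDF2-HMAC-SHA256). Each guess must
    pay the full iteration cost, unlike a single SHA-1 pass."""
    return hashlib.pbkdf2_hmac("sha256", pw, salt, iterations, dklen=32)


def verify(pw: bytes, salt: bytes, expected: bytes, iterations: int = 200_000) -> bool:
    """Constant-time comparison of a candidate password against a stored key."""
    return hmac.compare_digest(stretched(pw, salt, iterations), expected)
```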

~~~
dzek69
> The one password to rule them all ought to be pretty strong anyway.

The problem is that each year definition of "strong password" changes, because
of growing performance of CPUs and GPUs.

"Use a password manager" is always a good solution, I know. But well, who will
remember the super lengthy password for the password manager? ;)

~~~
victor_vhv
You can always use XKCD's password methodology ;)

[https://xkcd.com/936/](https://xkcd.com/936/)

~~~
daurnimator
Not really.... [https://boingboing.net/2014/02/25/choosing-a-secure-password...](https://boingboing.net/2014/02/25/choosing-a-secure-password.html)

~~~
dijit
I really, strongly, disagree with the core argument of this post.

His "solution" is to use shorter passwords. The XKCD method is good if you add
separators, padding, etc., as featured on xkpasswd.net.

I highly recommend generating a password and then adding something unique to
it.

For instance, a password I might generate would be:

$66=mine=BODY=spot=STOP=23$-d1j1t

It's memorable enough, and I highly doubt it's easily crackable. Certainly no
less than 'tlpw2m'.

~~~
KozmoNau7
Even just //44$random$WORDS$11// is effectively just as safe, in the real
world. Especially if you use gibberish words that aren't in any commonly used
dictionary.

------
interfixus
Thank heaven these days we have the KeePassXC browser plugin, finally
obviating even the temptation to rely on flimsy internal browser storage.

UI- and convenience-wise, this is as good as LastPass used to be - and perhaps
still is; I dropped them the day they were sold to some nefarious LockMeIn-entity.

------
unhammer
Huh, first time I've heard of Mozilla Lockbox (
[https://www.bleepingcomputer.com/news/software/firefox-to-ge...](https://www.bleepingcomputer.com/news/software/firefox-to-get-a-better-password-manager/) /
[https://mozilla-lockbox.github.io/lockbox-extension/](https://mozilla-lockbox.github.io/lockbox-extension/) ). That's
great that they're working on a better alternative to the master password
thing; the UI also needed some work (that annoying modal blocking the browser
on every restart).

------
Finnucane
I just _assumed_ that passwords stored in the browser would be vulnerable if
someone got physical access to your computer. So never used that feature.

------
epanchin
I don’t think it’s an unreasonable guess that most people who use a master
password in Firefox do so to prevent family/friends sharing their PC from
easily discovering their passwords.

I can’t imagine them being too concerned with brute force attacks.

------
kup0
It's interesting how little attention this issue received throughout nine
years of time, especially when you see a 5-year gap between updates/comments
on the bug thread.

------
mattcoles
Since Firefox is open source, instead of just waiting for Mozilla engineers to
get around to it, couldn't someone just open a pull request?

~~~
s_gourichon
Sure. Could you just write a patch implementing the solution? I'll then open a
pull request submitting your patch, to save you some work. ;-)

In practice, this only works if you provide _the_ password manager that will
be chosen once and for all.

zaarn's suggestion "providing an interface for password managers" is an
interesting alternative.

~~~
mattcoles
Haha, it was just that the attitude I'm seeing suggests that we're somehow at the
behest of Mozilla engineers and we just have to wait, but that's one of the
great benefits of open source: we really aren't.

And I haven't looked but I imagine changing the encryption algo isn't a huge
task, I wasn't suggesting that a non-Mozilla worker implement something huge
like zaarn's suggestion, which fwiw I think is awesome as I don't use FF
built-in password manager and find it just gets in the way.

~~~
hartator
My guess would be changing the algo is trivial, but ensuring smooth upgrades
is not.

~~~
yoklov
I looked into this a while back and remember about as much. I think it was
also in the category of things that was harder to change with legacy addons
than it is now.

------
sneak
The same was true for GnuPG the last time I looked.

------
Antwan
Dixit the biggest blackmailer of the Internet (cf acceptable ads).

------
dzek69
That's nothing new. At least Thunderbird is full of annoying, even 10-year-old,
bugs. Some important, some just annoying. I bet there are many more hidden
because of security.

