Mozilla has come under fire from the author of AdBlock Plus over its password management on the popular Firefox web browser. Wladimir Palant says the open source browser has a master password bug that is nine-years old. He says a hacker could crack the password in around a minute under the current system.
Palant points out Firefox only uses one iteration of the SHA-1 hash function that encrypt the master password. This limited amount of has encryption is simply not enough. Indeed, in his report, Palant points out at least 100,000 iterations of SHA-1 are needed to combat brute force attacks.
Users are increasingly turning to third-party password management services, but most normal users still use the built-in password protections on browsers. It seems Firefox in its current guise is woefully underprepared for attacks.
“The problem here is: GPUs are extremely good at calculating SHA-1 hashes. Judging by the numbers from this article, a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second.
This article estimates that the average password is merely 40 bits strong, and that estimate is already higher than some of the others. In order to guess a 40 bit password you will need to test 239 guesses on average. If you do the math, cracking a password will take merely a minute on average then.”
The article Palant discusses is this one from Microsoft. Firstly it’s from way back in 2006, so the reference of an average password being at 40 bits is debatable. However, Palant is quick to point out the character length is largely unimportant.
“Whether you have a four characters master password or a ten characters one doesn’t matter much – the latter is an inconvenience to you but usually doesn’t improve security considerably.”