A security researcher has discovered that Firefox has been protecting your stored passwords weakly for the past 9 years, using an outdated scheme which can be cracked by modern GPUs in less than 1 minute.
Firefox and Thunderbird both allow users to set up a Master Password for additional security, and has been using SHA1 for the last 9 years, which is easily cracked.
The flaw was discovered by Wladimir Palant, the author of the AdBlock Plus extension, but interestingly was raised as an issue 9 years ago when it was introduced, but the flaw was never addressed then.
“I looked into the source code,” Palant says, “I eventually found the sftkdb_passwordToKey() function that converts a [website] password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password.”
“Anybody who ever designed a login function on a website will likely see the red flag here,” Palant says.
Palant has now resurrected the bug report, and Mozilla says the issue will be fixed when their new password manager, Lockbox, is introduced in the near future. In the meantime, Firefox users concerned about protecting their data at rest can improve their security by using a longer and more complex master password.