Does anyone know what encryption algorithm is used to protect my Firefox user IDs & passwords on my computer & the bit-length of the Master Password?
I expect to see AES algoritym and at least 256 bit password length (or better) to protect the ID/Password file on my computer. If not, then I will stick with my third-party password manager application.
Chosen solution
Firefox's Master Password implementation has been criticized for only hashing once. An update to the NSS library released last week will now hash 10,000 times by default (if I'm reading the following correctly). Applications can specify a lower value, so I don't know how many iterations Firefox will actually use (performance could be a consideration?). This is expected to roll out in Firefox 72 in January after the completion of beta testing.
- https://developer.mozilla.org/docs/Mozilla/Projects/NSS/NSS_3.48_release_notes#Notable_Changes_in_NSS_3.48
- https://bugzilla.mozilla.org/show_bug.cgi?id=1592007
All Replies (9)
Sorry, PKCS is the basis for HTTPS communications. I am asking about how the the database file for the Firefox ID's and passwords is encrypted. The underlying question I have is "Can I trust the security used to encrypt the password data file or is it just "pretend" security?" If I create a strong password for my financial IDs and the database encryption can be easily decrypted by a hacker, I'm screwed.
FYI - I am using an application called Web Confidential to store my ID/password records. It uses the Blowfish encryption algorithm with a 256 bit master password.
I believe you may find an answer on this thread: https://support.mozilla.org/en-US/questions/1041243 cor-el gives an excellent description of what happens to passwords
It is like playing the game of "Hot & Cold". We are getting "Warm". Identifying the name of the "key file" is good. The question now becomes "How is the key file encrypted?" It cannot be just plain text.
Perhaps someone from the Mozilla staff can answer my question. Do they have a moderator for this forum?
Thank you for your help.
cor-el is a moderator of this forum.
Anyways, here's what firefox says regarding that: "Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer user profile can still see or use them. The Use a Master Password to protect stored logins and passwords article shows you how to prevent this and keep you protected in the event your computer is lost or stolen." ~ https://support.mozilla.org/en-US/kb/password-manager-remember-delete-edit-logins
If you want an exact answer as to how the encryptor / decryptor works, it uses hashes. Taken from https://archive.mozilla.org/pub/firefox/releases/71.0/source/ , here is the firefox-71.0/services/crypto/modules/utils.js on pastebin: https://pastebin.com/URTDppdB
Chosen Solution
Firefox's Master Password implementation has been criticized for only hashing once. An update to the NSS library released last week will now hash 10,000 times by default (if I'm reading the following correctly). Applications can specify a lower value, so I don't know how many iterations Firefox will actually use (performance could be a consideration?). This is expected to roll out in Firefox 72 in January after the completion of beta testing.
Thank you Zack & jsher2000. The last two replies helped a lot.
A hash algorithm was not what I was hoping to see used by Firefox. I can understand the many design requirements that need to be met when implementing security for the IDs & passwords.