We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Does anyone know what encryption algorithm is used to protect my Firefox user IDs & passwords on my computer & the bit-length of the Master Password?

  • 9 respostas
  • 2 have this problem
  • 1 view
  • Last reply by Rich

more options

I expect to see AES algoritym and at least 256 bit password length (or better) to protect the ID/Password file on my computer. If not, then I will stick with my third-party password manager application.

I expect to see AES algoritym and at least 256 bit password length (or better) to protect the ID/Password file on my computer. If not, then I will stick with my third-party password manager application.

Chosen solution

Firefox's Master Password implementation has been criticized for only hashing once. An update to the NSS library released last week will now hash 10,000 times by default (if I'm reading the following correctly). Applications can specify a lower value, so I don't know how many iterations Firefox will actually use (performance could be a consideration?). This is expected to roll out in Firefox 72 in January after the completion of beta testing.

Ler a resposta no contexto 👍 2

All Replies (9)

more options
more options

Sorry, PKCS is the basis for HTTPS communications. I am asking about how the the database file for the Firefox ID's and passwords is encrypted. The underlying question I have is "Can I trust the security used to encrypt the password data file or is it just "pretend" security?" If I create a strong password for my financial IDs and the database encryption can be easily decrypted by a hacker, I'm screwed.

FYI - I am using an application called Web Confidential to store my ID/password records. It uses the Blowfish encryption algorithm with a 256 bit master password.

more options

I believe you may find an answer on this thread: https://support.mozilla.org/en-US/questions/1041243 cor-el gives an excellent description of what happens to passwords

more options

It is like playing the game of "Hot & Cold". We are getting "Warm". Identifying the name of the "key file" is good. The question now becomes "How is the key file encrypted?" It cannot be just plain text.

Perhaps someone from the Mozilla staff can answer my question. Do they have a moderator for this forum?

Thank you for your help.

more options

cor-el is a moderator of this forum.

more options

Anyways, here's what firefox says regarding that: "Even though the Password Manager stores your usernames and passwords on your hard drive in an encrypted format, someone with access to your computer user profile can still see or use them. The Use a Master Password to protect stored logins and passwords article shows you how to prevent this and keep you protected in the event your computer is lost or stolen." ~ https://support.mozilla.org/en-US/kb/password-manager-remember-delete-edit-logins

more options

If you want an exact answer as to how the encryptor / decryptor works, it uses hashes. Taken from https://archive.mozilla.org/pub/firefox/releases/71.0/source/ , here is the firefox-71.0/services/crypto/modules/utils.js on pastebin: https://pastebin.com/URTDppdB

more options

Chosen Solution

Firefox's Master Password implementation has been criticized for only hashing once. An update to the NSS library released last week will now hash 10,000 times by default (if I'm reading the following correctly). Applications can specify a lower value, so I don't know how many iterations Firefox will actually use (performance could be a consideration?). This is expected to roll out in Firefox 72 in January after the completion of beta testing.

more options

Thank you Zack & jsher2000. The last two replies helped a lot.

A hash algorithm was not what I was hoping to see used by Firefox. I can understand the many design requirements that need to be met when implementing security for the IDs & passwords.