Master password in Firefox or Thunderbird? Do not bother!

There is a weakness common to any software letting you protect a piece of data with a password: how does that password translate into an encryption key? If that conversion is a fast one, then you’d better not expect the encryption to hold. Somebody who gets hold of that encrypted data will try to guess the password you used to protect it. And modern hardware is very good at validating guesses.

Case in point: the Firefox and Thunderbird password manager. It is common knowledge that storing passwords there without defining a master password is equivalent to storing them in plain text. While they will still be encrypted in the logins.json file, the encryption key is stored in the key3.db file without any protection whatsoever. On the other hand, it is commonly believed that with a master password your data is safe. Quite remarkably, I haven’t seen any articles stating the opposite.

However, when I looked into the source code, I eventually found the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password. Anybody who ever designed a login function on a website will likely see the red flag here. This article sums it up nicely:

“Out of the roughly 320 million hashes, we were able to recover all but 116 of the SHA-1 hashes, a roughly 99.9999% success rate.”

The problem here is: GPUs are extremely good at calculating SHA-1 hashes. Judging by the numbers from this article, a single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second. And humans are remarkably bad at choosing strong passwords. This article estimates that the average password is merely 40 bits strong, and that estimate is already higher than some of the others. In order to guess a 40-bit password you will need to test 2³⁹ guesses on average. If you do the math, cracking a password will take merely a minute on average then. Sure, you could choose a stronger password. But finding a considerably stronger password that you can still remember will be awfully hard.

Turns out that the corresponding NSS bug has been sitting around for the past 9 (nine!) years. That’s also at least how long software to crack password manager protection has been available to anybody interested. So, is this issue so hard to address? Not really. The NSS library implements the PBKDF2 algorithm, which would slow down bruteforcing attacks considerably if used with at least 100,000 iterations. Of course, it would be nice to see NSS implement a more resilient algorithm like Argon2, but that’s wishful thinking seeing a fundamental bug that didn’t find an owner in nine years.
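To put numbers on that difference, here is an added example (not code from NSS or from the original post) that models the derivation described above as SHA-1 over salt plus password, sets it beside PBKDF2-HMAC-SHA1, and repeats the one-minute estimate for a 40-bit password. The function names are made up for illustration, and the figure of two SHA-1 computations per PBKDF2 iteration is a rough assumption.

```python
import hashlib
import os
import time

GPU_SHA1_PER_SECOND = 8.5e9  # rate quoted above for a single GTX 1080


def single_sha1_key(salt: bytes, password: bytes) -> bytes:
    """Simplified model of the derivation described above: SHA-1(salt + password)."""
    return hashlib.sha1(salt + password).digest()


def pbkdf2_key(salt: bytes, password: bytes, iterations: int = 100_000) -> bytes:
    """PBKDF2-HMAC-SHA1; the default is the iteration count suggested above."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def average_crack_seconds(entropy_bits: float, sha1_per_guess: float = 1.0,
                          sha1_per_second: float = GPU_SHA1_PER_SECOND) -> float:
    """Expected search time: half the keyspace, times the hash cost of one guess."""
    return 2 ** (entropy_bits - 1) * sha1_per_guess / sha1_per_second


def seconds_per_derivation(kdf, rounds: int) -> float:
    """Time one derivation on the local CPU, using constructed sample inputs."""
    salt, password = os.urandom(16), b"constructed sample password"
    start = time.perf_counter()
    for _ in range(rounds):
        kdf(salt, password)
    return (time.perf_counter() - start) / rounds


if __name__ == "__main__":
    fast = seconds_per_derivation(single_sha1_key, 10_000)
    slow = seconds_per_derivation(pbkdf2_key, 5)
    print(f"local CPU: single SHA-1 {fast * 1e6:.2f} us, PBKDF2 {slow * 1e3:.1f} ms")
    # Assumption: one PBKDF2-HMAC-SHA1 iteration costs about two SHA-1 computations.
    costs = {"single SHA-1": 1, "PBKDF2, 100,000 iterations": 200_000}
    for label, cost in costs.items():
        for bits in (40, 59):
            secs = average_crack_seconds(bits, cost)
            print(f"{label}, {bits} bits: {secs:,.0f} s = {secs / 86400:,.1f} days")
```

Under these assumptions the same 40-bit password goes from about a minute to several months of work on one graphics card, without the user having to remember anything longer.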

But before anybody says that I am unfair to Mozilla and NSS here, other products often don’t do any better. For example, if you want to encrypt a file you might be inclined to use OpenSSL command line tools. However, the password-to-key conversion performed by the openssl enc command is even worse than what the Firefox password manager does: it’s essentially a single MD5 hash operation. OpenSSL developers are aware of this issue but:

“At the end of the day, OpenSSL is a library, not an end-user product, and enc(1) and friends are developer utilities and ‘demo’ tools.”

News flash: there are plenty of users out there not realizing that OpenSSL command line tools are insecure and not actually meant to be used.

Update (2020-06-10): The NSS bug has been resolved and the change made it into Firefox 72. The default is now 10,000 iterations which isn’t great but a lot better than where we came from. What I cannot figure out is what happens to existing key files. As I cannot find any migration code, it could be that these are stuck with one iteration and only new profiles get better security.

Comments

  • Caspy7

    You say “do not bother,” but is there not at least merit in deterring casual or unsophisticated actors from accessing your passwords? Say a sibling or roommate who gets on your computer.

    Wladimir Palant

    Yes, I have been a bit provocative in the title. But with the current state it is sufficient that the password manager won’t just show anybody your passwords. Whether you have a four characters master password or a ten characters one doesn’t matter much – the latter is an inconvenience to you but usually doesn’t improve security considerably.

  • Christian Holler

    The Firefox password manager indeed is not as strong as it would be expected nowadays (it also is much much older than any of the techniques you describe). This is why Mozilla is working on the Lockbox extension for Firefox, a new password manager with adequate security and that allows secure syncing via Firefox Sync (which in general guarantees that your data can only be decrypted on your machine(s)). See also https://mozilla-lockbox.github.io/lockbox-extension/ if you want to take a look and contribute! :)

    Wladimir Palant

    As I mentioned in bug 524403, I don’t think that chasing yet another great rewrite will solve any issues. I did have a look a while ago already, but Lockbox has a huge disadvantage: it relies on Firefox Accounts. Should it ever replace the password manager in Firefox, I don’t see its adoption to be too high if that doesn’t change. And if the dependency on FxA is dropped, then it will likely again boil down to securing NSS. Which should really be a no-brainer.

    Wladimir Palant

    Just to make it more clear: I have seen Mozilla kill too many promising projects, so I’ll only believe it when I see it happen. Nobody knows at this point whether Lockbox will ever get a chance to solve any issues or when that might happen. In the meantime, there is nothing wrong with spending an hour to fix what we have right now.

  • Greg

    A quick “fix” would be adding some text to the master password creation dialog telling people to use KeepassXC or another password manager to generate and store their password, and requiring the master password to be at least 25 characters.

    Wladimir Palant

    lol, that’s why people use the password manager :)

  • silf

    If you can crack a SHA1 password with 40 bit under a minute (based on the 8.5 billion SHA1/sec).
    However based on the https://gist.github.com/epixoip/a83d38f412b4737e99bbef804a270c40 this means you can also crack SHA-256 in under 3 minutes. I mean brute force is brute force.
    Did you know that Chrome also uses NSS (on Linux) probably with the same master password complexity?

    Wladimir Palant

    Of course, switching from SHA-1 to SHA-256 isn’t going to improve security in a significant way. Passwords have to be hashed with a slow hashing function, at the very least PBKDF2 with an appropriate number of rounds.

    I know that Chrome uses NSS, but AFAIK not for storing passwords. In fact, Chrome generally doesn’t do master passwords, stating that once your OS account has been breached you already lost. This argument makes sense when you are thinking in terms of security boundaries, yet master passwords still offer value – there aren’t too many people who will perform the clearly illegal action of installing a keylogger on your machine, yet way more won’t mind extracting data from it if they find it unlocked. Either way, while I didn’t look into it closely, I assume that Chrome uses the same mechanism for protecting passwords that they use for cookies. At least on Windows they use an encryption mechanism provided by the OS to encrypt that data. This encryption key is tied to your user account and only available when you are logged in. Whether that’s worse or better than what Firefox provides you with is a matter of discussion.

    Mind you, Chrome is far from perfect of course. See for example my next blog post: https://palant.de/2018/03/13/can-chrome-sync-or-firefox-sync-be-trusted-with-sensitive-data

  • Nicolas

    You are complaining that a key derivation uses a weak primitive. It’s a key derivation function. The salted hash isn’t stored anywhere, so you’re not going to retrieve it to brute force it.

    What is stored is the ciphertext and salt. Where would an attacker get the hash from?

    Whether you’re using MD5 or a bad SHA doesn’t affect that you are deriving a key from a passphrase. Most ciphers require a fixed length key, and using a hash provides a deterministic way to generate a fixed length string.

    “Password-based key derivation in OpenSSL command-line functions could do with some modernization” <- could do not should do.

    Wladimir Palant

    The salted hash is stored in the database, it’s being used to tell you whether the master password you entered is correct. But even if it weren’t, the hash isn’t the only way to do bruteforcing. In order to validate your guess, you can always try to do decrypting – the correct plaintext is an ASN.1 encoded private key. Sure, decrypting would slow the attack down a bit but only insignificantly.

  • Corey

    Why are we surprised that the Firefox master password system is susceptible to decryption when you use a weak master password?

    You said “Sure, you could choose a stronger password. But finding a considerably stronger password that you can still remember will be awfully hard.” I disagree. A longer password – especially a passphrase, with punctuation and all – is not that hard to remember. I don’t think you focused nearly enough on the security difference here. How secure is a 240 bit passphrase in Firefox’s system, for comparison? What about 320 bits? I don’t use Firefox anymore, but when I did, my master password was almost 40 characters long. If such a password is insufficient, then to me that sounds like a bigger deal than it not securing passwords that are shorter than recommended, anyway.

    Wladimir Palant

    You seem to be mistaking passphrase length for password strength. Even if your passphrase is 320 bit long, it typically won’t have that much entropy – usually in the area of 40 bits or slightly more than that. A truly random password would be safe even in this scenario but people cannot remember those. Either way, they shouldn’t have to – there are trivial measures that can be taken to protect against bruteforcing.

  • Ronald M

    Since I forgot my master password for Firefox and it contains some important logins I haven’t backed up as well. Could somebody here please explain in easy steps how I can retrieve it? Thanks a lot! Ronald

    Wladimir Palant

    I guess that you download the cracking software from http://www.securityxploded.com/firemaster.php and run it. It’s linked from the bug report I mentioned, never tried it myself though.

  • Ronald M

    I’ll have to contact them because even their own commandline examples do not work and their gui version only supports wordlists. So for now, until there’s a tool that enables combination attacks (maybe a hashcat mod), a firefox master password is still hard to crack unfortunately :(

  • Chandresh

    Would you have any suggested alternatives to master password here? E.g. a recommended length/complexity of the master password as a minimum? Any other password manager that may be used and integrated with firefox/thunderbird?

    Wladimir Palant

    Obviously, I use my PfP extension myself – that works for Firefox and can generate a long master password for Thunderbird. I’d say that any master password complex enough to keep that graphics card busy for at least a year would be sufficiently secure. This means that 5.4⋅10¹⁷ possible combinations (roughly 59 bits) is your lower bound. The default password complexity for PfP allows for 4.2⋅10³⁰ combinations (more than 100 bits), so that’s actually way more than necessary here.

    Not everybody wants to use my hobby project of course. As far as other password managers go, 1Password is currently the only one I can recommend security-wise.