Mozilla was left red-faced this morning as a software developer discovered a flaw in Firefox and Thunderbird’s password manager which was nine years old.
Wladimir Palant, who developed the Adblock Plus extension, found a red flag when looking through the source code. He discovered the sftkdb_passwordToKey() function that converts a password into an encryption key by means of applying SHA-1 hashing to a string consisting of a random salt and your actual master password.
SHA-1 (Secure Hash Algorithm 1) is a cryptographic hash function which takes an input and produces a 160-bit (20-byte) hash value known as a message digest – typically rendered as a hexadecimal number, 40 digits long. Since 2005 SHA-1 has not been considered secure against well-funded opponents, and since 2010 many organizations have recommended its replacement by SHA-2 or SHA-3.
On his blog, Palant wrote: “Anybody who ever designed a login function on a website will likely see the red flag here. GPUs are extremely good at calculating SHA-1 hashes. A single Nvidia GTX 1080 graphics card can calculate 8.5 billion SHA-1 hashes per second. That means testing 8.5 billion password guesses per second. And humans are remarkably bad at choosing strong passwords.”
Palant then visited Bugzilla to find that the NSS bug had been identified nine years previously.
No tags.
