Developer Wladimir Palant (of Adblock Plus fame) has uncovered a big security weakness in the way Firefox secures browser passwords behind a master password.

Firefox users who save browser passwords without a master key are, in theory, protected from attackers with access to their computer by encryption. The problem is that the key to unlock the logins.json file used to store these passwords can be found in a file called key3.db. This design is secure from only the most casual attacks, as Palant notes: “It is common knowledge that storing passwords there without defining a master password is equivalent to storing them in plain text.”

That is why Mozilla offers users the option to protect passwords behind a master password set through Tools > Privacy & Security > Use a master password. In Firefox’s case, this turns the master password into a hash value by adding a random string to the password (a ‘salt’) and applying the SHA-1 algorithm. Thereafter, when the user enters the master password, the software simply compares a hash of the password entered with the master password’s hash – if the two match, the user has entered the correct password.

The first problem is that the aging SHA-1 is considered weak because, as Palant says, “GPUs are extremely good at calculating SHA-1 hashes.”
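The salted, single-pass SHA-1 check described above can be put beside an iterated key-derivation function to show why hashing speed matters for a master password. This is an added example, not Firefox's or Palant's code: it is a simplified model of the scheme as the article words it, and the PBKDF2 alternative, its iteration count, the function names and the sample password are all assumptions chosen for illustration.

```python
import hashlib
import hmac
import os
import time

# Assumed work factor for the hardened variant; not a value from the article.
PBKDF2_ITERATIONS = 200_000


def weak_hash(password: str, salt: bytes) -> bytes:
    """Scheme as the article describes it: one SHA-1 pass over salt + password."""
    return hashlib.sha1(salt + password.encode("utf-8")).digest()


def strong_hash(password: str, salt: bytes) -> bytes:
    """Hardened alternative: salted, iterated PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS
    )


def verify(hash_fn, candidate: str, salt: bytes, stored: bytes) -> bool:
    """Re-hash the entered password and compare with the stored hash in constant time."""
    return hmac.compare_digest(hash_fn(candidate, salt), stored)


def seconds_per_check(hash_fn, salt: bytes, rounds: int) -> float:
    """Average wall-clock cost of one password check with the given scheme."""
    start = time.perf_counter()
    for i in range(rounds):
        hash_fn(f"sample-{i}", salt)
    return (time.perf_counter() - start) / rounds


def cost_ratio() -> float:
    """How many times more expensive one PBKDF2 check is than one SHA-1 check."""
    salt = os.urandom(16)
    fast = seconds_per_check(weak_hash, salt, 20_000)
    slow = seconds_per_check(strong_hash, salt, 3)
    return slow / fast


if __name__ == "__main__":
    salt = os.urandom(16)                      # constructed sample salt
    stored = weak_hash("correct horse", salt)  # constructed sample password
    print("weak verify ok:", verify(weak_hash, "correct horse", salt, stored))
    print(f"one PBKDF2 check costs ~{cost_ratio():,.0f}x one SHA-1 check on this CPU")
```

The salt is identical in both schemes; only the cost of each check changes, and that cost is the property a fast hash such as SHA-1 lacks.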