The last 9 years Firefox has not protected user passwords carefully

A new cyber security researcher found that during the past 9 years, Firefox has stored user passwords with an outdated process and can be hacked by GPUs in less than 1 minute.

Both Firefox and Thunderbird allow users to set up Master Pasword for greater security, using the SHA1 style code (which is easy to crack) over the past 9 years.

This problem was discovered by Wladimir Palant, the author of the AdBlock Plus extension. But it is worth mentioning that Wladimir mentioned this issue 9 years ago but was not overcome by Mozilla.

The last 9 years Firefox has not protected user passwords carefully Picture 1
The password stored on Firefox turned out to be not safe at all

Palant said: 'I look at the source code and finally find the sftkdb_passwordToKey () function to switch from the password (website) to the encoded character string (key) using the SHA1 code with 1 string of your password and 1 random string. Anyone who has ever designed a login function for a website will see the problem here . '

Palant reiterated the problem and Mozilla said it would fix it when it released a new password management tool, Lockbox. In the meantime, Firefox users who want to secure their data should use a longer and more complex password.

See more:

1. Why should you turn off the Autofill feature in the password manager?
2. 3 golden rules to avoid fake attacks
3. How to use password management Lockbox in Firefox Quantum