Master password should be protected with stronger cryptography
Categories
(Toolkit :: Password Manager, defect, P2)
Tracking
()
People
(Reporter: briansmith, Unassigned)
References
(Blocks 2 open bugs)
Details
(Keywords: sec-want, Whiteboard: [passwords:master-password], [passwords:primary-password])
Reporter | ||
Comment 1•11 years ago
|
||
Reporter | ||
Updated•11 years ago
|
Comment 2•11 years ago
|
||
Reporter | ||
Comment 3•11 years ago
|
||
Comment 4•11 years ago
|
||
Comment 5•11 years ago
|
||
Comment 6•11 years ago
|
||
Comment 7•11 years ago
|
||
Comment 8•11 years ago
|
||
Comment 9•11 years ago
|
||
Reporter | ||
Comment 10•11 years ago
|
||
Comment 12•11 years ago
|
||
Updated•11 years ago
|
Comment 13•11 years ago
|
||
Comment 14•11 years ago
|
||
Updated•11 years ago
|
Comment 15•11 years ago
|
||
Comment 17•10 years ago
|
||
Comment 18•10 years ago
|
||
Comment hidden (off-topic) |
Comment hidden (off-topic) |
Comment hidden (advocacy) |
Comment 22•10 years ago
|
||
Comment 23•10 years ago
|
||
Comment 24•10 years ago
|
||
Updated•9 years ago
|
Comment 25•9 years ago
|
||
Comment 26•9 years ago
|
||
Updated•8 years ago
|
Comment 28•8 years ago
|
||
Updated•7 years ago
|
Comment 29•7 years ago
|
||
Comment hidden (off-topic) |
Comment 31•7 years ago
|
||
Comment 32•7 years ago
|
||
Comment 33•7 years ago
|
||
Comment 34•7 years ago
|
||
Comment hidden (off-topic) |
Comment 37•7 years ago
|
||
Comment 40•7 years ago
|
||
Comment 42•5 years ago
|
||
We are actively looking into improvements for Master Password.
Comment 43•4 years ago
|
||
It's always struck me as a bit odd that the NSS (and therefore TB and Firefox) don't use OS native methods of storing encrypted information. For Thunderbird especially, this would be a VAST improvement over the current NSS roll-your-own. If you can't trust the OS to do it right (KeyChain on macOS, [gnome-]keyring on most *NIX, Credential Manager on Windows), there's no real benefit to a Master Password managed by an individual tool. In fact, it's arguably EASIER to recover passwords out of TB's store with access to the disk than it is to get them out of one of the OS managed approaches.
Has this sort of shift been discussed? Ressult?
Comment 44•4 years ago
|
||
I think this is being worked on, see bug 1463865 and dependencies.
Comment 45•4 years ago
|
||
@43 to be honest tho I kinda like the fact that mozilla keeps its own store (regardless of whether or not there is a master pass), makes migration a LOT easier especially when the OS is unbootable and you cannot trust old people to keep their passwords in one place (which isnt the browser or thunderbird) I mean I can literally copy over the profile and the user can continue as before no changes needed, which is especially helpful in windows to linux migration.
if there would be an OS level password store there should probably be some nice import function to import passwords you ripped out of the old one (if there even are tools for that)
Comment 46•4 years ago
|
||
I agree with what @My1 wrote above in comment #45.
I recently had to re-install my operating system (Debian) and I was able to reload my Firefox data from the backup I kept (by using rsync
). I just sycnhronized my profiles and various ".[configuation]" dot folders and files of the applications I intended to use.
I would like to see Gnome-Keyring integration so that my logging into the desktop would also feed the Firefox master password to Firefox upon my logging in, in the same way that Gnome-keyring handles my saved networking/VPN passwords and GPG keys.
However, I do not want my operating system to be itself saving the store of passwords for my Bugzilla/YouTube/Facebook/forums/etc that Firefox uses. I want Firefox to have a copy in its "dot file" in my profile unlocked by a master password. Having the operating system decrypt a copy of that master password and then feed that master password to Firefox is good, but I can live without it.
But it would be an inconvenience to me to have my operating system handle my log-in credentials for BugZilla/YouTube/Facebook/forums/etc.
PS: I use KeePass (KeePassXC), but it's nice to only have to refer to my KeePass database as a backup infrequently. It is very convenient to have Firefox also remember the passwords that are for websites. Additionally, browser integration with KeePass(XC) is not only redundant, but broken. Firefox never gets tricked, but every integration tool has done dangerous stuff like auto-fill my password into the wrong text box, like a search box. This is a big security issue that has turned me off to having password database programs interact with websites or web browsers.
Updated•3 years ago
|
Comment 47•3 years ago
|
||
@Brian Smith:
"The only strong permission boundary for your password storage is the OS user account."
I must disagree.
A good security concept always relies on several decent security layers.
There are scenarios, where only a second (real) encryption barrier prevents from disaster.
For example, the OS gets infected by a malware/trojan and the user doesn't open Thunderbird, nor enter the master password, up to the point, where the infection is discovered. In this case, all local content in the mail containers stays save, but ONLY, if strong and uncompromised encryption is applied, independet from the underlying OS.
In addition to that, since Thunderbird 78.x, GPG/PGP has been integrated directly into the main program.
This raises the stakes considerably, due to the fact, that the safekeeping of all private keys for decryption and signing of mails now are in the responsibility of Thunderbird's security concept itself, not some external implementation. Mind the disastrous trouble, if anyone non-authorized gets access to private GPG/PGP keys and passphrases of personal or business mail accounts.
You guys should take those factors into account, which obviously requires a significantly better local (nested) encryption layer concept.
Comment 48•3 years ago
|
||
I should add, that, if users do not manually type their passwords, but use a 3rd-party password manager, such as KeePassXC, it should be even more difficult to intercept and compromise TB/FF master password secured content, provided that Mozilla's implementation is up to its own task.
To eliminate the problem of old-fashioned use of the OS' clipboard, I'd suggest integrating a standardized interface, to which external password managers can connect (or vice-versa). This would also prevent the danger of copy-pasting credentials into absolutely wrong places, e. g. in case an OS, such as Windows, yields unexpected task switching functionality.
Perhaps there should be some kind of initial certificate-based application registration and per-use/per-session confirmation functionality in said password managers, to make sure, no unauthorized applications can cross-request credentials.
Btw., how does KeePassXC handle the encryption issue better, in comparison to FF/TB for master password based containers? It comes with a supposedly strong-encryption database container; could this perhaps even be used as an external secure storage for Mozilla?
Updated•2 years ago
|
Comment 49•2 years ago
|
||
The severity field for this bug is relatively low, S3. However, the bug has 3 duplicates, 30 votes and 85 CCs.
:serg, could you consider increasing the bug severity?
For more information, please visit auto_nag documentation.
Comment 50•2 years ago
|
||
The last needinfo from me was triggered in error by recent activity on the bug. I'm clearing the needinfo since this is a very old bug and I don't know if it's still relevant.
Comment 51•2 years ago
|
||
I don't know if it's still relevant.
It's still relevant. If anything, it is worse today than 9 years ago because generally crypto gets weaker over time as horsepower increases.
Description
•