If you use Firefox and save your passwords in the browser, you may know the master password function offered by the Mozilla browser, which is meant to protect all passwords stored in the browser from prying eyes.

As it turns out, for almost a decade Mozilla has been using an encryption scheme for its master password feature that is practically useless today. It can be broken in a minute using brute force.

A ridiculously weak encryption scheme

The master password is supposed to encrypt the stored passwords and protect them from prying eyes. But Firefox uses SHA-1 (Secure Hash Algorithm 1) for this, and the scheme is so weak that a brute-force attack can break it in a moment.

SHA-1 is a hash algorithm, and it has already been demonstrated that it can be broken with brute-force attacks. According to Wladimir Palant, the encryption scheme used by the Firefox master password function has an iteration count of 1, which means that the hash is applied only once, while the industry recommends a minimum of 10,000 iterations, and password managers like LastPass use values of 100,000.
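
To see what the iteration count means in practice, the following added example (not code from Mozilla or from Palant's write-up) times one password-to-key derivation at the three counts mentioned above and calibrates a count for a target cost. It uses PBKDF2-HMAC-SHA1 from Python's standard library as a stand-in key derivation, which is an assumption; the salt and password are constructed sample values.

```python
import hashlib
import time

# Constructed sample values; not taken from any real browser profile.
SALT = bytes(range(16))
PASSWORD = b"constructed-sample-password"

# Iteration counts named in the article.
ITERATION_COUNTS = {"single pass": 1, "recommended minimum": 10_000, "LastPass": 100_000}


def derive_key(password: bytes, salt: bytes, iterations: int) -> bytes:
    """Stretch a password with PBKDF2-HMAC-SHA1 (stand-in KDF, an assumption)."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=20)


def seconds_per_derivation(iterations: int, min_time: float = 0.2) -> float:
    """Average cost of one derivation, which is also the cost of one guess."""
    runs = 0
    start = time.perf_counter()
    while True:
        derive_key(PASSWORD, SALT, iterations)
        runs += 1
        elapsed = time.perf_counter() - start
        if elapsed >= min_time:
            return elapsed / runs


def iterations_for_target(target_seconds: float, probe: int = 10_000) -> int:
    """Iteration count that makes one derivation cost about target_seconds
    on this machine, estimated from a probe run."""
    per_iteration = seconds_per_derivation(probe) / probe
    return max(1, int(target_seconds / per_iteration))


def report() -> dict:
    """Measure each iteration count and print the per-guess cost on one core."""
    results = {}
    for label, count in ITERATION_COUNTS.items():
        cost = seconds_per_derivation(count)
        results[label] = cost
        print(f"{label:>20}: {count:>7} iterations, "
              f"{cost * 1e6:12.1f} us per guess, {1 / cost:12.0f} guesses/s")
    print("iterations for ~100 ms per guess:", iterations_for_target(0.1))
    return results


if __name__ == "__main__":
    report()
```

The guesses-per-second column is the figure that matters: every extra iteration is paid once by the user at unlock time and once per candidate password by anyone brute-forcing the stored data.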

Wladimir Palant, famous for being the author of AdBlock Plus, is not the first to notice the vulnerability in Firefox. In the Mozilla bug tracker there is already an entry reporting the same problem nine years ago, shortly after the master password function was launched.

In all that time Mozilla seems to have had no interest in addressing this problem. Instead, they say that the release of Lockbox, the new password manager planned for Firefox, which still has no exact launch date, will be the solution to the problem. Meanwhile, T2M URL Shortener's recommendation would be not to save passwords in the browser; an independent password manager is a better option, although those are not infallible either.