Closed
Bug 1311233
Opened 8 years ago
Closed 8 years ago
Master Password keyspace 112 bits -- not quantum-proof
Categories
(Firefox :: Security, defect)
RESOLVED
DUPLICATE
of bug 973759
People
(Reporter: jonathan.chiarella, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:49.0) Gecko/20100101 Firefox/49.0
Build ID: 20160928160550

Steps to reproduce:

Create a master password.

Actual results:

The master password is used with 3DES to encrypt the password database.

Expected results:

Firefox and Thunderbird use a Master Password for encrypting saved passwords. The problem is that 3DES has an effective keyspace of 112 bits, cracked on average in 2^111 time. With a quantum computer, the effective keyspace is 56 bits, and can be cracked in 2^55 time (on average).

Everything else I use implements quantum-proofed protections (excepting PGP keys themselves) and to stay above board with US federal requirements, it is necessary to use AEAD or some long digest that can't be easily cracked with the BHT logarithm, it is necessary to use longer key sizes for encryption so that Grover's algorithm won't weaken encryption keys to the point of vulnerability. It has been recommended for years to increase the size of plain hashes used for signatures and audited files to SHA-384 or SHA-512 and use AES256 or Twofish.

Until 3DES is finally laid to rest, I cannot recommend organizational practice of storing passwords in Firefox. Until then, the only options available are to do LUKS full device encryption on every computer (not feasible) or to copy-and-paste all passwords from KeePass(X) every single time someone goes to a website.
Updated•8 years ago
Component: Untriaged → Security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE