Bug 1671759 - RNP-01-006 WP2 Thunderbird: Evaluation of password strength insufficient (Low)
Status: Closed (RESOLVED FIXED); opened 4 years ago, closed 4 years ago
Categories: MailNews Core :: Security: OpenPGP, defect
Tracking: thunderbird_esr78 wontfix, thunderbird83 wontfix
Target Milestone: 84 Branch
People: Reporter: wsmwk, Assigned: mkmelin
Attachments (1 file): patch, 10.22 KB, patrick: review+
It was observed that the password strength evaluation function included in the Thunderbird OpenPGP module is highly insufficient.
Affected File:
comm/mail/extensions/openpgp/content/modules/passwordCheck.jsm
Affected Code:
The entire file constitutes the affected code. The password strength algorithm suffers from the following issues:
- Small “banlist”: A list of roughly 500 banned password items is provided in the COMPLEXIFY_BANLIST variable, which largely has negligible impact on the security of the password evaluation process.
- Insufficient logic: A password evaluation logic based on minimum characters and the “banlist” above is employed. However, this logic meant that the passwords “password123” and “harrypotter” (among others) were deemed secure, despite being some of the most used passwords in the world.
This functionality does not appear to currently be called from anywhere within the extension, therefore there is no practical security impact. Nevertheless, it is still recommended to either address the password strength algorithm’s weaknesses or to remove the code entirely in order to prevent potential future misuse.
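To make the "insufficient logic" finding concrete, here is an added example (not Thunderbird's passwordCheck.jsm, whose code and banlist are not reproduced here): a length-plus-exact-banlist check modelled on the report, beside a check that normalises the candidate before the lookup. The banlist contents, the 8-character floor and the leetspeak table are assumptions.

```javascript
// Constructed stand-in for the ~500-entry COMPLEXIFY_BANLIST; the real list's
// contents are not reproduced here, and "harrypotter" is included on purpose
// so the normalisation step can be seen working (assumption).
const BANLIST = new Set(["password", "123456", "qwerty", "letmein", "harrypotter"]);
const MIN_LENGTH = 8; // assumed threshold, not the module's actual value

// Weak check modelled on the report: minimum length plus an exact banlist
// lookup. Any suffix, capital letter or substitution defeats the lookup, so
// "password123" is accepted.
function weakIsStrong(pw) {
  if (pw.length < MIN_LENGTH) return false;
  return !BANLIST.has(pw);
}

// Canonicalise common mutations before the lookup: lower-case, strip digits
// and symbols padded onto either end, then undo simple leetspeak substitutions.
const LEET = { "0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s", "!": "i" };
function normalize(pw) {
  const trimmed = pw.toLowerCase().replace(/^[\d\W_]+|[\d\W_]+$/g, "");
  return trimmed.replace(/[0134578@$!]/g, (c) => LEET[c]);
}

// Hardened check: same length floor, but the lookup runs on the normalised
// form and also rejects passwords built around a banned word.
function strongerIsStrong(pw) {
  if (pw.length < MIN_LENGTH) return false;
  const norm = normalize(pw);
  // Little or nothing left after stripping: the password was digits/symbols
  // only, or a short banned word wrapped in padding.
  if (norm.length < 4) return false;
  if (BANLIST.has(norm)) return false;
  for (const banned of BANLIST) {
    if (banned.length >= 6 && norm.includes(banned)) return false;
  }
  return true;
}

// Side-by-side verdicts for one candidate password.
function compare(pw) {
  return { weak: weakIsStrong(pw), stronger: strongerIsStrong(pw) };
}

for (const pw of ["password123", "Password", "p4ssw0rd!!", "harrypotter2020!",
                  "1234567890", "correct-horse-battery-staple"]) {
  console.log(pw, compare(pw));
}
```

The hardened variant is still a heuristic; a deployed checker should back it with a large breach-derived list or an estimator such as zxcvbn rather than a few hundred fixed entries.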
Comment 1 (Assignee) • 4 years ago
Actually, this is not used at all in Thunderbird so the whole file can go.
Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Updated by Assignee • 4 years ago
Attachment #9182577 - Flags: review?(patrick)
Updated • 4 years ago
Attachment #9182577 - Flags: review?(patrick) → review+
Comment 2 (Assignee) • 4 years ago
No need to uplift.
Status: ASSIGNED → RESOLVED
Closed: 4 years ago
status-thunderbird83:
--- → wontfix
status-thunderbird_esr78:
--- → wontfix
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Updated by Reporter • 4 years ago
Mentor: alessandro
Updated • 4 years ago
Group: mail-core-security → core-security-release
Updated by Reporter • 3 years ago
Group: core-security-release