Closed Bug 1671759 Opened 4 years ago Closed 4 years ago

RNP-01-006 WP2 Thunderbird: Evaluation of password strength insufficient (Low)

Categories: MailNews Core :: Security: OpenPGP (defect)

Tracking: thunderbird_esr78 wontfix, thunderbird83 wontfix
Status: RESOLVED FIXED
Target Milestone: 84 Branch

People: Reporter: wsmwk, Assigned: mkmelin

Attachments: 1 file

It was observed that the password strength evaluation function included in the Thunderbird OpenPGP module is highly insufficient.

Affected File:
comm/mail/extensions/openpgp/content/modules/passwordCheck.jsm

Affected Code:
The entire file constitutes the affected code. The password strength algorithm suffers from the following issues:

  • Small “banlist”: A list of roughly 500 banned password items is provided in the COMPLEXIFY_BANLIST variable, which largely has negligible impact on the security of the password evaluation process.
  • Insufficient logic: A password evaluation logic based on minimum characters and the “banlist” above is employed. However, this logic meant that the passwords “password123” and “harrypotter” (among others) were deemed secure, despite being some of the most used passwords in the world.

This functionality does not appear to currently be called from anywhere within the extension, therefore there is no practical security impact. Nevertheless, it is still recommended to either address the password strength algorithm’s weaknesses or to remove the code entirely in order to prevent potential future misuse.
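The two findings above (a small exact-match banlist plus a minimum-length rule) can be illustrated side by side. The following is an added example written for this page, not the contents of passwordCheck.jsm or any Thunderbird/Enigmail code: `weakCheck` has the shape the report describes, and `strictCheck` is one possible stricter variant (normalization, substring matching against the banlist, and a crude character-pool entropy estimate). The short `BANLIST` is a constructed stand-in for the roughly 500-entry COMPLEXIFY_BANLIST and the threshold values are assumptions.

```javascript
// Added example, not Thunderbird's passwordCheck.jsm. Shows why an exact-match
// banlist plus a length minimum passes "password123" and "harrypotter".

// Constructed stand-in for the real ~500-entry banlist (assumption).
const BANLIST = ["password", "123456", "qwerty", "letmein", "harry", "potter", "abc123"];
const MIN_LENGTH = 8; // assumed minimum; the report does not state the real value

// Weak variant: reject only if too short or an exact (case-folded) banlist hit.
// "password123" is 11 chars and is not literally in the list, so it passes.
function weakCheck(pw) {
  if (pw.length < MIN_LENGTH) return false;
  return !BANLIST.includes(pw.toLowerCase());
}

// Fold the candidate into a canonical form before comparing with the banlist:
// lower-case, strip leading/trailing digits and symbols, undo common
// leetspeak substitutions. "P@ssw0rd123" and "password123" both map to "password".
function normalize(pw) {
  return pw
    .toLowerCase()
    .replace(/[\d\W_]+$/, "")
    .replace(/^[\d\W_]+/, "")
    .replace(/@/g, "a").replace(/4/g, "a").replace(/3/g, "e")
    .replace(/1/g, "l").replace(/!/g, "i").replace(/0/g, "o")
    .replace(/\$/g, "s").replace(/5/g, "s").replace(/7/g, "t");
}

// Substring match so that concatenations of banned words ("harry"+"potter")
// are caught, not only exact entries.
function containsBanned(pw) {
  const n = normalize(pw);
  return BANLIST.some((w) => n.includes(w));
}

// Crude brute-force entropy estimate: length * log2(size of character pool used).
// This deliberately ignores dictionary structure; the banlist check covers that.
function estimateBits(pw) {
  let pool = 0;
  if (/[a-z]/.test(pw)) pool += 26;
  if (/[A-Z]/.test(pw)) pool += 26;
  if (/\d/.test(pw)) pool += 10;
  if (/[^A-Za-z0-9]/.test(pw)) pool += 33;
  return pool === 0 ? 0 : pw.length * Math.log2(pool);
}

// Stricter variant: length, normalized banlist match, then an entropy floor.
// The 50-bit floor is an assumed policy value, not taken from the report.
function strictCheck(pw, minBits = 50) {
  if (pw.length < MIN_LENGTH) return false;
  if (containsBanned(pw)) return false;
  return estimateBits(pw) >= minBits;
}

// Demonstration on the two passwords named in the finding.
for (const pw of ["password123", "harrypotter", "Tr0ub4dor&3"]) {
  console.log(pw, "weak:", weakCheck(pw), "strict:", strictCheck(pw));
}
```

The normalization step is the part that matters in practice: a banlist only helps if candidates are folded into the same form the list uses, and a substring rather than exact comparison is needed for concatenations and padded variants. Even the stricter variant above is a heuristic; a real deployment would use a much larger breached-password list or a library such as zxcvbn rather than a few hundred entries.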

Actually, this is not used at all in Thunderbird so the whole file can go.

Assignee: nobody → mkmelin+mozilla
Status: NEW → ASSIGNED
Attachment #9182577 - Flags: review?(patrick)
Attachment #9182577 - Flags: review?(patrick) → review+

No need to uplift.

Status: ASSIGNED → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Target Milestone: --- → 84 Branch
Mentor: alessandro
Group: mail-core-security → core-security-release
Group: core-security-release
