02-14-2024 12:13 AM
I encountered this post about my area of interest: https://connect.mozilla.org/t5/discussions/what-s-the-latest-information-about-firefox-sync-password...
They write:
"Due to the recent LastPass breach I was having a conversation about how to store passwords.
Both LastPass and Firefox (Sync) seem to do a similar thing, but I actually don't know what's the last state of things in Firefox. The only article I found is this one that is over 4 years old.
I am not by far a security expert but something that stood out was the use of PBKDF2 which is apparently the security concern in the breach (leak was of encrypted passwords). LastPass says "LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password."
Apparently the OWASP recommendation is to have even more iterations. And yet in the Firefox post mentioned above it says that "We [Firefox] use 1000 rounds of PBKDF2". So something seems off.
It would be great to have a more detailed description of the current implementation that Firefox uses. Maybe a comparison with what other password providers use.
Thanks!"
It received no replies. Can anyone informed tell those reading this comment how many KDF iterations Firefox is currently using?
On a related point, I encountered this regarding persistent weaknesses in the security of the Primary Pass. Has this been rectified? If so, how exactly?
The Primary Pass vulnerability is less concerning to me than how the password vault is secured remotely, since it is within my power to ensure my computers are properly secured physically. However, both are quite of interest to me.
Currently I use Bitwarden AND Firefox Sync for password management. If the Firefox password vault is relatively poorly secured, it would increase my security to use only Bitwarden.
Otherwise I've been really happy with Firefox Sync over the years, including its encrypted password storage.
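As an added example (not from the quoted post, from Mozilla, or from any password manager's code), the following Python script shows what the iteration counts named above actually mean: PBKDF2's cost per guess grows linearly with the count, so 100,100 iterations makes each offline guess against a leaked vault about 100 times more expensive than 1,000 iterations. The 600,000 figure is OWASP's published recommendation for PBKDF2-HMAC-SHA256 and is my own addition, not from the post; the attacker guess rate used in the estimate is an assumed round number for illustration, and the password and salt are constructed.

```python
"""PBKDF2 iteration counts and attacker work factor (constructed example).

Derives keys with PBKDF2-HMAC-SHA256 at the iteration counts quoted in the
post (1,000 and 100,100) and at a larger OWASP-style count, then shows how
the count scales the cost of every offline guess against a leaked vault.
Nothing here reflects Firefox's or LastPass's real implementation.
"""
import hashlib
import os
import time

# Iteration counts named in the post, plus OWASP's PBKDF2-HMAC-SHA256
# recommendation (the 600,000 figure is assumed here, not taken from the post).
ITERATIONS = {
    "firefox_post_2019": 1_000,
    "lastpass": 100_100,
    "owasp_pbkdf2_sha256": 600_000,
}


def derive_key(password: str, salt: bytes, iterations: int, length: int = 32) -> bytes:
    """Derive a vault key from a password with PBKDF2-HMAC-SHA256."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, length)


def relative_work_factor(iterations: int, baseline: int) -> float:
    """How many times more expensive one guess is than at `baseline` iterations.
    PBKDF2 cost is linear in the iteration count, so this is a plain ratio."""
    return iterations / baseline


def seconds_per_guess(iterations: int, samples: int = 3) -> float:
    """Time one derivation on this machine. This is only a rough lower bound on
    an attacker's per-guess cost: GPU crackers run many derivations in parallel."""
    salt = os.urandom(16)
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        derive_key("correct horse battery staple", salt, iterations)
        best = min(best, time.perf_counter() - start)
    return best


def estimate_search_time(iterations: int, guesses: int, guesses_per_second_at_1000: float) -> float:
    """Seconds needed to try `guesses` candidates, given an attacker whose
    measured rate at 1,000 iterations is `guesses_per_second_at_1000`."""
    rate = guesses_per_second_at_1000 / relative_work_factor(iterations, 1_000)
    return guesses / rate


if __name__ == "__main__":
    salt = os.urandom(16)  # constructed; a real vault stores a per-user random salt
    for name, n in ITERATIONS.items():
        key = derive_key("hunter2", salt, n)  # constructed password
        print(f"{name:22s} iters={n:>8,d} key={key.hex()[:16]}... "
              f"x{relative_work_factor(n, 1_000):g} cost vs 1,000 iterations, "
              f"{seconds_per_guess(n) * 1000:.1f} ms/guess on this machine")
    # Assumed attacker rate: 1e9 guesses/s at 1,000 iterations (illustrative, not a benchmark).
    for n in ITERATIONS.values():
        hours = estimate_search_time(n, 2 ** 40, 1e9) / 3600
        print(f"{n:>8,d} iters: 2^40 guesses take ~{hours:.1f} h at the assumed rate")
```

Raising the iteration count only multiplies the attacker's cost by a constant, so the script's numbers also make the other half of the picture clear: a weak primary password falls quickly at any of these counts, while a long random one stays out of reach even at 1,000 iterations. The per-user salt matters for the same reason it does in any vault: it stops one precomputed table from serving every leaked record.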