Developer Wladimir Palant (of Adblock Plus fame) has uncovered a big security weakness in the way Firefox secures browser passwords behind a master password.

Firefox users who save browser passwords without a master key are, in theory, protected by encryption from attackers with access to their computer.

The problem is that the key to unlock the logins.json file used to store these passwords can be found in a file called key3.db.

This design is secure from only the most casual attacks, as Palant notes:

It is common knowledge that storing passwords there without defining a master password is equivalent to storing them in plain text.

Which is why Mozilla offers users the option to protect passwords behind a master password, set through Tools > Privacy & Security > Use a master password.

In Firefox’s case, this turns the master password into a hash value by adding a random string to the password (a ‘salt’) and applying the SHA-1 algorithm.

Thereafter, when the user enters the master password, the software simply compares a hash of the entered password with the stored hash of the master password – if the two match, the user has entered the correct password.

The first problem is that using the aging SHA-1 is considered weak because, as Palant says, “GPUs are extremely good at calculating SHA-1 hashes.”

This is called brute forcing, where the attacker uses a commodity graphics card to calculate huge numbers of possible hashes until a match with the target SHA-1 hash is found.

It sounds like an impossible task, but GPUs can churn through billions of these per second.

The standard technique to increase the time it would take an attacker to brute-force a password hash is to re-apply (or iterate) it.

So, having generated a hash, you add a salt to it and make another hash.

Then you add some salt to the resulting hash and make a hash of that, and so on until you hit a target number of salt+hash iterations (for an in-depth look at this, read our article on how to store your users’ passwords safely).

Any attacker wanting to crack your password hash will have to perform exactly the same number of iterations, with the same salt, to find a match.

Choosing an iteration count is a matter of balancing the inconvenience you’re prepared to inflict on users when they log in against the amount of obstruction you want to put in a password cracker’s way.
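As an added illustration (not Mozilla's or Palant's code), here is the one-round salted SHA-1 the article describes next to an iterated salt+hash chain, a verifier that must repeat the same salt and count, and a rough cost estimate. The chain sha1(salt || previous digest) follows the article's wording rather than Firefox's real key-derivation code; the 10^9 hashes/second rate and the guess count are assumptions, and PBKDF2 from the standard library is shown as the conventional replacement for a hand-rolled chain.

```python
import hashlib
import hmac
import os

def firefox_style_hash(master_password: bytes, salt: bytes) -> bytes:
    """A single SHA-1 pass over salt + password: the one-round scheme the article describes."""
    return hashlib.sha1(salt + master_password).digest()

def iterated_hash(master_password: bytes, salt: bytes, iterations: int) -> bytes:
    """Hash once, then re-hash salt + previous digest until 'iterations' rounds are done.
    With iterations == 1 this is exactly firefox_style_hash. Illustrative chain only;
    production code should use a standard KDF (PBKDF2, scrypt or Argon2)."""
    if iterations < 1:
        raise ValueError("iterations must be at least 1")
    digest = hashlib.sha1(salt + master_password).digest()
    for _ in range(iterations - 1):
        digest = hashlib.sha1(salt + digest).digest()
    return digest

def verify(master_password: bytes, salt: bytes, iterations: int, stored: bytes) -> bool:
    """The verifier must redo the same salt and iteration count; compare in constant time."""
    return hmac.compare_digest(iterated_hash(master_password, salt, iterations), stored)

def cracking_time_seconds(guesses: int, iterations: int, hashes_per_second: float) -> float:
    """Worst-case time for an attacker who must push every guess through the same chain."""
    return guesses * iterations / hashes_per_second

def standard_kdf(master_password: bytes, salt: bytes, iterations: int) -> bytes:
    """The defender's replacement for a hand-rolled chain: PBKDF2-HMAC-SHA256 (32-byte output)."""
    return hashlib.pbkdf2_hmac("sha256", master_password, salt, iterations)

if __name__ == "__main__":
    salt = os.urandom(16)            # constructed: fresh random salt per stored hash
    password = b"correct horse"      # constructed sample master password
    stored = iterated_hash(password, salt, 100_000)
    print(verify(password, salt, 100_000, stored))          # True
    print(verify(b"wrong guess", salt, 100_000, stored))    # False
    # Assumed GPU rate of 1e9 SHA-1/s and a 10^12-guess space:
    print(cracking_time_seconds(10**12, 1, 1e9))            # 1000.0 s with one round
    print(cracking_time_seconds(10**12, 100_000, 1e9))      # 100000000.0 s with 100,000 rounds
```

The iteration count multiplies the attacker's work by the same factor it multiplies the legitimate login cost, which is exactly the trade-off the article describes.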