Is it really so easy to break the Primary Password?
When being prompted for the primary password, I noticed that I can rapidly and endlessly type random combinations and press enter. There seems to never be any delay between wrong password entries. So it seems that even the most primitive application that would try all possible combinations rapidly will break the password in a few hours at most. This does not even require any knowledge of hacking. Is this correct or am I missing something? If that is the case, then the primary password is only worth it when leaving the computer unattended for no more than a few minutes.
All Replies (5)
If you use a PP that can be cracked by a dictionary lookup including some known replacements for characters or some other list of common known passwords then that is at your risk. If you use a random password of sufficient length and strength (uppercase, lowercase, numbers, symbols, other Unicode characters) as shown in the change PP dialog then you should be safe enough. Note that you wouldn't have to use the Password Manager, but you merely need access to logins.json and key4.db to be able to crack the PP.
Note that if you use OS authentication (Windows Hello or biometrics), the logins aren't encrypted at all in logins.json as is done with the Primary Password.
Thanks. I am sorry, but my question was about cracking the password easily without any required knowledge, not the password file. A sequential pass over all the reasonable keys in combinations up to a reasonable length would take, AFAIU, a very short time, without any need to limit the search to dictionary words.
Regarding encryption of logins, I have looked at the file with and without primary password. The file looked the same and passwords were encrypted.
Without a PP the passwords are still encrypted with a basic salt that is stored in key4.db. The PP adds an extra encryption layer, and Firefox 73+ uses stronger encryption (more iterations).
Do you want to file a bug suggesting a delay be added after some number of wrong guesses?
Unfortunately, using a very simple program that I wrote I have proven that this is a serious problem and submitted a bug report.