Lockwise passwords encryption
Mozilla is extremely vague with how passwords are protected, simply stating on their product page that passwords are encrypted while in transit and stored using encryption. Does Mozilla keep the encryption keys and can later access these passwords?? Why so vague?
Chosen solution
Firefox encrypts your data (saved logins and other data) before sending it to the Sync servers. Mozilla does not have a way to decrypt your Sync data.
How Firefox Sync keeps your data safe even if TLS fails
All Replies (4)
nick.b said
Does Mozilla keep the encryption keys and can later access these passwords??
No, they can't.
Chosen Solution
Firefox encrypts your data (saved logins and other data) before sending it to the Sync servers. Mozilla does not have a way to decrypt your Sync data.
jscher2000 said
Firefox encrypts your data (saved logins and other data) before sending it to the Sync servers. Mozilla does not have a way to decrypt your Sync data.
How Firefox Sync keeps your data safe even if TLS fails
Thanks for that. Unfortunately, PBKDF2 with 1000 iterations is extremely weak! To make matters worse, Mozilla is aware of this (meaning they choose weak encryption). [See here]
nick.b said
jscher2000 said
Firefox encrypts your data (saved logins and other data) before sending it to the Sync servers. Mozilla does not have a way to decrypt your Sync data.
How Firefox Sync keeps your data safe even if TLS fails
Thanks for that. Unfortunately, PBKDF2 with 1000 iterations is extremely weak! To make matters worse, Mozilla is aware of this (meaning they choose weak encryption). [See here]
So if I understand that bug, if someone is able to intercept your login to the Firefox Account server (i.e., man in the middle), they could obtain your password by brute force. And the reason it wasn't already strengthened against brute force attack may be concerns about unacceptable performance. I'm not sure what is considered the threshold for acceptable performance.
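The trade-off discussed in this thread (a higher PBKDF2 iteration count slows offline guessing but also slows every login), as an added example that is not part of the thread or Mozilla's code. It assumes HMAC-SHA256 as the PRF; the function names, the 0.25 s login budget and the 40-bit password space are illustrative, and the sample password and salt are constructed.

```python
import hashlib
import time

def stretch(password: bytes, salt: bytes, iterations: int) -> bytes:
    """PBKDF2 key stretching. HMAC-SHA256 is an assumption, not stated in the thread."""
    return hashlib.pbkdf2_hmac("sha256", password, salt, iterations, dklen=32)

def seconds_per_iteration(probe: int = 1000, samples: int = 5) -> float:
    """Best-of-N wall-clock cost of a single PBKDF2 iteration on this machine."""
    best = float("inf")
    for _ in range(samples):
        start = time.perf_counter()
        stretch(b"constructed-sample-password", b"constructed-salt", probe)
        best = min(best, time.perf_counter() - start)
    return best / probe

def calibrate(budget_seconds: float, per_iter: float, floor: int = 1000) -> int:
    """Largest iteration count that fits the login-time budget, never below floor."""
    return max(floor, int(budget_seconds / per_iter))

def exhaust_seconds(entropy_bits: float, iterations: int, per_iter: float,
                    workers: int = 1) -> float:
    """Time to derive a key for every candidate in a 2**entropy_bits password space."""
    return (2.0 ** entropy_bits) * iterations * per_iter / workers

if __name__ == "__main__":
    per_iter = seconds_per_iteration()
    tuned = calibrate(0.25, per_iter)  # 0.25 s budget is an illustrative choice
    rows = (("1000 (figure from the thread)", 1000), ("tuned to 0.25 s budget", tuned))
    for label, n in rows:
        login_ms = n * per_iter * 1000
        days = exhaust_seconds(40, n, per_iter) / 86400
        print(f"{label:30} n={n:>9}  login={login_ms:8.2f} ms  "
              f"40-bit space={days:12.1f} days")
```

The cost to the account owner and the cost per guess scale by the same factor, which is why the acceptable login delay on the slowest supported device ends up setting the iteration count.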