This is mostly background information, it doesn't answer your question completely: When you save a login in Firefox, it is stored in a file in your profile folder named logins.json. If you open that file in a text editor, you will see that the contents of the username and password fields are encrypted. The encryption key is stored in the key4.db file ''in the same folder''. If an attacker obtains both files, then the logins can be decrypted either by another installation of Firefox or by various readily available tools. To protect the logins against this kind of attack, the user needs to discover the option to create a Primary Password. See: [[Use a Primary Password to protect stored logins and passwords]]. Assuming the attacker does not know the primary password, they would need to use brute force to decrypt the passwords. Now we come to your question of the algorithm because it obviously makes a big difference in whether a brute force attack -- if the attacker doesn't have the associated key4.db file or doesn't know the Primary Password -- could succeed in a reasonable amount of time. [cipher + hashing methods TBD] You might also wonder about Firefox Sync. Firefox Sync uses the Firefox Account password to pre-encrypt logins before uploading them to the Sync cloud. This has been heavily tested and widely discussed, so it probably will be easier to find information about this aspect than the local file aspect. See: [[How Firefox Sync keeps your data safe even if TLS fails]].

I don't know whether either of these lists would be relevant, but perhaps you'll get more authoritative responses there: https://groups.google.com/a/mozilla.org/g/dev-security-policy https://groups.google.com/a/mozilla.org/g/dev-tech-crypto