Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

Is it really so easy to break the Primary Password?

  • 5 uphendule
  • 1 inale nkinga
  • 24 views
  • Igcine ukuphendulwa ngu Dor

more options

When being prompt for the primary password, I noticed that I can rapidly and endlessly type random combinations and press enter. There seems to never be any delay between wrong entering of passwords. So it seems that even the most primitive application that would try all possible combinations rapidly, will break the password in few hours for the most. This does not even require any knowledge in hacking. Is this correct or am I missing something? If that is the case, then primary password is only worth when keeping the computer unattended for no more than few minutes.

All Replies (5)

more options

If you use a PP that can be cracked by a dictionary lookup including some known replacements for characters or some other list of common known passwords then that is at your risk. If you use a random password of sufficient length and strength (uppercase, lowercase, numbers, symbols, other Unicode characters) as shown in the change PP dialog then you should be safe enough. Note that you wouldn't have to use the Password Manager, but you merely need access to logins.json and key4.db to be able to crack the PP.

Note that is you would use OS authentication (Windows Hello or biometrics) that the logins aren't encrypted at all in logins.json like is done with the Primary Password.

Helpful?

more options

Thanks. I am sorry but my question was about cracking the password easily without any required knowledge, not the password file. Sequential pass on all the reasonable keys in combinations up to a reasonable length would take AFAIU very short time, without any need to limit the search to dictionary words.

Regarding encryption of logins, I have looked at the file with and without primary password. The file looked the same and passwords were encrypted.

Okulungisiwe ngu Dor

Helpful?

more options

Without PP the passwords are still encrypted with a basic salt that is stored in key4.db. The PP adds an extra encryption layer and Firefox 73+ use stronger encryption (more iterations).

Helpful?

more options

Do you want to file a bug suggesting a delay be added after some number of wrong guesses?

https://bugzilla.mozilla.org/

Helpful?

more options

Unfortunately, using a very simple program that I wrote I have proven that this is a serious problem and submitted a bug report.

Helpful?

Buza umbuzo

Kufanele ulogele ukungena ku-akhawunti yakho ukuze uphendule amaphosti. Uyacelwauqale umbuzo omusha, uma ungekabi nayo i-akhawunti namanje.