https://connect.mozilla.org/t5/discussions/what-s-the-latest-information-about-firefox-sync-password/m-p/21511#M9030 <P>Hello</P><P>Due to the <A href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/" target="_self">recent LastPass breach</A> I was having a conversation about how to store passwords.</P><P>Both LastPass and Firefox (Sync) seems to do a similar thing, but I actually don't know what's the last state of things in Firefox. The only article I found is <A href="https://hacks.mozilla.org/2018/11/firefox-sync-privacy/" target="_self">this one</A>&nbsp; that is over 4 years old.</P><P>I am not by far a security expect but something that stood out was the use of PBKDF2 which is apparently the security concerns in the breach (leak was of encrypted passwords). LastPass says "LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. "</P><P>Apparently the <A href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2" target="_self">OWASP recommendation is to have even more iterations</A> . And yet in the Firefox post mentioned above it says that "&nbsp;We [Firefox] use 1000 rounds of PBKDF2" So something seems off.</P><P>It would be great to have a more detailed description of the current implementation that Firefox uses. Maybe a comparison what what other password providers use.</P><P>Thanks!</P> Fri, 23 Dec 2022 12:02:08 GMT alexj 2022-12-23T12:02:08Z https://connect.mozilla.org/t5/discussions/what-s-the-latest-information-about-firefox-sync-password/m-p/21511#M9030 <P>Hello</P><P>Due to the <A href="https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/" target="_self">recent LastPass breach</A> I was having a conversation about how to store passwords.</P><P>Both LastPass and Firefox (Sync) seems to do a similar thing, but I actually don't know what's the last state of things in Firefox. The only article I found is <A href="https://hacks.mozilla.org/2018/11/firefox-sync-privacy/" target="_self">this one</A>&nbsp; that is over 4 years old.</P><P>I am not by far a security expect but something that stood out was the use of PBKDF2 which is apparently the security concerns in the breach (leak was of encrypted passwords). LastPass says "LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password. "</P><P>Apparently the <A href="https://cheatsheetseries.owasp.org/cheatsheets/Password_Storage_Cheat_Sheet.html#pbkdf2" target="_self">OWASP recommendation is to have even more iterations</A> . And yet in the Firefox post mentioned above it says that "&nbsp;We [Firefox] use 1000 rounds of PBKDF2" So something seems off.</P><P>It would be great to have a more detailed description of the current implementation that Firefox uses. Maybe a comparison what what other password providers use.</P><P>Thanks!</P> Fri, 23 Dec 2022 12:02:08 GMT https://connect.mozilla.org/t5/discussions/what-s-the-latest-information-about-firefox-sync-password/m-p/21511#M9030 alexj 2022-12-23T12:02:08Z