12-23-2022 04:02 AM
Hello
Due to the recent LastPass breach I was having a conversation about how to store passwords.
Both LastPass and Firefox (Sync) seem to do a similar thing, but I actually don't know what the latest state of things is in Firefox. The only article I found is this one, which is over 4 years old.
I am by far not a security expert, but something that stood out was the use of PBKDF2, which is apparently the security concern in the breach (the leak was of encrypted passwords). LastPass says: "LastPass utilizes a stronger-than-typical implementation of 100,100 iterations of the Password-Based Key Derivation Function (PBKDF2), a password-strengthening algorithm that makes it difficult to guess your master password."
Apparently the OWASP recommendation is to have even more iterations. And yet the Firefox post mentioned above says that "We [Firefox] use 1000 rounds of PBKDF2". So something seems off.
It would be great to have a more detailed description of the current implementation that Firefox uses. Maybe a comparison with what other password providers use.
Thanks!
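To make the two iteration counts quoted in the post concrete, here is an added example (not from the post, Firefox or LastPass) that derives keys with PBKDF2-HMAC from Python's standard library and works out what the iteration count buys: each offline password guess costs the attacker one full derivation, so going from 1,000 to 100,100 iterations makes guessing about 100 times slower, and the legitimate user pays that same cost once per login. The password, salt and the attacker's hash rate are constructed sample values; the OWASP figure is deliberately not hard-coded because the post does not quote it.

```python
"""PBKDF2 iteration-count comparison (added example, not from the original post)."""
import hashlib
import time

# Constructed sample values, not real credentials. A real salt must be
# random and unique per user; zeros are used here only for reproducibility.
SAMPLE_PASSWORD = b"correct horse battery staple"
SAMPLE_SALT = b"\x00" * 16

# The two figures quoted in the post (labels are the poster's sources).
ITERATION_PROFILES = {
    "firefox_post_2018": 1_000,    # "We [Firefox] use 1000 rounds of PBKDF2"
    "lastpass_2022": 100_100,      # "100,100 iterations of ... PBKDF2"
}


def derive_key(password: bytes, salt: bytes, iterations: int,
               hash_name: str = "sha256", dklen: int = 32) -> bytes:
    """PBKDF2-HMAC key derivation using hashlib (stdlib, no extra deps)."""
    return hashlib.pbkdf2_hmac(hash_name, password, salt, iterations, dklen)


def time_derivation(iterations: int, hash_name: str = "sha256") -> float:
    """Seconds for one derivation on this machine, i.e. one legitimate login."""
    start = time.perf_counter()
    derive_key(SAMPLE_PASSWORD, SAMPLE_SALT, iterations, hash_name)
    return time.perf_counter() - start


def guesses_per_second(hmac_rate: float, iterations: int) -> float:
    """Offline guess rate for an attacker able to compute `hmac_rate` PBKDF2
    iterations per second (a hypothetical number the caller supplies)."""
    return hmac_rate / iterations


def relative_cost(iterations_a: int, iterations_b: int) -> float:
    """How many times more work per guess profile A costs than profile B."""
    return iterations_a / iterations_b


if __name__ == "__main__":
    hmac_rate = 1e9  # hypothetical attacker throughput, for illustration only
    for name, iters in ITERATION_PROFILES.items():
        print(f"{name:18s} {iters:>8,} iterations  "
              f"login={time_derivation(iters):.4f}s  "
              f"attacker={guesses_per_second(hmac_rate, iters):,.0f} guesses/s")
    print("per-guess cost ratio lastpass/firefox:",
          relative_cost(ITERATION_PROFILES["lastpass_2022"],
                        ITERATION_PROFILES["firefox_post_2018"]))
```

Run it on the machine in question to see the per-login cost of each profile; the attacker-side rate scales with hardware, but the ratio between the two profiles does not.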