Re: Master Password (was Re: What platform features can we kill?)
On 10 October 2013 10:22:13, Michael Lefevre wrote:
> I wouldn't disagree with any of the other reasons, but could you clarify what you mean when you say the cryptography is useless? FireMaster seems to just brute force passwords. Are you just saying that any cryptography that relies on a password is useless, or that something is more broken than that?

Things like https://bugzilla.mozilla.org/show_bug.cgi?id=524403 mean that brute force attacks take much less time than they ought (compared to if we were using a higher iteration count).

On 09/10/2013 22:35, Botond Ballo wrote:
> I use master password. Is there something I can use instead that's more secure?

I'd take a look at something like one of these:

https://lastpass.com/
http://keepass.info/
https://agilebits.com/onepassword

Best wishes,

Ed
___
dev-platform mailing list
dev-platform@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-platform
Re: Master Password (was Re: What platform features can we kill?)
On 10/10/2013 11:22, Michael Lefevre wrote:
>> Master password. The UI is prone to phishing, it causes all sorts of problems because of how we use the log in to the NSS database to implement it, it causes annoying UX for the people that use it, the cryptography used is useless (bing FireMaster), there's hardly any resources to do anything to actually fix any of these problems other than remove it, and it slows down progress on important security features.
>
> I wouldn't disagree with any of the other reasons, but could you clarify what you mean when you say the cryptography is useless? FireMaster seems to just brute force passwords. Are you just saying that any cryptography that relies on a password is useless, or that something is more broken than that?

There's been a fairly long discussion regarding the use of the master password in bug 309807 [Integrate Password Manager with Gnome Keyring Manager]. That didn't really reach a conclusion except for the fact that the current password manager could probably use some improvements in general; somebody even suggested to replace it entirely with the system key-ring where available.

From my POV I'd like to see the master-password go because it's clunky and doesn't really offer much protection but I'd also like to see something more secure and more modern take its place. Secure and easily accessible password storage is a sorely missing feature IMHO.

Gabriele
Master Password (was Re: What platform features can we kill?)
On 09/10/2013 22:00, Brian Smith wrote:
> On Wed, Oct 9, 2013 at 9:01 AM, Gervase Markham wrote:
>> Attack surface reduction works:
>> http://blog.gerv.net/2013/10/attack-surface-reduction-works/
>>
>> In the spirit of learning from this, what's next on the chopping block?
>
> Master password. The UI is prone to phishing, it causes all sorts of problems because of how we use the log in to the NSS database to implement it, it causes annoying UX for the people that use it, the cryptography used is useless (bing FireMaster), there's hardly any resources to do anything to actually fix any of these problems other than remove it, and it slows down progress on important security features.

I wouldn't disagree with any of the other reasons, but could you clarify what you mean when you say the cryptography is useless? FireMaster seems to just brute force passwords. Are you just saying that any cryptography that relies on a password is useless, or that something is more broken than that?

(For what it's worth, things like KeePass and LastPass can use two-factor authentication, and have better UX I think, although the UX is still rather clunky...)

Michael