Instructions for enabling LastPass will vary depending on your web browser, as follows:

Chrome: Go to in your Chrome address bar, then toggle on the switch to enable LastPass.

Firefox: Go to the Menu icon or go to Tools > Add-ons > Extensions > Enable for LastPass.

New Edge: Go to edge://extensions in your Chromium-based Edge address bar.

IMO, Mozilla's choice to base both the encryption key derivation and the login token on the user password used to register the Mozilla identity account weakens the whole scheme. Although it is probably cryptographically safe to generate those tokens from the same information, that safety depends on the assumption that the original login password never leaves the user's computer. However, because it is a web-based login, users will be unaware of this and might enter the password in a phishing attack, or it might be exposed via man-in-the-middle or website script-injection attacks. An attacker who has the login password can both access and decrypt the user's passwords saved in the sync account. Therefore, WEB LOGIN PASSWORDS SHOULD NEVER BE USED FOR DATA ENCRYPTION.

The old Firefox sync encryption scheme had separate login and encryption keys; it is still available in some Firefox-based browsers, for instance PaleMoon. It had very robust encryption, but Mozilla developers thought it was too complicated for users to handle and understand two passwords, and changed to the current scheme. The current scheme has the flaw explained above, but its advanced design would in theory enable the developers to add an (optional) second token to derive an encryption key in Firefox that is not linked to the Mozilla login password.