From 1ef526f0f0ea664518789c5ab73ed9de140714ad Mon Sep 17 00:00:00 2001 From: wolfbeast Date: Wed, 18 Apr 2018 14:05:21 +0200 Subject: Strengthen the use of the Master Password. - Use 30k iterations instead of 1. - Enforce minimum password length of 8 characters. - Adjust strength meter accordingly. This resolves #82. --- security/nss/lib/softoken/sftkpwd.c | 4 ++-- .../locales/en-US/chrome/mozapps/preferences/changemp.dtd | 2 +- toolkit/mozapps/preferences/changemp.js | 12 +++++++++--- toolkit/mozapps/preferences/changemp.xul | 7 ++++--- 4 files changed, 16 insertions(+), 9 deletions(-) diff --git a/security/nss/lib/softoken/sftkpwd.c b/security/nss/lib/softoken/sftkpwd.c index e0d2df9ab..07b6922dc 100644 --- a/security/nss/lib/softoken/sftkpwd.c +++ b/security/nss/lib/softoken/sftkpwd.c @@ -273,7 +273,7 @@ sftkdb_EncryptAttribute(PLArenaPool *arena, SECItem *passKey, RNG_GenerateGlobalRandomBytes(saltData, cipherValue.salt.len); param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt, - 1); + 30000); if (param == NULL) { rv = SECFailure; goto loser; @@ -444,7 +444,7 @@ sftkdb_SignAttribute(PLArenaPool *arena, SECItem *passKey, RNG_GenerateGlobalRandomBytes(saltData, prfLength); /* initialize our pkcs5 parameter */ - param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 1); + param = nsspkcs5_NewParam(signValue.alg, HASH_AlgSHA1, &signValue.salt, 30000); if (param == NULL) { rv = SECFailure; goto loser; diff --git a/toolkit/locales/en-US/chrome/mozapps/preferences/changemp.dtd b/toolkit/locales/en-US/chrome/mozapps/preferences/changemp.dtd index 1cc7b9621..1b1d5ac55 100644 --- a/toolkit/locales/en-US/chrome/mozapps/preferences/changemp.dtd +++ b/toolkit/locales/en-US/chrome/mozapps/preferences/changemp.dtd @@ -9,5 +9,5 @@ - + diff --git a/toolkit/mozapps/preferences/changemp.js b/toolkit/mozapps/preferences/changemp.js index 82dd20128..71664b3e1 100644 --- a/toolkit/mozapps/preferences/changemp.js 
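Review bot: The iteration count 30000 is a bare literal written independently in the sftkdb_EncryptAttribute hunk and again in the sftkdb_SignAttribute hunk at -444, so a later tuning of one call site would silently desynchronise the two; it belongs in one file-scope constant, e.g. `#define SFTKDB_PBE_ITERATION_COUNT 30000` (proposed name) with the call becoming `param = nsspkcs5_NewParam(cipherValue.alg, HASH_AlgSHA1, &cipherValue.salt, SFTKDB_PBE_ITERATION_COUNT);`. A short comment at that definition should record why 30000 was chosen and that it applies only to entries being written; whether entries previously written with a count of 1 still decrypt and verify depends on the count being recovered from the stored parameters in the decrypt/verify paths, which are outside this diff and should be confirmed. The PRF remains HASH_AlgSHA1 in both calls, which is acceptable for PBKDF2 but worth stating in the same comment so the choice is visible to the next reader. Both enclosing functions continue beyond their hunks.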
+++ b/toolkit/mozapps/preferences/changemp.js @@ -167,8 +167,8 @@ function setPasswordStrength() // length of the password var pwlength=(pw.length); - if (pwlength>5) - pwlength=5; + if (pwlength>10) + pwlength=10; // use of numbers in the password @@ -190,7 +190,7 @@ function setPasswordStrength() upper=3; - var pwstrength=((pwlength*10)-20) + (numeric*10) + (numsymbols*15) + (upper*10); + var pwstrength=((pwlength*5)-20) + (numeric*10) + (numsymbols*15) + (upper*10); // make sure we're give a value between 0 and 100 if ( pwstrength < 0 ) { @@ -227,6 +227,12 @@ function checkPasswords() } } + // Never accept short passwords < 8 chars + if (pw1.length < 8) { + ok.setAttribute("disabled", "true"); + return; + } + if (pw1 == pw2) { ok.setAttribute("disabled", "false"); } else diff --git a/toolkit/mozapps/preferences/changemp.xul b/toolkit/mozapps/preferences/changemp.xul index 14d02295e..b316fa42b 100644 --- a/toolkit/mozapps/preferences/changemp.xul +++ b/toolkit/mozapps/preferences/changemp.xul @@ -34,7 +34,7 @@ - +
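Review bot: The new minimum-length guard in checkPasswords only toggles the accept button's disabled state; if setPassword, which lies outside this hunk, does not recheck `pw1.value.length` before calling into the token, the minimum is enforced purely by UI state, and a second check there would make the policy hold however the dialog is accepted. The threshold 8 is a literal here while setPasswordStrength in the -167 hunk hard-codes its own cap of 10 and weight of 5; a single `const MIN_MASTER_PASSWORD_LENGTH = 8;` (proposed name) near the top of the file, used in both functions, keeps the strength meter and the gate in agreement. The comment `// Never accept short passwords < 8 chars` restates the condition; `// Enforce the minimum master password length shown in the dialog` would give the reason instead. Note that the early return also disables OK for an empty new password; if this dialog was previously usable to clear the master password by entering an empty one, that path is now closed here and should be confirmed to remain available elsewhere.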