Andy McKay

Jun 12, 2012

Developer services at Mozilla

Recently there's been more password hashes disclosed from various sites: LinkedIn,, eHarmony. Sadly LinkedIn had passwords that were badly secured on the server.

At Mozilla we've been trying to help on this issue with Persona. This is an identity system for any developer to use on their website. It's designed with privacy, security with a focus on being distributed.

The good thing here is that we can free developers from having to worry about password security. No need to worry about which hashing, salting, crypting, bacon adding method to use, we'll worry about that (it is bcrypt in Persona). The app or site developer can get on with making their site better, knowing their user data is secure. This is helping make the web a better place for users. And that's what we do at Mozilla.

Sadly there's a downside to this and that is that Mozilla is now a juicier target for people wanting to steal users emails and passwords. Fortunately we've got a pretty good development, services, operations and security team looking after all this. And it's all open source. Don't believe me? Take a look at our code or how about the security review? It's developed in the open, with security in mind. Of course, this doesn't mean that one day a security breach won't happen, no-one is invulnerable and assuming it won't happen is the worst thing you can do. If that's the case we can be pretty sure our passwords are pretty hard to crack.

This is and other things in the pipeline are new territories for Mozilla, but things that we have to explore. If we do it well we can provide centralized services that provide privacy and security, whilst providing open solutions others can use and replicate. Especially in areas that are not core to developers main goals of making apps. Areas that are becoming more and more part of the platform every web app developer uses on a day to day basis.

And this is isn't easy, doing these services well is hard. But if Mozilla can strike the appropriate balances and provide distributed open systems, we've got a real chance to make the web more secure and that's better for everyone.