Registered Member
I am using KDE 4.14.2, Chromium browser 47.0.2526.80, Wallet Manager 2.0, Debian 8.2, Linux 3.16.7.
I have just created a new KDE wallet and I want to be sure that when I allow Chromium to save a website password, it is not writing that password unencrypted to my hard drive, but rather is using KDE Wallet to protect my saved passwords from unauthorized access. I can make some educated guesses, but I want to be certain rather than guessing. Thanks very much.
|
If you run man chromium you will see:
So if you run chromium with option --password-store=kwallet it should work explicitly the way you want.
Registered Member
Thank you for your reply. The information you provided is useful, interesting and correct. However, it fails to answer my question. I already know what should be happening. What I want to discover is what actually is happening. The fact that I invoke chromium in a way that seems correct is not confirmation that KDE Wallet is actually working to protect my passwords as expected. My question is how to confirm that chromium is actually doing what it should.
Manager
if you disable the kwallet and then invoke Chromium ................
|
Well, it is happening for me when I do it. So if your chromium build is not modified greatly, it makes sense to work for you too. FYI I am using openSUSE Leap 42.1 with Plasma 5. Actually the default behavior is that chromium will ask you to use the wallet. And to check that your data is stored in the wallet - run KWalletManager, open your wallet with your master password and you will see a folder with the Chromium data.
Registered Member
Yes, I see that is what the man page says, so the --password-store=kwallet should be unnecessary.
Okay, that's a step in the right direction. There is a folder called "Chrome Form Data", with two numbers in parentheses and a sub-folder (or sub-item) named "Passwords". This seems promising and perhaps if I knew more I could interpret the meaning, but after looking at this I am still concerned that chromium may be writing my passwords in the clear somewhere on my hard drive.
I'm afraid I am ignorant of what "................" means in this context. Does it mean
...then chromium will start but display an error dialog? ...then chromium will start but print an error in a terminal window? ...then chromium will start but do something in particular if you try to use a stored password? or something else? I appreciate you all taking the time to answer my question, but even if I could apply these answers, it seems the resulting evidence would be circumstantial. What I am looking for is near certainty that chromium is not storing my passwords in the clear. I am emphasizing the word "not" because merely seeing that kwallet is being used is something different, since chromium could be storing passwords in more than one place. If I knew where chromium stores clear-text passwords, then I could look there to confirm the absence of passwords. That would be one way to do it, but I am hoping there is some more reliable, KDE-native way. Seeing that kwallet is turned on and chromium is using it is useful, but to repeat myself, knowing that is not addressing my concern that notwithstanding kwallet being enabled chromium is nonetheless storing unencrypted passwords on my hard drive. Perhaps I ought to be asking this question in a chromium-specific forum.
Manager
Since your concern is how Chromium handles passwords then yes, a Chromium specific forum would be more appropriate.
|
I am not a chromium developer but I suppose that following common logic: if you explicitly tell it to use KWallet - then it will use KWallet for credential storage and not store them any other way. Otherwise the instructions on the man page would be irrelevant.
Chromium stores login credentials in ~/.config/chromium/Default/Login Data. Maybe you can try deleting or moving this file after switching to KWallet and see if it gets recreated and if you can see any clear text passwords in it if it does.
Registered Member
Okay, that's definitely very useful information to learn about that file. Unfortunately, that file is binary, so it's hard to see what's in it. I moved it, restarted chromium, and in the settings chromium still knew about my passwords. But chromium also recreated that file and the new version is identical to the one I moved. So unless chromium copied the encrypted passwords from the wallet into the newly created clear-text "Login Data" file (which seems much less likely than the bigger risk of chromium leaving already-stored clear-text passwords in that file even after kwallet is enabled), then the passwords were absent from the copy I moved. Thus it seems highly probable that kwallet--and only kwallet--is being used as intended to store chromium passwords. Of course, this is all assuming that you are correct that without kwallet, the "Login Data" file is where chromium stores clear-text passwords. I am ignorant about that, and so I am trusting that your belief about that is true. Unless anyone has a more certain technique I am going to accept that as the best solution. Thanks again!
|
It is SQLite. But I can actually see my passwords in plaintext if I run cat "Login Data".
Registered Member
Ah, so it is. Opening it with sqlite3 I see a table named logins with zero rows. Again, assuming you are correct that this is chromium's unencrypted password store (and I have no reason to doubt you) then this does indeed answer my question. Thanks again!!
|
YW. Just to confirm for myself: What did you find? When KWallet is used, there are no credentials in the SQLite file, just the DB file with zero rows, right?
Registered Member
I did the following: With chromium running normally, i.e., using kwallet, I went to "Settings" -> "Manage Passwords" to get the list of saved passwords. I chose one, made it visible and made a note of it. Then I connected to that website, went to the login page and confirmed I could log in both by typing the password I had seen as well as by letting chromium fill in the password field. Then I went back to the manage passwords window and deleted that password from the list. I logged out of the website and went to the login page and confirmed that chromium left the username/password fields blank. Then I exited chromium. Then I went to KDE "System Settings" -> "Account Details" -> "KDE Wallet" and I un-checked "Enable the KDE wallet subsystem" and clicked the "Apply" button. Then I started chromium with the command:
Then I went back to the website, logged in by typing my password, and when chromium asked if I wanted to save it, I confirmed yes. Then I exited chromium. Then I opened the "Login Data" file with sqlite3. There are three tables in the database: logins, meta, and stats. The stats table is empty. The meta table contains two key-value pairs for version and last_compatible_version respectively. The logins table has one row with the login information for the site in question, including the URL, username and clear-text password. Then I quit sqlite3 and back in "System Settings" I re-enabled the KDE wallet subsystem. Then I started chromium with no command-line options. I went back to the website, logged out, went to the login page, and chromium filled in the username & password form fields. Then I exited chromium and re-opened the "Login Data" database, looked at the logins table, which now had zero rows; the clear-text password and all other information associated with that website was absent. I then quit sqlite3 and started chromium with
and I went to the chromium settings and looked at the stored passwords. The password in question is listed and I can see it by clicking the adjacent "Show" button. Conclusion: It seems very much that when chromium is started to use kwallet, it deletes clear-text passwords out of the "Login Data" file and stores them, presumably, in the KDE wallet. The only way I could be more certain would be to read the chromium source code, or have someone familiar with it tell me about it, which, as has already been observed, is unlikely to happen in this thread. The main danger I see right now is if I start chromium while the KDE wallet subsystem is unknowingly disabled and I save a password thinking it is being encrypted but it isn't. But at least I can minimize that risk by putting the --password-store=kwallet into the settings of the desktop icon that I use to start chromium. Thanks again!
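The manual check described in the post above (exit Chromium, open "Login Data" with sqlite3, look at the logins table for rows and clear-text password values) written up as a small script. This is an added example, not code from the thread, from Chromium or from KDE. It assumes the logins table has columns named origin_url, username_value and password_value, and it runs against constructed stand-in databases rather than a real profile; to use it on a real profile, quit Chromium first and pass the path to ~/.config/chromium/Default/Login Data.

```python
import sqlite3
import string
import tempfile
from pathlib import Path

# Column names assumed from Chromium's "Login Data" logins table
# (assumption for this example; the thread only mentions URL, username, password).
LOGINS_QUERY = "SELECT origin_url, username_value, password_value FROM logins"


def looks_like_plaintext(blob):
    """A non-empty value made only of printable ASCII is the clear-text case the thread worries about."""
    if not blob:
        return False
    printable = set(string.printable.encode())
    return all(b in printable for b in blob)


def inspect_login_data(path):
    """Open a Login Data file read-only and report what its logins table holds.

    Quit Chromium before running this: it keeps the database open while running.
    """
    uri = Path(path).resolve().as_uri() + "?mode=ro"  # as_uri() escapes the space in "Login Data"
    conn = sqlite3.connect(uri, uri=True)
    try:
        cur = conn.cursor()
        tables = sorted(r[0] for r in cur.execute(
            "SELECT name FROM sqlite_master WHERE type='table'"))
        findings = []
        if "logins" in tables:
            for origin, user, pw in cur.execute(LOGINS_QUERY):
                if isinstance(pw, str):  # tolerate TEXT storage as well as BLOB
                    pw = pw.encode()
                pw = pw or b""
                findings.append({
                    "origin": origin,
                    "username": user,
                    "password_bytes": len(pw),
                    "plaintext": looks_like_plaintext(pw),
                })
        return {
            "tables": tables,
            "row_count": len(findings),
            "plaintext_count": sum(1 for f in findings if f["plaintext"]),
            "findings": findings,
        }
    finally:
        conn.close()


def build_sample_db(path, rows):
    """Constructed stand-in for Login Data with the three tables the thread saw (logins, meta, stats)."""
    conn = sqlite3.connect(path)
    with conn:
        conn.executescript("""
            CREATE TABLE logins (origin_url VARCHAR NOT NULL, username_value VARCHAR, password_value BLOB);
            CREATE TABLE meta (key LONGVARCHAR NOT NULL UNIQUE PRIMARY KEY, value LONGVARCHAR);
            CREATE TABLE stats (origin_domain VARCHAR NOT NULL);
            INSERT INTO meta VALUES ('version', '1'), ('last_compatible_version', '1');
        """)
        conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", rows)
    conn.close()


def demo():
    """Run the check over two constructed databases: one with a leaked row, one as KWallet leaves it."""
    results = {}
    with tempfile.TemporaryDirectory() as tmp:
        # Constructed sample: the state the thread saw with the wallet subsystem disabled,
        # plus one row whose value is not printable text (would not be flagged as clear-text).
        leaked = Path(tmp) / "Login Data"
        build_sample_db(leaked, [
            ("https://example.com/login", "alice", b"hunter2"),
            ("https://example.org/login", "bob", bytes(range(16))),
        ])
        results["without_wallet"] = inspect_login_data(leaked)

        # Constructed sample: the state the thread saw with KWallet in use (logins has zero rows).
        clean = Path(tmp) / "Login Data-kwallet"
        build_sample_db(clean, [])
        results["with_wallet"] = inspect_login_data(clean)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label}: tables={r['tables']} rows={r['row_count']} clear-text={r['plaintext_count']}")
```

The printable-ASCII test is only a heuristic for the specific failure the thread describes (a password readable with cat); a row whose value is opaque bytes still deserves a look, which is why the script reports every row and its length rather than only the flagged ones. A logins table with zero rows is the outcome the poster observed once KWallet was re-enabled.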
|
Thanks for explaining.
Please write back here if you find info anywhere else.
You can also set it as a default option in /usr/lib64/chromium/chromium-generic script. The default here is --password-store=detect (which always detects KWallet unless Chromium is explicitly disabled in ~/.config/kwalletrc). Speaking of danger - I don't think this is the main danger. Actually it is not a problem at all unless you have local spyware. I rather see as a potential security issue the fact that chromium and other apps use the same wallet. Considering that chromium gets access to all other passwords (e.g. LAN or other SSH credentials) and that it is an Internet application that can get buggy in any release, that makes the whole use of KWallet somewhat questionable. I have asked about that in another thread and also in openSUSE forums but it seems nobody can give an answer. The possibility of using different wallets seems practically impossible to use. I might actually file a bug report about that.
Registered Member
Or your computer gets stolen.
Wow, that's some serious food for thought. When KDE told me to use the wallet, I just assumed it would be doing things intelligently, but your explanation is making me rethink that assumption. Thank you for that valuable "heads up."