This forum has been archived. All content is frozen. Please use KDE Discuss instead.

KWallet should open automatically after login

Fri13
murrayy wrote: I don't get it. What's the problem if my login password is secure enough?


Social Engineering. If you use one and the same password for all places, it ain't securing your other accounts where you use it. Because only one of these many places needs to be cracked and they get inside any other service where you use that one password.

Even if you had an over 128 long password, it would still be a risk if you have it in all places. But that 128 long password is harder to remember than >16 <18, but usually when a user needs to use a password many times a day (login, websites etc.) the user selects only one, and even if it is built with a-z, A-Z, 0-9 and !-? marks, it ain't secure if it is used in more than one place.

It's like using the same PIN number for your SIM card, your VISA card, your home security system and for some other thing. If someone finds it, they have total access to all those. A wise person uses a different password for every different place. Even for login and kwallet.
GilesBathgate
Fri13 wrote: Social Engineering. If you use one and the same password for all places, it ain't securing your other accounts where you use it. Because only one of these many places needs to be cracked and they get inside any other service where you use that one password.

Even if you had an over 128 long password, it would still be a risk if you have it in all places. But that 128 long password is harder to remember than >16 <18, but usually when a user needs to use a password many times a day (login, websites etc.) the user selects only one, and even if it is built with a-z, A-Z, 0-9 and !-? marks, it ain't secure if it is used in more than one place.

It's like using the same PIN number for your SIM card, your VISA card, your home security system and for some other thing. If someone finds it, they have total access to all those. A wise person uses a different password for every different place. Even for login and kwallet.


Yes, very good points. Single-sign-on is less secure than multiple-sign-on. I don't think anybody would disagree with that.

Also, using the same password for all accounts is less secure than using different passwords for each account.

Also, leaving your box with a telnet daemon running with root access is less secure than....

If I want to use such features, (features which make my life easier). If I understand the security risks involved, and I am happy that I will not be letting my secrets into the wrong hands. Why should I not be allowed to let my login credentials open my default kwallet?

If the same stance had been taken when the devs were writing KDM there would never have been the "auto-login" feature.

Of course it goes without saying that this feature should be optional, and disabled by default.

Last edited by GilesBathgate on Thu Apr 16, 2009 1:17 pm, edited 1 time in total.
Madman
This is actually an issue I have with the Twitter plasmoid:
When I log on, I've got the wallet password dialogue given to me. OK, so I enter my wallet password. Then I get another, because it's set to auto-close when the last application stops using it. Uuh! Fine. However, now, if I set my wallet to close every 5 minutes, then I get a dialogue every 5 minutes to open it. GAH!
I'd honestly prefer if this plasmoid just stored the wallet password (or better, the twitter password) in /tmp and be done with it! At least I can be safe more discreetly.


Madman, proud to be a member of KDE forums since 2008-Oct.
murrayy
GilesBathgate wrote:Yes, very good points. Single-sign-on is less secure than multiple-sign-on. I don't think anybody would disagree with that.

Also, using the same password for all accounts is less secure than using different passwords for each account.

Also, leaving your box with a telnet daemon running with root access is less secure than....

If I want to use such features, (features which make my life easier). If I understand the security risks involved, and I am happy that I will not be letting my secrets into the wrong hands. Why should I not be allowed to let my login credentials open my default kwallet?

If the same stance had been taken when the devs were writing KDM there would never have been the "auto-login" feature.

Of course it goes without saying that this feature should be optional, and disabled by default.


That's what I was talking about!
vespas
I agree with this feature. The scenario I am thinking of is the following: I login and am immediately asked for the kwallet password (for networkmanager to connect to wifi). Since I have just typed my login password, I see this as unnecessary. However, there is a need for a kwallet password i) to encrypt the wallet and ii) to not allow anyone using my pc to e.g. impersonate me with kopete. If I allow somebody else to use my pc for a short time, I expect the applications linked to kwallet to not be accessible if the wallet is closed. So I am not aiming for total security, but for 'social engineering' level security if you like :)

vespas
christoph
I also agree.
Even if single-sign on or Kwallet opening automatically is less secure than having a different Kwallet password, it is more secure than having no Kwallet password (because then the files aren't encrypted). But, having no password is exactly what many people (also stated here) do in order to have Kwallet auto-open.
Thus, a (by default disabled) "auto-open" option would increase security.
TheBlackCat
It might be worthwhile having the ability to set different policies for different applications. For instance if I use the gmail-notifier plasmoid I have to open my wallet immediately on sign-on anyway because it uses kwallet to store the password. However, if it then tries to open gmail it should ask for the password. Similarly, akonadi could be running in the background without asking for a password, but if you actually want to see something from akonadi then you need to provide a password. I would also like smb4k to automatically open my wallet so it can load my samba shares when I login. I don't want all my passwords to be open immediately upon login, but allowing some to be would be useful.


Man is the lowest-cost, 150-pound, nonlinear, all-purpose computer system which can be mass-produced by unskilled labor.
-NASA in 1965
ferry
Anything happening here?

When I log in to my netbook, it tries to automatically connect to the access point.

Then it asks to open the wallet for which it needs my password. Which is the same as my login password. And then it waits....

Come on! I want to *automatically* login. And no, I don't want to leave the password of the access point unencrypted in my users folder.
balevas
ferry wrote: Come on! I want to *automatically* login. And no, I don't want to leave the password of the access point unencrypted in my users folder.


Exactly! KDE wallet asking for the same password right after login is the single most annoying thing about KDE. I just cannot understand why there's no _option_ for the KDE wallet to behave like Gnome keyring when the user wants to use the login password with the default wallet.
tcamdg
balevas wrote:
ferry wrote: Come on! I want to *automatically* login. And no, I don't want to leave the password of the access point unencrypted in my users folder.


Exactly! KDE wallet asking for the same password right after login is the single most annoying thing about KDE. I just cannot understand why there's no _option_ for the KDE wallet to behave like Gnome keyring when the user wants to use the login password with the default wallet.

I use full-disk encryption with a very strong pass phrase. I can't remember if I encrypted ~/ during setup but my login password is decent. I'd rather just have a keyring that stores passwords/phrases to automatically login to Kopete, decrypt an external drive, etc. Ideally the keyring should protect passwords from unauthorized access (of course).

The current state of affairs is more of a nuisance than anything.
kermit11
A 3 year old annoying problem which is seriously easy to fix and still no change???
jackyalcine
kermit11 wrote:A 3 year old annoying problem which is seriously easy to fix and still no change???


It's simple, just remove the password from the KWallet configuration file you don't want to use a password with and go.
Murz
Anyone who is interested in this feature can vote and post in this bug: https://bugs.kde.org/show_bug.cgi?id=92845
It would be good to see this feature in the KDE 5.0 release.
chuckc
you can set kdm to auto-login in kde settings

that way you only have to enter your password once, the wallet

:)
Murz
chuckc wrote:you can set kdm to auto-login in kde settings
that way you only have to enter your password once, the wallet
:)

So after this step you get a secure kwallet, but lose all security for the home folder and everything else - very good way! :D
My system login password is already secured and it is stored securely in the system (SHA+salt in shadow file).

So what is the problem with using the same password from my login in KDE Wallet?

We can easily get it via a PAM module, here is a working solution: http://linux.eregion.de/2013/10/26/kwal ... n-at-last/

If the user wants, they can enable this module, if not - disable it, what is the problem?

Why do you want to force all users to enter the password twice on each login? After this, many users use KWallet without a password (so as not to enter the password twice) and save passwords unsecured, you think that this is better?

