How to confirm that Chromium is storing passwords securely?

mackler
Registered Member
Posts
7
Karma
0
I am using KDE 4.14.2, Chromium browser 47.0.2526.80, Wallet Manager 2.0, Debian 8.2, Linux 3.16.7.

I have just created a new KDE wallet and I want to be sure that when I allow Chromium to save a website password, it is not writing that password unencrypted to my hard drive, but rather is using KDE Wallet to protect my saved passwords from unauthorized access.

I can make some educated guesses, but I want to be certain rather than guessing. Thanks very much.
anonymousleopard
Karma
0
If you run man chromium you will see:

Code:
--password-store=<basic|gnome|kwallet>
              Set the password store to use.  The default is to automatically detect based on the desktop environment.  basic selects the built in, unencrypted password store.  gnome selects Gnome keyring.  kwallet selects (KDE) KWallet.  (Note that KWallet may not work reliably outside KDE.)

So if you run chromium with option --password-store=kwallet it should work explicitly the way you want.
mackler
Registered Member
Posts
7
Karma
0
it should work


Thank you for your reply. The information you provided is useful, interesting and correct.

However, it fails to answer my question. I already know what should be happening. What I want to discover is what actually is happening.

The fact that I invoke chromium in a way that seems correct is not confirmation that KDE Wallet is actually working to protect my passwords as expected.

My question is how to confirm that chromium is actually doing what it should.
google01103
Manager
Posts
6668
Karma
25
if you disable the kwallet and then invoke Chromium ................
    Start System settings.
    Open Account Details.
    Go to the "KDE Wallet" tab.
    Uncheck Enable the KDE Wallet subsystem.
    Click Apply to apply the changes and close the settings window.
10.10 - How to disable KDE Wallet? - Ask Ubuntu
askubuntu.com/questions/47216/how-to-disable-kde-wallet


OpenSuse Leap 42.1 x64, Plasma 5.x

anonymousleopard
Karma
0
mackler wrote:However, it fails to answer my question. I already know what should be happening. What I want to discover is what actually is happening.


Well, it is happening for me when I do it. So if your chromium build is not modified greatly, it makes sense to work for you too. FYI I am using openSUSE Leap 42.1 with Plasma 5. Actually the default behavior is that chromium will ask you to use the wallet.

And to check that your data is stored in the wallet - run KWalletManager, open your wallet with your master password and you will see a folder with the Chromium data.
mackler
Registered Member
Posts
7
Karma
0
heyjoe wrote:
Actually the default behavior is that chromium will ask you to use the wallet.

Yes, I see that is what the man page says, so the --password-store=kwallet should be unnecessary.
heyjoe wrote:
And to check that your data is stored in the wallet - run KWalletManager, open your wallet with your master password and you will see a folder with the Chromium data.

Okay, that's a step in the right direction. There is a folder called "Chrome Form Data", with two numbers in parentheses and a sub-folder (or sub-item) named "Passwords". This seems promising and perhaps if I knew more I could interpret the meaning, but after looking at this I am still concerned that chromium may be writing my passwords in the clear somewhere on my hard drive.
google01103 wrote:
if you disable the kwallet and then invoke Chromium ................

I'm afraid I am ignorant of what "................" means in this context.

Does it mean
    ...then chromium will fail to start?
    ...then chromium will start but display an error dialog?
    ...then chromium will start but print an error in a terminal window?
    ...then chromium will start but do something in particular if you try to use a stored password?
    or something else?

I appreciate you all taking the time to answer my question, but even if I could apply these answers, it seems the resulting evidence would be circumstantial. What I am looking for is near certainty chromium is not storing my passwords in the clear. I am emphasizing the word "not" because merely seeing that kwallet is being used is something different, since chromium could be storing passwords in more than one place.

If I knew where chromium stores clear-text passwords, then I could look there to confirm the absence of passwords. That would be one way to do it, but I am hoping there is some more reliable, KDE-native way. Seeing that kwallet is turned on and chromium is using it is useful, but to repeat myself, knowing that is not addressing my concern that notwithstanding kwallet being enabled chromium is nonetheless storing unencrypted passwords on my hard drive. Perhaps I ought to be asking this question in a chromium-specific forum.
google01103
Manager
Posts
6668
Karma
25
mackler wrote:<snip> Perhaps I ought to be asking this question in a chromium-specific forum.


since your concern is how Chromium handles passwords then yes a Chromium specific forum would be more appropriate


OpenSuse Leap 42.1 x64, Plasma 5.x

anonymousleopard
Karma
0
I am not a chromium developer but I suppose that following common logic: if you explicitly tell it to use KWallet - then it will use KWallet for credential storage and not store them any other way. Otherwise the instructions on the man page would be irrelevant.

Chromium stores login credentials in ~/.config/chromium/Default/Login Data

Maybe you can try deleting or moving this file after switching to KWallet and see if it gets recreated and if you can see any clear text passwords in it if it does.
mackler
Registered Member
Posts
7
Karma
0
heyjoe wrote:
Chromium stores login credentials in ~/.config/chromium/Default/Login Data

Maybe you can try deleting or moving this file after switching to KWallet and see if it gets recreated and if you can see any clear text passwords in it if it does.


Okay, that's definitely very useful information to learn about that file.

Unfortunately, that file is binary, so it's hard to see what's in it. I moved it, restarted chromium, and in the settings chromium still knew about my passwords. But chromium also recreated that file and the new version is identical to the one I moved. So unless chromium copied the encrypted passwords from the wallet into the newly created clear-text "Login Data" file (which seems much less likely than the bigger risk of chromium leaving already-stored clear-text passwords in that file even after kwallet is enabled), then the passwords were absent from the copy I moved. Thus it seems highly probable that kwallet--and only kwallet--is being used as intended to store chromium passwords.

Of course, this is all assuming that you are correct that without kwallet, the "Login Data" file is where chromium stores clear-text passwords. I am ignorant about that, and so I am trusting that your belief about that is true.

Unless anyone has a more certain technique I am going to accept that as the best solution. Thanks again!
anonymousleopard
Karma
0
mackler wrote:Unfortunately, that file is binary, so it's hard to see what's in it.


It is SQLite. But I can actually see my passwords in plaintext if I run cat "Login Data".
mackler
Registered Member
Posts
7
Karma
0
heyjoe wrote:
It is SQLite.


Ah, so it is. Opening it with sqlite3 I see a table named logins with zero rows. Again, assuming you are correct that this is chromium's unencrypted password store (and I have no reason to doubt you) then this does indeed answer my question.

Thanks again!!
anonymousleopard
Karma
0
mackler wrote:
heyjoe wrote:
It is SQLite.


Ah, so it is. Opening it with sqlite3 I see a table named logins with zero rows. Again, assuming you are correct that this is chromium's unencrypted password store (and I have no reason to doubt you) then this does indeed answer my question.

Thanks again!!


YW.
Just to confirm for myself: What did you find? When KWallet is used, there are no credentials in the SQLite file, just the DB file with zero rows right?
mackler
Registered Member
Posts
7
Karma
0
heyjoe wrote:
Just to confirm for myself: What did you find? When KWallet is used, there are no credentials in the SQLite file, just the DB file with zero rows right?


I did the following:

With chromium running normally, ie, using kwallet, I went to "Settings" -> "Manage Passwords" to get the list of saved passwords. I chose one, made it visible and made a note of it.

Then I connected to that website, went to the login page and confirmed I could log in both by typing the password I had seen as well as by letting chromium fill in the password field.

Then I went back to the manage passwords window and deleted that password from the list. I logged out of the website and went to the login page and confirmed that chromium left the username/password fields blank.

Then I exited chromium.

Then I went to KDE "System Settings" -> "Account Details" -> "KDE Wallet"
and I un-checked "Enable the KDE wallet subsystem" and clicked the "Apply" button.

Then I started chromium with the command:
Code:
chromium --password-store=basic

Then I went back to the website, logged in by typing my password, and when chromium asked if I wanted to save it, I confirmed yes.

Then I exited chromium.

Then I opened the "Login Data" file with sqlite3. There are three tables in the database: logins, meta, and stats. The stats table is empty. The meta table contains two key-value pairs for version and last_compatible_version respectively.

The logins table has one row with the login information for the site in question, including the URL, username and clear-text password.

Then I quit sqlite3 and back in "System Settings" I re-enabled the KDE wallet subsystem.

Then I started chromium with no command-line options.

I went back to the website, logged out, went to the login page, and chromium filled in the username & password form fields.

Then I exited chromium and re-opened the "Login Data" database, looked at the logins table, which now had zero rows; the clear-text password and all other information associated with that website was absent.

I then quit sqlite3 and started chromium with
Code:
chromium --password-store=kwallet

and I went to the chromium settings and looked at the stored passwords. The password in question is listed and I can see it by clicking the adjacent "Show" button.

Conclusion

It seems very much that when chromium is started to use kwallet, it deletes clear-text passwords out of the "Login Data" file and stores them, presumably, in the KDE wallet. The only way I could be more certain would be to read the chromium source code, or have someone familiar with it tell me about it, which, as has already been observed, is unlikely to happen in this thread.

The main danger I see right now is if I start chromium while the KDE wallet subsystem is unknowingly disabled and I save a password thinking it is being encrypted but it isn't. But at least I can minimize that risk by putting the --password-store=kwallet into the settings of the desktop icon that I use to start chromium.

Thanks again!
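
The sqlite3 inspection described in the post above can be repeated as a script. This is an added example, not part of the original thread or of Chromium itself: it counts the rows in the logins table of "Login Data" and lists the sites that have a password value stored in the file, without printing any secret. The column names origin_url and password_value are assumptions taken from Chromium's schema (the thread does not name them), and the sample database built by build_sample is constructed for illustration.

```python
import shutil
import sqlite3
import tempfile
from pathlib import Path

# Path named in the thread; the column names used below are assumptions.
LOGIN_DATA = Path.home() / ".config/chromium/Default/Login Data"


def audit_login_data(db_path):
    """Return (row_count, origins whose password_value is non-empty)."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "login_data_copy"
        shutil.copyfile(db_path, copy)  # read a copy; the live file may be locked
        con = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        try:
            tables = {r[0] for r in con.execute(
                "SELECT name FROM sqlite_master WHERE type='table'")}
            if "logins" not in tables:
                return 0, []
            rows = con.execute(
                "SELECT origin_url, length(password_value) FROM logins").fetchall()
        finally:
            con.close()
    exposed = sorted(url for url, size in rows if size)
    return len(rows), exposed


def build_sample(path, saved):
    """Constructed stand-in for Login Data with the three tables seen in the thread."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins "
                "(origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.execute("CREATE TABLE meta (key TEXT, value TEXT)")
    con.execute("CREATE TABLE stats (placeholder TEXT)")  # contents not modelled
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", saved)
    con.commit()
    con.close()


if __name__ == "__main__":
    if LOGIN_DATA.exists():
        total, exposed = audit_login_data(LOGIN_DATA)
        print(f"{total} row(s) in logins; {len(exposed)} with a stored password")
        for origin in exposed:
            print("  password kept in file for:", origin)  # never prints the secret
```

Run it with Chromium closed, once after a --password-store=basic session and once after a kwallet session, to reproduce the comparison made in the post. The script reports only that a value is present in the file; it does not decide whether those bytes are clear text.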
anonymousleopard
Karma
0
Thanks for explaining.

mackler wrote:The only way I could be more certain would be to read the chromium source code, or have someone familiar with it tell me about it, which, as has already been observed, is unlikely to happen in this thread.


Please write back here if you find info anywhere else.

The main danger I see right now is if I start chromium while the KDE wallet subsystem is unknowingly disabled and I save a password thinking it is being encrypted but it isn't. But at least I can minimize that risk by putting the --password-store=kwallet into the settings of the desktop icon that I use to start chromium.


You can also set it as a default option in /usr/lib64/chromium/chromium-generic script. The default here is --password-store=detect (which always detects KWallet unless Chromium is explicitly disabled in ~/.config/kwalletrc).

Speaking of danger - I don't think this is the main danger. Actually it is not a problem at all unless you have local spyware.

I rather see as a potential security issue the fact that chromium and other apps use the same wallet. Considering that chromium gets access to all other passwords (e.g. LAN or other SSH credentials) and that it is an Internet application that can get buggy in any release, that makes the whole use of KWallet somewhat questionable. I have asked about that in another thread and also in openSUSE forums but it seems nobody can give an answer. The possibility of using different wallets seems practically impossible to use. I might actually file a bug report about that.
mackler
Registered Member
Posts
7
Karma
0
heyjoe wrote:...Actually it is not a problem at all unless you have local spyware.


Or your computer gets stolen.

heyjoe wrote:I rather see as a potential security...


Wow, that's some serious food for thought. When KDE told me to use the wallet, I just assumed it would be doing things intelligently, but your explanation is making me rethink that assumption. Thank you for that valuable "heads up."

 