How to confirm that Chromium is storing passwords securely?

anonymousleopard
mackler wrote: Or your computer gets stolen.

Perhaps if that happens your last problem is the wallet. Physical access to the machine opens a lot of doors.

Wow, that's some serious food for thought. When KDE told me to use the wallet, I just assumed it would be doing things intelligently, but your explanation is making me rethink that assumption. Thank you for that valuable "heads up."


I have finally reported that as a bug, as it seems I can't get an answer in any forum or in any doc. Hopefully someone pays attention.
pseco
mackler wrote:
heyjoe wrote:...Actually it is not a problem at all unless you have local spyware.


Or your computer gets stolen.

heyjoe wrote:I rather see as a potential security...


Wow, that's some serious food for thought. When KDE told me to use the wallet, I just assumed it would be doing things intelligently, but your explanation is making me rethink that assumption. Thank you for that valuable "heads up."

No need for KDE Wallet if you have your entire drive encrypted. Newer live installers already prompt you to encrypt the root partition with LUKS. That way you can have everything in plain text inside, at least for a regular user. On Windows, if you are already logged in, it doesn't prompt you for any password unless you want to see the logins from the Chrome settings.

If you disable KDE Wallet, Chrome will not remember your Google user account and you will have to re-login every time you boot the computer. It's too integrated for now to simply disable KDE Wallet.
anonymousleopard
2 years later :)
pseco wrote: No need for kde wallet if you have your entire drive encrypted.

Are you saying that booting into a system which uses an encrypted drive and logging in to it requires additional individual unlocking of each and every file by each and every process separately? That would mean that each time I open some text file in a text editor I will have to enter some credentials in order to be able to work with it. Makes no sense.
betlog
I realise this is old, but it keeps coming up in searches for kdewallet and chrome.
I wanted to check that --password-store=kwallet worked too. So here are some observations that may or may not be useful.

I noticed that kwallet stores a single 'Chrome Safe Storage' passcode. So I have to assume that is the encryption key for data it stores under ~/.config/google-chrome/
..and FYI I'm talking Kubuntu 18.04 now.
I also noticed that opening Chrome>Settings>passwords.. although it may *appear* to be storing them unencrypted...
If you disable Kwallet, all of the entries in Chrome>Settings>passwords vanish. Restarting kwallet and chrome brings them back again.

So the logical assumption is that when kdewallet's password is the same as the user's login password it is thereby always transparently active.
Chrome stores passwords encrypted in .config...
and kwallet manages the master passcode to that encryption.

So the logical question is how good is Chrome's crypto?

It also really bothers me that ALL of my passwords aren't stored in kwallet. I mean, a "wallet" implies a certain amount of self-containment and thereby portability. If all it's doing is holding a few master passwords for completely separate data that could be erased at any time... well for me it's failing in living up to its name in that respect. I guess that's why I like keepassX.
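
One way to check the point made in the post above, as an added example that is not part of the thread or of Chromium's own code: on Linux, Chromium's os_crypt prefixes each stored ciphertext with `v11` when the key came from the keyring (the 'Chrome Safe Storage' entry) and with `v10` when it fell back to a key built into the browser, so counting prefixes in the `logins` table of the profile's `Login Data` SQLite file shows whether KWallet is actually protecting the entries. The function names and the sample database are constructed for illustration, and the real profile path is an assumption you supply.

```python
import os
import sqlite3
import tempfile
from collections import Counter
from urllib.parse import quote

def classify(blob):
    """Label one password_value blob by its os_crypt version prefix."""
    if not blob:
        return "empty"
    if blob.startswith(b"v11"):
        return "keyring-key"      # key material fetched from KWallet/libsecret
    if blob.startswith(b"v10"):
        return "hardcoded-key"    # fallback key built into the browser: obfuscation only
    return "unprefixed"           # not in os_crypt format, treat as plaintext

def audit_login_data(db_path):
    """Count blobs per class; opens read-only. Close the browser or pass a copy."""
    uri = "file:" + quote(os.path.abspath(db_path)) + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        rows = con.execute("SELECT password_value FROM logins").fetchall()
    finally:
        con.close()
    return Counter(classify(bytes(v) if v is not None else b"") for (v,) in rows)

def build_sample_db(path):
    """Constructed stand-in for 'Login Data' (only the columns used here)."""
    con = sqlite3.connect(path)
    con.execute("CREATE TABLE logins "
                "(origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://a.example/", "alice", b"v11" + bytes(16)),
        ("https://b.example/", "alice", b"v11" + bytes(32)),
        ("https://c.example/", "alice", b"v10" + bytes(16)),
        ("https://d.example/", "alice", b"not-encrypted"),
    ])
    con.commit()
    con.close()

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        sample = os.path.join(d, "Login Data")
        build_sample_db(sample)
        print(dict(audit_login_data(sample)))
```

Any count under `hardcoded-key` or `unprefixed` means those entries do not depend on the wallet at all, whatever `--password-store` was passed at the time they were saved.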

 