[benatkin]

I believe you're mistaken. They would need your password to boot up the computer or unlock your screen. I think the cookies on Chrome are encrypted using the same mechanism as node-keytar. I didn't say anything about stealing a laptop while it's logged in. I just mean physically stealing the laptop.

You could argue that the number of people who protect their computer by password but don't encrypt their disks is too small or isn't worth worrying about. But I know that there is a significant portion of users that has it set up this way.

[nemothekid]

If your disk is unencrypted, all I need to do is mount your disk on my computer and point my Chrome user disk to /mnt/stolen_drive/home/users/James/chrome_data and I have all your cookies.

I'm not sure about Linux, but on Windows this is trivial. If you are concerned about this attack vector, then encrypt this drive. If you are hit by an RCE, then your Trello keys are the least of your problems.

Physical access is game over.

[benatkin]

You have the encrypted cookies. You can't use the encrypted cookie to login with gmail.

It might only encrypt some of the cookies, but encrypting cookies in such a way that you need to be able to log in or unlock the screen with your password is a thing. https://stackoverflow.com/questions/22532870/encrypted-cooki...

Otherwise there would be no point in such projects as node-keytar.

[nemothekid]

>Otherwise there would be no point in such projects as node-keytar.

On Windows, the DPAPI (which node-keytar uses) does not protect against physical access. Here's a nifty GUI tool that is easily found with Google: https://www.nirsoft.net/utils/dpapi_data_decryptor.html

On Windows, DPAPI may protect you against unprivileged code execution, but it will not protect you against a privileged RCE or someone physically mounting your unencrypted hard drive.

I'm not sure what the state of the art in Linux or OS X's keychain is, but I wouldn't be surprised if they don't try to protect against that threat vector as well.

[benatkin]

From that page: "If the DPAPI data was encrypted with the logon password, you have to enter this password in the 'Windows Login Password' field."

[nemothekid]

And how many people do you know enter their logon password every time they start Chrome?

EDIT: I looked into it a bit more, and the particular workaround I was thinking of may have been patched sometime between Windows 8 and Windows 10.

[benatkin]

I already went over this. Quoting myself:

> You could argue that the number of people who protect their computer by password but don't encrypt their disks is too small or isn't worth worrying about. But I know that there is a significant portion of users that has it set up this way.

It isn't before starting Chrome. It's when unlocking their screen or when starting up their computer.

A typical scenario for having your laptop stolen is being robbed while carrying your laptop in a backpack. If the lid is closed, the screen should be locked, if good password settings were chosen. Better to have the whole disk encrypted, but NSAPI provides some security for those who only have passwords set.