Hacker News new | ask | show | jobs
by benatkin 2543 days ago
You have the encrypted cookies. You can't use the encrypted cookie to login with gmail.

It might only encrypt some of the cookies, but encrypting cookies in such a way that you need to be able to log in or unlock the screen with your password is a thing. https://stackoverflow.com/questions/22532870/encrypted-cooki...

Otherwise there would be no point in such projects as node-keytar.
1 comments
nemothekid 2543 days ago
>Otherwise there would be no point in such projects as node-keytar.

On Windows, the DPAPI (which node-keytar uses) does not protect against physical access. Here's a nifty GUI tool that is easily found with Google: https://www.nirsoft.net/utils/dpapi_data_decryptor.html

On Windows, DPAPI may protect you against unprivileged code execution, but it will not protect you against a privileged RCE or someone physically mounting your unencrypted hard drive.

I'm not sure what the state of the art in Linux or OS X's keychain is, but I wouldn't be surprised if they don't try to protect against that threat vector as well.

link
benatkin 2543 days ago
From that page: "If the DPAPI data was encrypted with the logon password, you have to enter this password in the 'Windows Login Password' field."
link
nemothekid 2543 days ago
And how many people do you know enter their logon password every time they start Chrome?

EDIT: I looked into it a bit more, and the particular workaround I was thinking of may have been patched sometime between Windows 8 and Windows 10.

link
benatkin 2543 days ago
I already went over this. Quoting myself:

> You could argue that the number of people who protect their computer by password but don't encrypt their disks is too small or isn't worth worrying about. But I know that there is a significant portion of users that has it set up this way.

It isn't before starting Chrome. It's when unlocking their screen or when starting up their computer.

A typical scenario for having your laptop stolen is being robbed while carrying your laptop in a backpack. If the lid is closed, the screen should be locked, if good password settings were chosen. Better to have the whole disk encrypted, but NSAPI provides some security for those who only have passwords set.

link