by nemothekid 2541 days ago
>Otherwise there would be no point in such projects as node-keytar.

On Windows, the DPAPI (which node-keytar uses) does not protect against physical access. Here's a nifty GUI tool that is easily found with Google: https://www.nirsoft.net/utils/dpapi_data_decryptor.html

On Windows, DPAPI may protect you against unprivileged code execution, but it will not protect you against a privileged RCE or someone physically mounting your unencrypted hard drive.

I'm not sure what the state of the art in Linux or OS X's keychain is, but I wouldn't be surprised if they don't try to protect against that threat vector either.

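The point above about what DPAPI does and does not protect against can be seen directly from a round trip through the API. This is an added PowerShell example, not code from the thread or from node-keytar; the secret and the entropy string are constructed for the demo. It shows that with the CurrentUser scope any process in the user's logon session can call Unprotect with no password prompt (so unprivileged code running as that user, or a privileged RCE, gets the plaintext), what the blob header looks like (tools that carve DPAPI blobs from a disk image key off it), and what changes when an application mixes in its own entropy.

```powershell
# Added example: DPAPI round trip in PowerShell (Windows only).
# Requires .NET's System.Security assembly, which carries the DPAPI wrapper.
Add-Type -AssemblyName System.Security

$scope  = [System.Security.Cryptography.DataProtectionScope]::CurrentUser
# Constructed demo secret, not a real credential.
$secret = [System.Text.Encoding]::UTF8.GetBytes('constructed demo secret')

# 1. Encrypt the way a credential store typically does: CurrentUser scope,
#    no application-supplied entropy. The master key behind this scope is
#    derived from the user's logon credential and unlocked at logon.
$blob = [System.Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

# 2. Every DPAPI blob starts with a version DWORD (1) followed by the
#    provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb. Offline tools that
#    scan an unencrypted disk image for DPAPI material recognise this header.
$version  = [System.BitConverter]::ToInt32($blob, 0)
$provider = [System.Guid]::new([byte[]]$blob[4..19])
"Blob header: version {0}, provider {1}" -f $version, $provider

# 3. Decrypt. This succeeds for any code running as the same user, with no
#    prompt: the protection is against *other* users and against offline
#    access without the user's key material, not against code in the session.
$plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $scope)
"Recovered without a password prompt: " + [System.Text.Encoding]::UTF8.GetString($plain)

# 4. Optional entropy (the second argument) is the one knob an application
#    has: whoever decrypts must also supply the same bytes. It does not change
#    the trust boundary, because any code as this user can read the entropy
#    from wherever the application keeps it, but a missing or wrong value fails.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('constructed app entropy')
$blob2   = [System.Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)
try {
    [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob2, $null, $scope)
    "Unexpected: decrypted without the entropy"
} catch {
    "Unprotect without the entropy failed, as expected: " + $_.Exception.GetBaseException().Message
}
```

Run it in a normal (non-elevated) PowerShell session to see that step 3 needs nothing beyond being the logged-on user; run step 3 against a blob produced by a different account, or on a copied disk without that account's credential, and Unprotect throws instead. That is the boundary the comment above describes: DPAPI separates users and keeps offline data opaque to someone without the logon secret, but it is no barrier to code already executing as the victim.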

From that page: "If the DPAPI data was encrypted with the logon password, you have to enter this password in the 'Windows Login Password' field."
And how many people do you know who enter their logon password every time they start Chrome?

EDIT: I looked into it a bit more, and the particular workaround I was thinking of may have been patched sometime between Windows 8 and Windows 10.

I already went over this. Quoting myself:

> You could argue that the number of people who protect their computer by password but don't encrypt their disks is too small or isn't worth worrying about. But I know that there is a significant portion of users that has it set up this way.

It isn't before starting Chrome. It's when unlocking their screen or when starting up their computer.

A typical scenario for having your laptop stolen is being robbed while carrying your laptop in a backpack. If the lid is closed, the screen should be locked, if good password settings were chosen. Better to have the whole disk encrypted, but DPAPI provides some security for those who only have passwords set.