by Navarr 4025 days ago
"ksalt - at least salt is a variable, surely it at least is randomly generated, right?"

> // Salt for Symmetric key derivation.

> const char kSalt[] = "saltysalt";

2 comments

Obviously, there is no point in using a random salt when your key is public. There will be no point in using a salt when they generate a random secure key ("We need to improve this password situation by moving a secure password into a system-level key store."). To be fair, there's no point in key derivation at all if the goal is to have a fixed or randomly generated key, so I don't know what they were thinking. Unless this password is provided by the user.
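The argument in this comment, as an added example that is not part of the thread or of Chromium's code: a PBKDF2 derivation with a hard-coded password and the quoted `kSalt` value is reproducible by anyone with the source, a random salt does not change that while the password stays public, and only a secret the attacker lacks (such as one held in an OS key store) makes the derived key unpredictable. The password value, iteration count and key length are constructed stand-ins.

```python
import hashlib
import os

# Constructed stand-ins for constants compiled into a public binary.
PUBLIC_PASSWORD = b"hardcoded-password"   # placeholder, not any real project's value
FIXED_SALT = b"saltysalt"                  # the kSalt value quoted in the thread
ITERATIONS = 1003                          # constructed value
KEY_LEN = 16


def derive_key(password: bytes, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """PBKDF2-HMAC-SHA1 as a stand-in for a symmetric key derivation step."""
    return hashlib.pbkdf2_hmac("sha1", password, salt, iterations, dklen=KEY_LEN)


def key_from_public_constants() -> bytes:
    """Password and salt are both in the source, so anyone can recompute this key."""
    return derive_key(PUBLIC_PASSWORD, FIXED_SALT)


def key_with_random_salt_but_public_password() -> tuple[bytes, bytes]:
    """A random salt has to be stored next to the data it protects; whoever holds
    the data holds the salt too and can rederive the key from the public password."""
    salt = os.urandom(16)
    return salt, derive_key(PUBLIC_PASSWORD, salt)


def key_from_secret(secret: bytes) -> bytes:
    """With a secret the attacker does not have, the derived key is unpredictable;
    the salt then only serves to defeat precomputation across installations."""
    return derive_key(secret, FIXED_SALT)


if __name__ == "__main__":
    print("fixed constants :", key_from_public_constants().hex())
    salt, k = key_with_random_salt_but_public_password()
    print("random salt     :", k.hex(), "recomputable:", derive_key(PUBLIC_PASSWORD, salt) == k)
    print("per-user secret :", key_from_secret(b"secret-from-keystore").hex())
```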
Reading this was like seeing a ray of hope being shot down by a minigun.

In seriousness, what gives!? Why are these so simple? Surely a development base as large as Chromium's could pick up on something like this.

It's a good software development principle. Make things that are secure look secure. Make things that are insecure look insecure. This is going to be insecure no matter what precautions are taken, because the source is open and the key is part of the binary, so it should look exactly as insecure as it is so no one assumes anything untrue about this code.