[teraflop]

This is misleading. If you follow the links to the Chromium bug tracker, you'll note that Chrome integrates with the GNOME and KDE encrypted password managers when they're available. If they're not, it falls back to storing passwords itself with obfuscation, which is the best it can do. (On Windows and OS X, it uses CryptProtectData and the Keychain API, respectively.)

https://code.google.com/p/chromium/wiki/LinuxPasswordStorage

[justinschuh]

That's a bit out of date, because libsecret is supported as well: https://code.google.com/p/chromium/codesearch#chromium/src/c...

But yeah, it pretty much looks for any sort of secure credential manager and falls back to the fixed key only when nothing is available.

[nly]

Here's a question: why isn't there a de facto desktop independent password/key/secret manager for Linux? The Linux kernel has userland crypto apis built-in, why aren't we using them? At most, only the manager/permissions UI should be desktop dependent.

[krakensden]

There is- it's called libsecret, and it's used as a cross-platform backend for both the Gnome & KDE secret managers, which are 'just' guis for it. I don't actually know if it uses the Linux kernel's apis, but it's supposed to do a pretty good job.

[mhogomchungu]

The biggest issue with libsecret and with KWallet is that once a wallet is opened by one application,every other application can get all the contents of that opened wallet.

In GNOME,the wallet is opened by the login manager and that means all the contents of the wallet are available to all processes run from the logged in user account.

KDE refused to have the above behavior of the login manager opening the wallet and hence after login,there must be atleast one application that will have to open the wallet and then the behavior will be the same as libsecret.

Lots of people who use these two storage systems are not aware of the above.

I dont like the above behavior as i want each application to manage its own private wallet and i created lxqt_wallet[1] to give me the behavior i want.

The project also supports libsecret and KWallet for those who prefer these backends.

[1] https://github.com/mhogomchungu/lxqt_wallet

[zanny]

The UX of kwallet is awful, and everyone I put on KDE I always use a blank wallet password so they are not badgered by "enter password to unlock wallet" prompts.

Yes, its insecure to have the user session act as an unlock on a cryptographic store like that. It looks like lxqt_wallet is even worse on that front in terms of UX - yes, its more secure for every program to have its own secret stores and require prompts to unlock them, but average desktop users just want to login and have that unlock their secret stores, pretty much like Gnome does it.

What you really want is MAC on secrets. Applications that add to the secrets database get implicit access to those secrets in the future, but first access should require user permission before an application can start accessing your credentials for other accounts. You don't really need anyone to reinput a password, just prompt users "Kfoo wants to access your account neckbeard@gmail.com, allow?" with allow / deny choices, or make it an option in the wallet GUI.

You could probably even integrate it into current MAC solutions. Make it a VFS somewhere in var, and have your distro ship sane defaults like letting the sanctioned im client (both are based off telepathy nowadays) access the secrets store on a whitelist of domains, like @gmail, @chat.facebook.com, etc.

[mhogomchungu]

> It looks like lxqt_wallet is even worse on that front in terms of UX - yes, its more secure for every program to have its own secret stores and require prompts to unlock them, but average desktop users just want to login and have that unlock their secret stores, pretty much like Gnome does it.

lxqt_wallet supports 3 backends: kwallet,libsecret and internal one that gives the behavior i explained above.

Each backend has its pro and cons and the project lets the user pick which one works best for them.

There need to be a general purpose secure storage system that can accommodate users who wish to not have their secrets that are meant to be used by only one application be exposed to all other applications.

[nly]

KWallet in KDE4 doesn't seem to be using libsecret. Is this a KDE 5.x thing?

[dd9990]

It's being called KSecret Service afaik (https://barlog.rusu.info/valentin/blog/?p=411).

[runiq]

And it still uses libsecret under the hood.

[jryan49]

I use pass and pass-dmenu since I don't use a DE. http://www.passwordstore.org/

[tinco]

I wonder if there's a definitive list somewhere of what features operating systems should have in order to be proper for running a generic server or desktop.

There's so many blurry lines there. I agree that a secret store is best done as a system level service, but it's so hard to standardize on one api, and yet so easy for a shitty one to become de facto (I.e. X.org).

[wtbob]

> If they're not, it falls back to storing passwords itself with obfuscation, which is the best it can do.

No, the best it could do is to have a master password, provided at launch.

I'm really concerned about the extent to which neither Google nor Mozilla actually cares about user security. No plaintext password should ever live somewhere outside of the user's head; no password encrypted with a user-memorable password should live outside of a computer under the user's physical control. Thus, passwords (and other private data) on remote systems should always be encrypted with secure keys, themselves generated on the user's device and encrypted on his device with his memorable password.

The facts that by default Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers, and that Mozilla utterly destroyed the security of their sync system, are utterly sickening.

[carussell]

> Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers

You're going to need to qualify that statement.

> Mozilla utterly destroyed the security of their sync system

You're going to need to qualify that statement.

[wtbob]

> > Google will store your website and WiFi passwords (along with your emails and pictures) in plaintext on their servers

> You're going to need to qualify that statement.

They store that information such that they can read it. Yes, it may actually be encrypted with a key they have access to, but it's effectively plaintext because they can read it.

> > Mozilla utterly destroyed the security of their sync system

> You're going to need to qualify that statement.

https://blog.mozilla.org/services/2014/04/30/firefox-syncs-n...

Your master key is stored on their servers, encrypted with a key derived from your password. That's pretty bad already, since user-memorable passwords are highly susceptible to guessing. It gets worse though, since they use Mozilla-served JavaScript to log you into your Firefox account—which means Mozilla could choose to serve someone different JavaScript and steal his password.

All it would take is a court order, and they could be forced to do it.

[kuschku]

About the first thing: he means that Google stores them in a way so that they can access the data – instead of doing end to end crypto with a password derived key.

[asuffield]

It's only true because he's stuck the words "by default" in there. The button to set a password-based key is in the menu and then it does end-to-end crypto.

If you don't give it a key, it does the best it can with an impossible problem.

[kuschku]

Technically, due to having a Google Account, there would be a way for that.

And if you set a master password for Chrome mobile, you can still access everything without this password on desktop chrome, and in reverse.

As you are logged into your Google account anyway, though, they should just use your account identifier as seed for the key if no other option is available.

[newuser88273]

Expecting privacy (or privacy-preserving security) from Google products has always been folly.

Mozilla used to be different. However, when Brendan was purged, first doubts may have arisen. Now that we also see cyber-bully Klabnik on their payroll, the probability has risen sharply that Mozilla has been successfully subverted into a political pressure group.

Since Mozilla now is enrolled in support of the dominant ideology, it has no incentive for supporting privacy anymore, either: The dominant ideology wants minority opinion holders to be outed and ostracised.

[lolpep8]

How could I not think of that! Hiring a kind of SJW-ey guy to write Rust docs is just a small step in the direction of clear-text passwords and the removal of HTTPS from Firefox. Better switch to Gnome Web, then.

[newuser88273]

If Mozilla was a-political, Klabnik couldn't work there if Brendan couldn't. He can, and Mozilla isn't.

Actually, the politicalization of Mozilla means that everything technical will lose priority over time.

[icebraining]

There's no such thing as an apolitical organization; their very structure is based on underlying political beliefs.

[rmrfrmrf]

Mmk.

[erikb]

I'm not good at security stuff, but is a hardcoded password not much worse than any string written to some kind of config database but that is different for every program installation or system user?

[sorbits]

It’s about the same, as anyone would be able to read the generated password from the config database (since where to store it would still be hardcoded in the binary).

[__mp]

I wonder how many people are using KDE or Gnome these days. I'm pretty sure I'm using something other than KDE and Gnome on my Linux installs.

[keithpeter]

Debian Popularity Contest can tell you a few things...

Just over half of those participating have installed Gnome/KDE/Cinnamon

https://qa.debian.org/popcon-graph.php?packages=gnome-shell%...

And it looks as if about a quarter totally are using Gnome/KDE/Cinnamon regularity (rest could be switched off of course!)

https://qa.debian.org/popcon-graph.php?packages=gnome-shell%...

Popcon statistics are notoriously hard to interpret though so a large pinch of salt needed.

https://joeyh.name/blog/entry/the_popcon_problem/