'Big Honking Security Hole' or something else?

Steven Susbauer steven at too1337.com
Mon Oct 18 11:38:15 UTC 2010

On 10/18/10 3:18 AM, Dotan Cohen wrote:
> On Mon, Oct 18, 2010 at 03:01, Anthony Papillion <papillion at gmail.com> wrote:
>> So, tonight I've been poking around my system and was looking around in
>> the Password and Encryption Keys application.  I've stored a few website
>> logins and I notice they are sitting there IN PLAIN TEXT and very readable!
>> While I grant that accessing this information would probably require
>> physical access to the machine (though, maybe, SSH would allow access to
>> it too), isn't this a problem?  The fact that usernames and passwords
>> are just sitting there in clear text?
>> Is there something I'm not understanding?
> It may or may not be a problem. Which file, exactly, was the data in?
> Did you previously unlock your keyring?
> I happen to agree that even if the keyring is unlocked the data should
> not be sitting around in plain text.

Change the keyring password to be something separate from the login 
password, and you will instead be prompted to unlock it rather than the 
PAM module doing it itself. This is an Ubuntu usability decision because 
most people don't want to enter a password every time NetworkManager 
tries to connect to their network.

These passwords are not sitting around in plain text. They are stored in 
a secure state. I agree the behavior of seahorse and gnome-keyring is 
not the best, and would prefer it prompt for the keyring password before 
showing the stored password, like in the Keychain on the Mac.

A few of the comments in the bug think being able to see passwords at
all is a problem. It is not. You may store passwords which no
application uses to log in, like a password vault. I would certainly
hate to be unable to log in to things because my manually stored
passwords are now hidden.
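To make the distinction in the reply above concrete (secrets encrypted at rest in the keyring file, a PAM module auto-unlocking it only when the keyring password equals the login password, and a separate keyring password forcing a prompt), here is an added, self-contained Python model of that flow. It is not the thread's code and not gnome-keyring's real file format or cipher: the PBKDF2 key derivation, the SHA-256 counter keystream and the HMAC tag are a toy construction chosen only so the example runs with the standard library, and all passwords and site entries are constructed sample values.

```python
import hashlib
import hmac
import json
import os


def _derive_key(password: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Stretch the keyring password into a 32-byte key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256; illustrative only."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:length]


class ToyKeyring:
    """Model of a keyring: ciphertext + MAC on disk, plaintext only while unlocked."""

    def __init__(self, keyring_password: str, items: dict):
        self.salt = os.urandom(16)
        self.nonce = os.urandom(16)
        key = _derive_key(keyring_password, self.salt)
        plaintext = json.dumps(items).encode()
        stream = _keystream(key, self.nonce, len(plaintext))
        self.ciphertext = bytes(p ^ s for p, s in zip(plaintext, stream))
        # Authenticate nonce + ciphertext so a wrong password is detected, not decrypted to junk.
        self.tag = hmac.new(key, self.nonce + self.ciphertext, "sha256").digest()
        self._unlocked = None  # decrypted items live here only after unlock()

    def at_rest_bytes(self) -> bytes:
        """What an attacker with the file (but no password) gets to read."""
        return self.salt + self.nonce + self.ciphertext + self.tag

    def unlock(self, password: str) -> bool:
        key = _derive_key(password, self.salt)
        expected = hmac.new(key, self.nonce + self.ciphertext, "sha256").digest()
        if not hmac.compare_digest(expected, self.tag):
            return False  # wrong password: stays locked
        stream = _keystream(key, self.nonce, len(self.ciphertext))
        self._unlocked = json.loads(bytes(c ^ s for c, s in zip(self.ciphertext, stream)))
        return True

    def lock(self) -> None:
        self._unlocked = None

    def is_unlocked(self) -> bool:
        return self._unlocked is not None

    def get_secret(self, name: str) -> str:
        """The 'view password' action in the UI: only works on an unlocked keyring."""
        if self._unlocked is None:
            raise PermissionError("keyring is locked; unlock it first")
        return self._unlocked[name]


def pam_auto_unlock(keyring: ToyKeyring, login_password: str) -> bool:
    """Model of the PAM behaviour: try the login password on the keyring at login.
    Succeeds only when the keyring password equals the login password; otherwise the
    keyring stays locked and the user is prompted later."""
    return keyring.unlock(login_password)


def demo() -> dict:
    login_pw = "hunter2"  # constructed sample login password
    items = {"example.org": "s3cret"}  # constructed sample stored login
    same = ToyKeyring(login_pw, items)          # default Ubuntu setup
    separate = ToyKeyring("other-phrase", items)  # keyring password changed
    return {
        "plaintext_on_disk": b"s3cret" in same.at_rest_bytes(),
        "same_pw_auto_unlocked": pam_auto_unlock(same, login_pw),
        "separate_pw_auto_unlocked": pam_auto_unlock(separate, login_pw),
        "separate_pw_manual_unlock": separate.unlock("other-phrase"),
        "secret_after_unlock": separate.get_secret("example.org"),
    }


if __name__ == "__main__":
    print(demo())
```

The model reproduces the reply's point: the file holds no plaintext, the login-password keyring is opened silently at login, and a keyring with its own password stays locked until the user supplies it, after which the UI can show the stored password.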

More information about the ubuntu-users mailing list