'Big Honking Security Hole' or something else?
Dotan Cohen
dotancohen at gmail.com
Tue Oct 19 18:04:56 UTC 2010
On Mon, Oct 18, 2010 at 23:13, Steven Susbauer <steven at too1337.com> wrote:
> On 10/18/10 1:40 PM, Dotan Cohen wrote:
>>
>> As a demonstration of what happens to plain text passwords.
>>
>> Now that the issue is being taken seriously, where is the offending
>> file? No matter how much blame-shifting we do, the fact remains that
>> this is a serious security issue and it's time to fix it.
>>
>
> There is no offending file. gnome-keyring does not store passwords as
> plain text, but provides the ability to retrieve the password if you
> have unlocked (IE: decrypted) the keyring. If you wish to avoid this
> behavior, change the password on the login keyring so it does not
> automatically unlock, or set another keyring as the default keyring and
> manage those passwords separately from the login keyring (so maybe your
> user passwords remain locked until you manually unlock it, but you still
> automatically connect to your wireless network).
>
> Keyrings are stored in the .gnome2/keyrings folder. Run strings and
> you'll not find much of value.
>
I had understood the situation to be that after the password is given,
there exists a plaintext file with the passwords. Rereading the OP, I
see that it is not the filesystem that he was poking around in, but
rather the Password and Encryption Keys application. That is
reasonable, so there is no bug.
Thanks.
--
Dotan Cohen
http://gibberish.co.il
http://what-is-what.com