On 15/11/2023 03:05, Anssi Saari wrote:
> Max Nikulin writes:
>
>> For Chromium it is better to have a password manager
>> (gnome-keyring/kwallet/keepassxc/etc.) with D-Bus interface. It needs
>> a key to encrypt passwords saved in browser and likely cookie store.
>> Encryption is not applied otherwise.
>
> What about Firefox then? Does it work with password managers with a
> D-Bus interface?

If you have passwords saved by Firefox or Thunderbird then you have to set master passwords in these applications. It is not integrated with user-wide key rings:

https://bugzilla.mozilla.org/show_bug.cgi?id=1586072
Password Manager using Secret Service (Open bug)

I am unsure if it affects cookies (that may contain long-lasting session credentials). Perhaps somebody may provide links clarifying it.

E.g. in Thunderbird, internal password storage is a way to use a Gmail account while having JavaScript disabled. It breaks OAuth2 authorization, so a Gmail application password (that is not supposed to be typed every time) has to be used. Certainly an external password manager is an alternative for passwords (but not for cookies).

On 15/11/2023 04:23, paulf wrote:
> Pass(1) sets a timer and removes the password from the clipboard after
> that time has expired.

I am unsure if listening for clipboard change events is currently implemented in browsers. Such a feature defeats timeouts. Its fair use is clipboard managers specifically for ChromeOS, but that might be usable on other platforms as well.

Just a warning for those who use clipboard managers: I do not think that xclip, used by pass(1), allows setting e.g. application/x-kde-passwordManagerHint

https://bugs.kde.org/show_bug.cgi?id=156547
Passwords copied from kwalletmanager appear in klipper

> Also worth noting that this system is in my home, behind a firewall,

A usual firewall does not protect against attacks through JavaScript executed in browsers and so having the local network available. There was an example of bricked NAS devices that were available for local networks only. Browsers may change security policy with respect to such requests; I am unsure concerning the current state of affairs. In addition, collected data may be uploaded since outgoing HTTPS requests are not blocked.
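
A perimeter firewall never sees such requests as inbound traffic, so one place to notice them is a log of what the browser fetched. The following is an added example, not part of the original message: it flags entries where a page served from a more public address requests a loopback or LAN address. The log format, the sample lines, the function names and the local/private/public ordering are all assumptions made for illustration.

```python
import ipaddress

# Address spaces ordered from least to most exposed (assumed ordering).
LOCAL, PRIVATE, PUBLIC = 0, 1, 2

# LAN ranges listed explicitly: RFC 1918, IPv4/IPv6 link-local, IPv6 ULA.
PRIVATE_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "169.254.0.0/16",
    "fc00::/7", "fe80::/10")]

def address_space(ip_text):
    """Classify one IP literal as LOCAL (loopback), PRIVATE (LAN) or PUBLIC."""
    ip = ipaddress.ip_address(ip_text)
    # Unwrap IPv4-mapped IPv6 (::ffff:10.0.0.5) so it cannot dodge the check.
    mapped = getattr(ip, "ipv4_mapped", None)
    if mapped is not None:
        ip = mapped
    if ip.is_loopback:
        return LOCAL
    if any(ip in net for net in PRIVATE_NETS):
        return PRIVATE
    return PUBLIC

# Constructed sample log: page origin, page IP, requested URL, resolved IP.
SAMPLE_LOG = """\
https://news.example 203.0.113.10 https://cdn.example/app.js 198.51.100.7
https://news.example 203.0.113.10 http://192.168.1.1/ 192.168.1.1
https://news.example 203.0.113.10 http://localhost:8080/ 127.0.0.1
http://nas.lan 192.168.1.20 http://192.168.1.1/ 192.168.1.1
https://ads.example 198.51.100.9 http://[::ffff:10.0.0.5]/ ::ffff:10.0.0.5
"""

def inward_requests(log_text):
    """Return (page, url) pairs where a page reaches into a less public space."""
    hits = []
    for line in log_text.splitlines():
        page, page_ip, url, url_ip = line.split()
        # Same-space traffic (LAN page to LAN host) is not flagged.
        if address_space(url_ip) < address_space(page_ip):
            hits.append((page, url))
    return hits

if __name__ == "__main__":
    for page, url in inward_requests(SAMPLE_LOG):
        print(f"{page} -> {url}")
```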
