> > According to the chromium documentation cited, this is wrong.
>
> If it applied a rot13 to your password

...it would be the same security level against anyone who has ever read anything about security as storing it plaintext. That is just obfuscation.

The point was not that it is plain text. The point was that it is unsafe.

And your cited discussion thread jdstrand also refers to the situation as

> with it not connected the passwords are stored in effectively plaintext on
> disk

If there is no (secure) secret, there is no added security level.

> > For many people an autoconnect for the password-manager-service would
> > probably solve this
>
> Then you're welcome to follow up in [1], in which the automatic connection of
> the interface has been
> declined. I cannot override the policy reviewers' decision.

Referring to that thread is a sensible answer; probably there should be a feature request for an auto-connection to some kind of restricted password manager (where a snap can only write and read its own passwords), which may be manually connected to one of the usual password managers if the users decide so.

If what jdstrand writes is true..

> Other snaps that plug password-manager-service also have access to chromium’s passwords.

.. I think the current password manager situation (all connected snaps sharing passwords) is kind of broken. Probably the same kind of broken as on a normal desktop, but snaps are supposed to be sandboxed.

--
https://bugs.launchpad.net/bugs/1996267

Title:
  [snap] Doesn't store encrypted passwords unless interface is connected

Status in chromium-browser package in Ubuntu:
  Confirmed

Bug description:
  In the Snap package of Chromium, Chromium is not protecting passwords with gnome-keyring (or KWallet). As a result, copying the Chromium profile directory from the snap directory gives access to all stored passwords. This is a HIGH security risk.
  Regular users who are used to storing their passwords in browsers are probably unaware of this.

  Note that Chromium is started with the command line option “--password-store=basic”. This hack should never have been released to the public.

  The Chromium documentation states:
  > --password-store=basic (to use the plain text store)
  https://chromium.googlesource.com/chromium/src/+/master/docs/linux/password_storage.md
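A defender-side check for the condition this bug describes, as an added example that is not part of the original thread or of the Chromium snap: it reads `snap connections` output to see whether the password-manager-service plug is connected, and reads a browser command line for `--password-store=`. The function names and the sample inputs are constructed for illustration, and the parser assumes the usual Interface / Plug / Slot / Notes column layout with `-` in the Slot column for an unconnected plug.

```shell
#!/bin/sh
# Constructed sample of `snap connections chromium` output, plug unconnected.
SAMPLE_DISCONNECTED='Interface                 Plug                               Slot      Notes
network                   chromium:network                   :network  -
password-manager-service  chromium:password-manager-service  -         -'

# Constructed sample with the plug manually connected.
SAMPLE_CONNECTED='Interface                 Plug                               Slot                       Notes
password-manager-service  chromium:password-manager-service  :password-manager-service  manual'

# keyring_plug_state: reads `snap connections <snap>` output on stdin and
# prints connected | disconnected | absent for password-manager-service.
keyring_plug_state() {
    awk '
        $1 == "password-manager-service" {
            seen = 1
            if ($3 != "-") connected = 1   # Slot column "-" means unconnected
        }
        END {
            if (connected) print "connected"
            else if (seen) print "disconnected"
            else print "absent"
        }'
}

# password_store_flag: prints the value of --password-store= found in the
# command line given as $1, or "default" when the flag is not present.
password_store_flag() {
    for arg in $1; do
        case $arg in
            --password-store=*) printf '%s\n' "${arg#--password-store=}"; return 0 ;;
        esac
    done
    printf 'default\n'
}

# assess: $1 = `snap connections` output, $2 = browser command line.
# Flags the profile when the plug is not connected or the basic store is forced.
assess() {
    plug=$(printf '%s\n' "$1" | keyring_plug_state)
    store=$(password_store_flag "$2")
    if [ "$plug" != "connected" ] || [ "$store" = "basic" ]; then
        printf 'plaintext-store-likely plug=%s store=%s\n' "$plug" "$store"
    else
        printf 'keyring-available plug=%s store=%s\n' "$plug" "$store"
    fi
}
```

On a live system, pipe `snap connections chromium` into `keyring_plug_state` and pass the running browser's command line to `password_store_flag`.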

