I don't see how this debate is apropos. Whether or not the passwords are
stored in the clear, or obscured with symmetric encryption using hard
coded parameters in chrome is irrelevant. Both of these scenarios are
entirely unacceptable.

That said, the answer here afaik is they're stored with a key generated
with pbkdf2 using a password of "peantus" and a salt of "saltysalt" and
1 iteration. I think that because I know 100% this is how the Cookies
work having examined the source in OSCrypt which is in os_crypt_linux.cc
which I assume handles passwords too.

Ubuntu is the most popular Linux desktop. Its use is not unique from
either OSX or Windows (which uses DPAPI). Both of which have entirely
superior solutions to this problem and do not store passwords in clear
text, or with hard-coded symmetric encryption. That's not the default
anyway.

That all said, I will extend https://github.com/EvanCarroll/xbrowser/ to
support decoding passwords soon.

So you'll have a tool you can run. The command will be simple:

    xbrowser export chrome passwords

And you'll be able to dump all the passwords.

-- 
You received this bug notification because you are a member of Desktop
Packages, which is subscribed to chromium-browser in Ubuntu.
https://bugs.launchpad.net/bugs/1996267

Title:
  [snap] Doesn't store encrypted passwords unless interface is connected

Status in chromium-browser package in Ubuntu:
  Confirmed

Bug description:
  In the Snap package of Chromium, Chromium is not protecting passwords
  with gnome-keyring (or KWallet).

  As a result, copying the Chromium profile directory from the snap
  directory gives access to all stored passwords. This is a HIGH
  security risk. Regular users who are used to storing their passwords
  in browsers are probably unaware of this.

  Note that Chromium is started with the command line option
  “--password-store=basic”. This hack should never have been released to
  the public.

  The Chromium documentation states:
  > --password-store=basic (to use the plain text store)

  
https://chromium.googlesource.com/chromium/src/+/master/docs/linux/password_storage.md
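
A defensive check for the launch option named in the bug description, as an added example that is not part of the bug report or of Chromium: it parses NUL-separated `/proc/<pid>/cmdline` data and flags main browser processes started with `--password-store=basic`. The function names, sample command lines and paths are constructed for illustration, and matching on a `chrome`/`chromium` binary name is an assumption.

```python
import glob
import os

def parse_cmdline(raw):
    """Split a /proc/<pid>/cmdline blob (argv joined by NUL bytes)."""
    return [a.decode("utf-8", "replace") for a in raw.split(b"\0") if a]

def password_store(argv):
    """Value of the --password-store switch, or None when it is absent."""
    for arg in argv[1:]:
        if arg.startswith("--password-store="):
            return arg.split("=", 1)[1]
    return None

def is_browser_process(argv):
    """True for a Chromium/Chrome main process (assumed binary names).
    Child processes (renderer, gpu, ...) carry a --type= switch."""
    if not argv:
        return False
    name = os.path.basename(argv[0])
    if not name.startswith(("chrome", "chromium")):
        return False
    return not any(a.startswith("--type=") for a in argv[1:])

def audit(cmdlines):
    """Return sorted PIDs of browser processes using the basic store."""
    flagged = []
    for pid, raw in cmdlines.items():
        argv = parse_cmdline(raw)
        if is_browser_process(argv) and password_store(argv) == "basic":
            flagged.append(pid)
    return sorted(flagged)

def read_proc():
    """Collect {pid: raw cmdline} from a live Linux /proc."""
    found = {}
    for path in glob.glob("/proc/[0-9]*/cmdline"):
        try:
            with open(path, "rb") as fh:
                found[int(path.split("/")[2])] = fh.read()
        except OSError:
            continue  # process exited or is not readable
    return found

# Constructed sample data, not captured from a real system.
SAMPLES = {
    4242: b"/snap/chromium/current/usr/lib/chromium-browser/chrome\0--password-store=basic\0",
    4250: b"/snap/chromium/current/usr/lib/chromium-browser/chrome\0--type=renderer\0",
    5100: b"/usr/bin/chromium\0--password-store=gnome-libsecret\0",
    5200: b"/usr/bin/vim\0--password-store=basic\0",
}
```

Calling `audit(read_proc())` applies the same check to the processes currently running on a Linux host.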
