https://bugs.kde.org/show_bug.cgi?id=450004
michaelk83 <[email protected]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[email protected]

--- Comment #4 from michaelk83 <[email protected]> ---
This is a common issue with many password managers. From what I've read, it's
often considered not worth addressing (or rather, barking up the wrong tree) by
security people.

It's only an issue if someone gains physical access to your PC with an unlocked
session. In which case, they can gain access to the passwords by a variety of
other ways, and do a lot of other damage. So just hiding the passwords visually
becomes quite pointless, and gives a false sense of security.

> When you try to use the password on the website it was stored for,
> you are not asked again and again for the master password.

This is one easy way to circumvent such hiding. The unauthorized person can
simply copy-paste the password from the website form (or worse, gain access to
the website account).

The recommended solution is:
1. Set auto-locking of the keyring/wallet after some short period, so that your
   passwords are actually protected.
2. Set auto-locking of the session after some short period, to protect against
   other possible attacks, and set the keyring/wallet to auto-lock when the
   session is locked.
3. Always lock your session when you leave your PC. Don't leave your PC
   unattended with an unlocked session. (The auto-locking is there in case you
   forget, but you should make this a habit.)

> I understand a solution would be to close the wallet, or let it close after a
> certain period,
> but this would bring back the well-known annoyance of KWallet popping up
> every 5 seconds
> asking for a password, and this is something I am really trying to avoid.

There's always a trade-off between security and convenience. You can set the
lock timeout a little longer.
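Added example, not part of the original comment or of KDE's code: a small audit of a kwalletrc file against points 1 and 2 of the recommendation above. The key names (`Close When Idle`, `Idle Timeout`, `Close on Screensaver` in the `[Wallet]` group) are assumed from KWallet's configuration file and should be checked against the installed version; the 10-minute threshold and both sample configs are constructed.

```python
# Added example: audit KWallet auto-lock settings in a kwalletrc file.
# Key names are assumptions about kwalletrc; a missing key is treated as "off".
MAX_IDLE_MINUTES = 10  # constructed policy threshold, not a KDE default

def parse_wallet_group(text):
    """Return the key/value pairs found in the [Wallet] group of a KDE rc file."""
    group, values = None, {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("[") and line.endswith("]"):
            group = line[1:-1]
        elif group == "Wallet" and "=" in line:
            key, _, value = line.partition("=")
            # KDE may append markers such as "[$i]" to a key name; drop them.
            values[key.split("[$")[0].strip()] = value.strip()
    return values

def audit(text, max_idle=MAX_IDLE_MINUTES):
    """Return a list of findings; an empty list means both points are met."""
    wallet = parse_wallet_group(text)
    enabled = lambda key: wallet.get(key, "").lower() == "true"
    findings = []
    if not enabled("Close When Idle"):
        findings.append("wallet is not closed after an idle period")
    else:
        try:
            minutes = int(wallet.get("Idle Timeout", ""))
        except ValueError:
            minutes = None
        if minutes is None or minutes <= 0 or minutes > max_idle:
            findings.append(f"idle timeout missing or longer than {max_idle} min")
    if not enabled("Close on Screensaver"):
        findings.append("wallet stays open when the session is locked")
    return findings

# Constructed sample inputs (not taken from a real system).
WEAK = "[Wallet]\nClose When Idle=false\nClose on Screensaver=false\nIdle Timeout=10\n"
HARDENED = "[Wallet]\nClose When Idle=true\nClose on Screensaver=true\nIdle Timeout=5\n"

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit(cfg) or "ok")
```

On a real system the file is usually `~/.config/kwalletrc`; pass its contents to `audit()`.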
