Chromium and saved passwords

In my recent review of “chromium”, I mentioned that it offers to save passwords, and stores them in kwallet.  This suggests that they should be stored in encrypted form, due to the way that kwallet works.

Unfortunately, things may be worse.  I recently tested out “chromium” while logged into Gnome.  And when I visited a site where chromium had a saved password, it filled in the password field.  But I was never prompted for the key to unlock kwallet.

It now looks as if “chromium” is saving the passwords in kwallet, where they are encrypted.  But it is apparently also saving them in an unencrypted (but obscured) file in the user's chromium profile directory.

This is not good.


About Neil Rickert

Mathematician and computer scientist who dabbles in cognitive science.

2 responses to “Chromium and saved passwords”

  1. carsten says :

    Did you find the 2nd location? Maybe it stores the kwallet password or kwallet even is broken? I do not like it at all.


    • Neil Rickert says :

      Did you find the 2nd location?

      The user profile seems to be stored in “$HOME/.config/chromium/Default”. There are two files there with suggestive names:

      -rw------- 1 rickert users 12288 Feb 19 14:42 Login Data
      -rw------- 1 rickert users   512 Feb 19 14:42 Login Data-journal
      

      The first of those appears to be an sqlite database. The second is probably control information, such as about how the passwords are obfuscated.

      No, chromium does not store the kwallet password. It does not see that. You are prompted directly by kde-wallet for that.

      This is probably poor programming design. Apparently they added support for kwallet, but did not remove the code that saved the passwords directly in the profile.
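
One way to check what the reply above describes, as an added example (not code from the original post, its comments, or Chromium): a read-only audit that confirms the file is SQLite, checks its permissions against the `-rw-------` shown in the listing, and counts rows holding a non-empty password blob without reading any secret. The `logins` table and `password_value` column are assumptions about the profile schema, and the sample database is constructed.

```python
import os
import sqlite3
import stat
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"  # first 16 bytes of every SQLite 3 file

def audit_login_data(path):
    """Summarise how a 'Login Data' file holds credentials; reads no secret values."""
    path = Path(path).resolve()
    mode = stat.S_IMODE(os.stat(path).st_mode)
    report = {"mode": oct(mode), "is_sqlite": False, "rows": 0,
              "group_other_access": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
              "rows_with_password_blob": 0}
    with open(path, "rb") as fh:
        report["is_sqlite"] = fh.read(16) == SQLITE_MAGIC
    if not report["is_sqlite"]:
        return report
    # mode=ro so the audit never modifies the profile; close the browser first,
    # otherwise the database may be locked.
    con = sqlite3.connect(path.as_uri() + "?mode=ro", uri=True)
    try:
        # Assumed schema: table `logins` with a `password_value` BLOB column.
        total, with_blob = con.execute(
            "SELECT COUNT(*), SUM(length(password_value) > 0) FROM logins").fetchone()
        report["rows"], report["rows_with_password_blob"] = total, int(with_blob or 0)
    except sqlite3.OperationalError:
        report["schema"] = "unexpected"  # no `logins` table or column
    finally:
        con.close()
    return report

def build_sample(directory):
    """Create a constructed stand-in for a profile's 'Login Data' file."""
    path = Path(directory) / "Login Data"
    con = sqlite3.connect(str(path))
    con.execute("CREATE TABLE logins "
                "(origin_url TEXT, username_value TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://a.example/", "alice", b""),                # secret held elsewhere
        ("https://b.example/", "bob", b"constructed-blob"),  # secret in the profile
    ])
    con.commit()
    con.close()
    os.chmod(path, 0o600)
    return path

if __name__ == "__main__":
    import tempfile
    with tempfile.TemporaryDirectory() as d:
        print(audit_login_data(build_sample(d)))
```

A non-zero `rows_with_password_blob` means credential data sits in the profile file itself, so its protection depends on the file permissions and on however the blob is encoded, not on the wallet.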
