
Thread: Keyring passwords visible after login without second password prompt

  1. #21
    Join Date
    Sep 2006
    Location
    Central Europe
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Anyone care to share steps to reproduce?

    Besides I'm totally with replies #2, #3, and #15.
    The Power User’s Guide to Unity
    Questions about Ubuntu? Ask them at askubuntu.com!

  2. #22
    Join Date
    Mar 2009
    Location
    New Zealand
    Beans
    687
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Blatant security flaw much?

    Quote: Originally Posted by MacUntu
    Anyone care to share steps to reproduce?

    Besides I'm totally with replies #2, #3, and #15.
    1. Restart your computer and log in, make sure you never enter any passwords after your desktop has loaded. Don't do any sudoing or anything.

    2. Go to Applications > Accessories > Passwords and Encryption Keyrings

    3. Click on the 'login' folder to drop down and view programs that store data here.

    4. Double click on something you want to look at.

    5. Click Password to show some dots, then uncheck the box below the dots marked "Show password"

    6. Note that throughout this whole procedure, not once were you prompted to enter in anything that verifies you are authorized to view this information.

    Ways to solve: Change how this data is stored or prompt to enter in your user password to view your user data.
    Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.

  3. #23
    Join Date
    Sep 2006
    Location
    Central Europe
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    I've asked because that's exactly what I did and I couldn't reproduce it. Do you have autologin enabled? Maybe an empty keyring password?
    The Power User’s Guide to Unity
    Questions about Ubuntu? Ask them at askubuntu.com!

  4. #24
    Join Date
    Sep 2009
    Beans
    52

    Re: Blatant security flaw much?

    What's the point of having a keyring password when that password is never ever asked?

    Those who do not agree to having a choice for prompting for password, should remove their user passwords and remove even the option to have user login passwords. After all you guys are saying rely ONLY on physical security. Because according to your view, locking the screen is useless as well since anyone can access your data through a live CD/DVD.

  5. #25
    Join Date
    Sep 2009
    Beans
    52

    Re: Blatant security flaw much?

    Quote: Originally Posted by MacUntu
    I've asked because that's exactly what I did and I couldn't reproduce it. Do you have autologin enabled? Maybe an empty keyring password?
    Did it ask you to enter a password or just click the allow button?

  6. #26
    Join Date
    Sep 2006
    Location
    Central Europe
    Beans
    Hidden!
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    Ha, got me - yes, I now can reproduce it. Autologin enabled, non-empty keyring password.
    The Power User’s Guide to Unity
    Questions about Ubuntu? Ask them at askubuntu.com!

  7. #27
    Join Date
    Mar 2009
    Location
    New Zealand
    Beans
    687
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Blatant security flaw much?

    Hmm I don't have Auto login enabled. I'm pretty sure my keyring has a password, I just did a fresh install though... how to check?
    Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.

  8. #28
    Join Date
    Jun 2007
    Beans
    676

    Re: Blatant security flaw much?

    Quote: Originally Posted by the.lost.one
    Those who do not agree to having a choice for prompting for password, should remove their user passwords and remove even the option to have user login passwords. After all you guys are saying rely ONLY on physical security. Because according to your view, locking the screen is useless as well since anyone can access your data through a live CD/DVD.
    The keyring only allows the user, logged in, to access the passwords. A live CD/DVD wouldn't work.

    The Gnome keyring is based on three simple principles:

    1) If someone is logged in as user X, he is user X and has already proved his identity at login.

    2) If someone is not logged in as user X, he is not user X and cannot see the passwords of user X. That includes the live CD user.

    3) In the unlikely event that someone logged in as user X is NOT user X and has malicious intentions, the mere fact that this person is using user X's account is already a massive security hole as far as personal info is concerned. Imposing security restrictions for this situation is sacrificing usability for minimal security gain.

    For more info, see the security philosophy of Gnome keyring.

    If you disagree with this, go discuss in the keyring mailing list. But do not report bugs, this is by design.
    Last edited by Keyper7; October 27th, 2009 at 12:33 PM.

  9. #29
    Join Date
    Mar 2009
    Location
    New Zealand
    Beans
    687
    Distro
    Ubuntu 10.10 Maverick Meerkat

    Re: Blatant security flaw much?

    Quote: Originally Posted by Keyper7
    The keyring only allows the user, logged in, to access the passwords. A live CD/DVD wouldn't work.

    The Gnome keyring is based on three simple principles:

    1) If someone is logged in as user X, he is user X and has already proved his identity at login.

    2) If someone is not logged in as user X, he is not user X and cannot see the passwords of user X. That includes the live CD user.

    3) In the unlikely event that someone logged in as user X is NOT user X and has malicious intentions, the mere fact that this person is using user X's account is already a massive security hole as far as personal info is concerned. Imposing security restrictions for this situation is sacrificing usability for minimal security gain.

    For more info, see the security philosophy of Gnome keyring.

    If you disagree with this, go discuss in the keyring mailing list. But do not report bugs, this is by design.
    Thanks for clarifying. I guess this does make sense. But then why do I have to enter in my password for a whole host of other things, when I have already proved that it's me at login?

    And also, Ubuntu can run for a long amount of time without being rebooted or logged in/out, so surely there should be some sort of timer, perhaps 3 hours, where the user needs to re-prove that it is still the correct user when he/she tries to access seahorse passwords in the keychain.

    All I'm saying is that it would be simple to add in a prompt for you to enter in your user password before you are allowed to see the passwords for these things.

    The email account and password in particular is very sensitive and important to most people, so more should be done to protect any access to these sorts of user details.

    Just my opinion.
    Writer for OMG! Ubuntu!, Editor-in-Chief Ubuntu Gamer. Co-founder of media and software company Ohso.
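
The re-authentication timer proposed in post #29, modelled next to the unlock-at-login behaviour described in post #28. This is an added example, not part of any post and not gnome-keyring or seahorse code; the class `ReauthKeyring`, its method names, and the sample password and secret are hypothetical and constructed for illustration.

```python
import hashlib
import hmac
import os
import time

REAUTH_WINDOW = 3 * 60 * 60  # seconds; the "perhaps 3 hours" suggested in the post

class ReauthKeyring:
    """Hypothetical model: secrets are readable only within `window` seconds
    of the last successful password proof (login counts as the first proof)."""

    def __init__(self, password, secrets, window=REAUTH_WINDOW, clock=time.monotonic):
        self._salt = os.urandom(16)
        # The model keeps only a salted verifier; a real keyring would encrypt
        # the stored items under a key derived from the password.
        self._verifier = self._derive(password)
        self._secrets = dict(secrets)
        self._window = window
        self._clock = clock          # injectable so tests need not wait 3 hours
        self._proved_at = None       # None means locked

    def _derive(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 200_000)

    def authenticate(self, password):
        ok = hmac.compare_digest(self._derive(password), self._verifier)
        if ok:
            self._proved_at = self._clock()
        return ok

    def is_unlocked(self):
        return (self._proved_at is not None
                and self._clock() - self._proved_at < self._window)

    def reveal(self, name):
        if not self.is_unlocked():
            self._proved_at = None   # relock until the password is proved again
            raise PermissionError("re-authentication required")
        return self._secrets[name]

def demo():
    now = [0.0]                      # constructed fake clock
    kr = ReauthKeyring("login-pass", {"mail": "s3cret"}, clock=lambda: now[0])
    out = [kr.authenticate("login-pass"), kr.reveal("mail")]  # proof at login
    now[0] += REAUTH_WINDOW + 1      # session left running past the window
    try:
        kr.reveal("mail")
    except PermissionError as exc:
        out.append(str(exc))
    out.append(kr.authenticate("wrong"))  # a failed proof does not unlock
    out.append(kr.is_unlocked())
    return out
```

Passing `window=float("inf")` reproduces the unlock-at-login model from post #28, where one proof at login stays valid for the whole session.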

  10. #30
    Join Date
    May 2007
    Location
    UK near Bedford
    Beans
    3,483
    Distro
    Ubuntu Development Release

    Re: Blatant security flaw much?

    I find this to be poor security because it assumes that the security level of passwords stored on the machine relates to the level of security of the machine itself.

    e.g. Let's say a user is working in an open environment where colleagues and passers-by will have intermittent access - say while the person goes for a coffee. This is ok because a) the user is never away very long and b) there is no secure information on the actual machine.

    However there may be times when the user accesses a more secure environment, say a particular WiFi network, located elsewhere, even his own personal network at home. Under these circumstances a casual viewer can easily gain access to passwords and keys.
    PC

    To get a terminal command to put its output into a file use this format
    {terminal command} > {filename}
