
Thread: Keyring passwords visible after login without second password prompt

  1. #271
    Join Date
    Oct 2007
    Beans
    Hidden!

    Re: Blatant security flaw much?

    Quote Originally Posted by mcduck View Post
    I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

    Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.
    While it's certainly a good idea to enable that, using your logic it's another false sense of security, since anyone could move the mouse to restart those 15 minutes endlessly. In the real world you also often expect to return to your PC instantly, but while walking back with your cup of coffee you get called away, meet someone, you stumble and break a leg.
    Not to mention opening seahorse and printing a printscreen would take less than 1 minute. Not to mention the fact my "lock screen" doesn't work for some reason.

    For all those cases it would be nice if seahorse did not make it so blatantly easy to obtain my passwords.

  2. #272
    Join Date
    Sep 2009
    Beans
    52

    Re: Blatant security flaw much?

    Quote Originally Posted by mcduck View Post
    What comes to people not being absolutely trustworthy or absolutely untrustworthy, I don't see what that has to do with you letting them use your personal user account when there's the Guest Session available.
    Quite a bit of people don't think that it has nothing to do with it. If I, say, make my hypothetical new girlfriend log in as guest, that sends her the signal that I don't trust her. I might trust her with using my computer but I don't want her to know every single password in keyring. You can say that's normal, she should understand and I should try to change how she thinks. But you know what? I'd rather change how my passwords are stored instead of how the girlfriend thinks.

    This is just one of the many scenarios in which it will be useful to have this feature or security layer, whichever way you wanna look at it.

    Quote Originally Posted by mcduck View Post
    Even better, that would be quite a polite thing to do anyway since perhaps the person using your computer doesn't quite trust you and might like to keep his browsing history secured from you.. Letting him use the guest session instead of your own brings security to both, you and the guest.
    Is that true? Because it appears that if I have sudo password I can install malicious software for all users including guests?

  3. #273
    Join Date
    Apr 2005
    Location
    Finland/UK
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Blatant security flaw much?

    Quote Originally Posted by snkiz View Post
    Is your timeout set for 30 seconds? If not, you're unprotected until the screensaver kicks in.

    Lap belts in cars can cause injury, by your logic you're better off not being strapped in?
    FAIL
    It's 2 minutes. At least that's a lot better than letting anybody always have free access to the system. And pretty much enough to make sure nobody has enough time to find that my machine is unattended and unlocked and access it, at least in the time that's left after I've left the room... Still, this far I haven't forgotten to lock the machine myself, and even if I would I wouldn't blame it on anybody else than myself.

    And FAIL yourself. As long as you know that some system is not secure you know that you are yourself responsible, and know to take required actions to prevent damage. With the false security you imagine that the system is secure enough that you don't need to take any responsibility yourself.

    Your seat belt analogy might be correct if using seatbelts would actually create very little extra safety (or no safety at all) but were still marketed as something that would protect you ~100% in case of accidents. If that was the case then yes, I wouldn't bother strapping myself in. (In reality seat belts actually bring considerably more security than cause damage, so I'm using them).
    Last edited by mcduck; October 29th, 2009 at 03:36 PM.

  4. #274
    Join Date
    May 2006
    Location
    Switzerland
    Beans
    2,907
    Distro
    Ubuntu 20.04 Focal Fossa

    Re: Blatant security flaw much?

    Quote Originally Posted by michaelzap View Post
    It's reasonable to wonder why passwords for things other than your local computer can be viewed in clear text without entering a password. Even Windows doesn't allow that.
    There is a tool called "SnadBoy Revelation". Go and Google it. With it you can unmask any password Windows is "protecting". So even if Windows doesn't show the password it's easy for a user-space application such as "SnadBoy" to find it in the RAM and reveal it.

    At least with Linux you know right away what you're dealing with.

  5. #275
    Join Date
    Sep 2009
    Beans
    52

    Re: Blatant security flaw much?

    Quote:
    Originally Posted by mcduck
    I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

    Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.


    How inconvenient it would be if I have to unlock the screen after every 5 minutes! Plus, for those 5 minutes, even a noob can get my passwords.

    Edit:
    If I am a reporter in a war zone I would wear a helmet and bullet proof vest and not when I am going shopping in a peaceful area.
    Last edited by the.lost.one; October 29th, 2009 at 03:41 PM.

  6. #276
    Join Date
    Apr 2005
    Location
    Finland/UK
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Blatant security flaw much?

    Quote Originally Posted by the.lost.one View Post
    Is that true? Because it appears that if I have sudo password I can install malicious software for all users including guests?
    Of course you can, if you are the admin of the machine.

    If we must be this pedantic about details then let me put it this way: letting guest users use guest account instead of your own will bring you considerably better security, and the guest user better security than using your account would. Still, the guest user is using your computer and thus must have some level of trust towards you and accept the fact that the machine is still yours and runs software you have installed and configured.

  7. #277
    Join Date
    Apr 2005
    Location
    Finland/UK
    Beans
    Hidden!
    Distro
    Ubuntu 16.04 Xenial Xerus

    Re: Blatant security flaw much?

    Quote Originally Posted by the.lost.one View Post
    Quote:
    Originally Posted by mcduck
    I really need to repeat this once again? I've mentioned this at least 5 times in this thread now:

    Both Gnome-screensaver and the power manager allow you to set the session to lock automatically. Just enable that if you feel that you might not remember to lock the session yourself.


    How inconvenient it would be if I have to unlock the screen after every 5 minutes! Plus, for those 5 minutes, even a noob can get my passwords.
    Then perhaps you could try to lock the machine yourself? Most people don't really have any problems remembering to lock their home doors, their cars, remembering to take their ATM cards out of the ATM machine after withdrawing some money etc. I don't see how remembering to lock your computer would be so much harder than those things are.

    And even if the machine would only unlock after those 5 minutes, it would still be more secure than not unlocking it at all. I once again need to repeat myself, but getting the keys out of the keyring on an unlocked session doesn't require any programming skills, just a bit of cunning. (I'd rather not start describing the ways the keys can actually be accessed without using the keyring manager and writing any programs. Besides, at least one method has already been mentioned in this thread. The point is that the keys are still accessible as plain text through the programs that already exist in your system and use those keys.)
    Last edited by mcduck; October 29th, 2009 at 03:48 PM.

  8. #278
    Join Date
    Oct 2008
    Beans
    561

    Re: Blatant security flaw much?

    Quote Originally Posted by the.lost.one View Post
    I would also like to know why is it that Empathy, Pidgin use keyring but aMSN does not? If the Ubuntu developers can make some applications use keyring, why not make the applications encrypt passwords themselves?
    Pidgin doesn't use the keyring, it stores its files in plain text
    http://developer.pidgin.im/wiki/PlainTextPasswords
    You can have applications encrypt the passwords themselves; unfortunately, because most of the apps we use are open source the encryption method is on show, so either you require another password, or you have a useless encryption method.

    Currently, as some people have mentioned that all applications have access to keyring once a user is logged in. Why not have a system where ONLY the applications a user authorises can access keyring? And no it won't be a bother because one has to type the password the first time one is saving it. After that only the "xyz" application I have authorised would automatically access the password.

    That way even if someone tries to run a script to get all my passwords, they won't be able to because their script won't be authorised to access keyring.
    First, does that mean you wouldn't allow seahorse access to the passwords?
    Second, this indicates that you have an app on your system that you don't trust, that is a bigger security flaw than having passwords on show. Again, the apps are open source; the app can just rip all the stuff out of trusted app to make it appear that it is a trusted app.
    Check out my little app. Tnote

  9. #279
    Join Date
    Jun 2007
    Beans
    Hidden!

    Re: Blatant security flaw much?

    Quote Originally Posted by mcduck View Post

    And FAIL yourself. As long as you know that some system is not secure you know that you are yourself responsible, and know to take required actions to prevent damage. With the false security you imagine that the system is secure enough that you don't need to take any responsibility yourself.
    First off, the timer resets if you touch the keyboard or mouse so that's a false sense of security. Second, most don't know the system is that insecure. Ubuntu and Gnome have done nothing to inform the user. Third, it would be far easier for me to just remove the keyring altogether than to stay here arguing the function of seahorse. So I am taking responsibility, for newbies that don't know any of this.

  10. #280
    Join Date
    Jun 2007
    Beans
    Hidden!

    Re: Blatant security flaw much?

    Quote Originally Posted by benj1 View Post
    Pidgin doesn't use the keyring, it stores its files in plain text
    http://developer.pidgin.im/wiki/PlainTextPasswords
    You can have applications encrypt the passwords themselves; unfortunately, because most of the apps we use are open source the encryption method is on show, so either you require another password, or you have a useless encryption method.
    Not true, open source encryption depends on a random key. Even with the source for the encryption method you still need that key.
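
The disagreement in posts #278 and #280 (whether an open-source application can usefully encrypt stored passwords itself) comes down to where the key lives. The sketch below is an added example, not code from the thread or from any application named in it; the function names, the sample password and the HMAC-based stand-in cipher are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

def _xor_stream(key, nonce, data):
    # HMAC-SHA256 in counter mode as keystream: a stdlib stand-in for a real AEAD.
    stream = b"".join(
        hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, stream))

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    ct = _xor_stream(key, nonce, plaintext)
    return nonce + ct + hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(key, b"mac" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong key or modified data")
    return _xor_stream(key, nonce, ct)

def derive_key(passphrase, salt):
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000)

def store_with_key_on_disk(password):
    # App-managed encryption: random key, but saved beside the ciphertext.
    key = secrets.token_bytes(32)
    return {"key": key, "blob": seal(key, password)}

def store_with_passphrase(password, passphrase):
    # Key is never stored; only the salt needed to re-derive it is.
    salt = secrets.token_bytes(16)
    return {"salt": salt, "blob": seal(derive_key(passphrase, salt), password)}

def read_as_same_user(store, passphrase=None):
    # Models any process in the session that can read the store's files.
    if "key" in store:
        return unseal(store["key"], store["blob"])
    if passphrase is None:
        raise PermissionError("passphrase required to derive the key")
    return unseal(derive_key(passphrase, store["salt"]), store["blob"])

if __name__ == "__main__":
    secret = b"example-password"  # constructed sample value
    print(read_as_same_user(store_with_key_on_disk(secret)))
    print(read_as_same_user(store_with_passphrase(secret, "pass phrase"), "pass phrase"))
```

The first store opens with file access alone, because the random key sits next to the data it protects; the second opens only with the passphrase, which is the "another password" cost raised in post #278.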
