Bug 78505 - wallets require a password
Status: RESOLVED FIXED
Alias: None
Product: kdelibs
Classification: Frameworks and Libraries
Component: kwallet
Version: 0.1
Platform: unspecified Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: George Staikos
Duplicates: 80857 82247
 
Reported: 2004-03-26 19:08 UTC by Flavio Stanchina
Modified: 2008-09-19 02:52 UTC


Description Flavio Stanchina 2004-03-26 19:08:55 UTC
Version:           1.0 (using KDE 3.2.1,  (testing/unstable))
Compiler:          gcc version 3.3.3 (Debian)
OS:          Linux (i686) release 2.6.4-athlon

While a password is useful on wallets for shared or otherwise unprotected accounts (for example, mom doesn't want to enter password at login), I find it quite uncomfortable that I *have* to password-protect a wallet. The whole point of having passwords stored somewhere is not having to type them -- *any* of them; and by the way, if someone is already logged in with my account I don't care if he can access stored passwords, because he already has access to a lot of other sensitive information.

Mozilla, for example, doesn't require a master password on the password manager.

There should be a very prominent warning when the user sets no password on his wallet, but *please* allow it.

See also bug #70332
Comment 1 Dan Bullok 2004-04-11 20:35:18 UTC
PLEASE consider adding this feature.  Those of us that are aware of the security implications should be able to make the decision to not use a password.  The chances of someone with sinister motives having access to my machine while I'm logged in are extremely low.  However, the chances of me having to repeatedly enter my kwallet password are about 100%.  Analyzing the risk/benefit of each choice, I'm choosing no password.
My pc is behind TWO firewalls, in a home with a burglar alarm and my 220 pounds of whoop-ass protecting it.  If someone nasty can get past all that, they're welcome to the passwords (most of them are to stuff like bugs.kde.org, forums.gentoo.org, IBM's alphaworks and Sun's download page anyway - I'm not going to lose sleep over the life-altering consequences of these passwords being divulged).
Comment 2 David Findlay 2004-04-22 14:12:43 UTC
I agree with this too. I've already logged in, I don't want to have to enter my password again to do stuff. Maybe if it would be possible for mail and kopete not to require entry of the password, but stuff like bank logins to do. Thanks,

David
Comment 3 Mika Myllynen 2004-04-23 17:54:30 UTC
Also (strongly) agree. Although kwallet is awesome otherwise, it's highly annoying to enter login details and right after KDE is up to be prompted for password AGAIN when kopete starts. Please consider adding option to disable master password usage.
Comment 4 George Staikos 2004-05-03 22:02:30 UTC
*** Bug 80857 has been marked as a duplicate of this bug. ***
Comment 5 Paulo Fidalgo 2004-05-14 19:19:16 UTC
Well, I think the best option is not to disable it, but to give the option for passwordless. So the users that want to protect their passwords can protect them, and the users that don't care about protecting don't protect.

That's one solution that makes everybody happy ;)
Comment 6 Flavio Stanchina 2004-05-14 20:25:41 UTC
That's of course what I meant when I originally filed this bug. There's no question that password-protecting your wallet is often a good idea, but in my case I'm relying on the operating system's privacy and security features to keep nosey family members out, and I wouldn't store sensitive passwords anywhere anyway.
Comment 7 Jason Keirstead 2004-05-14 20:52:57 UTC
I agree 100%. I don't care about KWallet's "security" at all, all I want is the convenience of not having to type in passwords everywhere.

If someone is to the point where they have broken into my house to access my PC ( about the only way they could read a file on my machine, aside from some remote exploit bug in both my router and SSH ), then the safety of my slashdot password is my least concern.

Comment 8 Casey Allen Shobe 2004-05-14 23:29:45 UTC
I think that a passwordless kwallet should furthermore be the default.  Then every application can use kwallet without using its own storage mechanism, and without asking you.  My roommate once accidentally clicked cancel when the kwallet dialog showed up, so now we have no idea how to make the application use kwallet (and just as good, because he doesn't want to be bothered with any passwords besides the initial login anyways).

The kwallet dialog should still appear upon first use, but instead of a very confusing "here's this weird and confusing thingy, do you want to use it?", it would simply be "Do you want to protect all of your passwords with a password?", the default otherwise being to use a wallet with no password.

Thus the extra security is there for those who care, it's not a headache for the vast majority of us who don't worry about our accounts being compromised, it's less confusing for the end user, and there's less code for the developers.  Sounds to me like a win all around, with no cons.
Comment 9 Janis Blechert 2004-05-21 11:36:30 UTC
I guess I just have to say 'yes' now..
Comment 10 Maksim Orlovich 2004-05-26 15:38:58 UTC
*** Bug 82247 has been marked as a duplicate of this bug. ***
Comment 11 Bip Thelin 2004-05-27 11:58:48 UTC
I'm not sure which password you use when you authenticate to KWallet? I use (or
is it the same) as my normal login password. So if those are the same (shouldn't
they be?) couldn't just a Single Sign On happen for KWallet.
i.e: I have password XXX, I log into KDE from KDM and I automatically get SSO:d
into KWallet since KDE knows who I am and that I'm logged in. i.e. If I don't log
in with a password but with a smartcard I'd also get SSO:d into KWallet 'cause
KDE tells it who I am and that I'm logged in. I mean shouldn't the authentication
of KWallet be integrated with KDE? When you lock your machine KWallet gets locked.
When you unlock your machine KWallet gets unlocked. and so on..

just my €0.2
Comment 12 Bart Verwilst 2004-05-27 12:04:14 UTC
I agree, this would be the best way to handle this i think.. Then the user doesn't need to receive a first-time popup, since a new kwallet (if one doesn't exist) can be created automatically at the first login, and encrypted with the user's password. If people really don't want to use the wallet, there could be an option in kcontrol or something that disables it.. Locking the screen locks the wallet, same as logging out (duuh ;) ).. Would be great IMHO ;)
Comment 13 Jason Keirstead 2004-05-27 13:38:45 UTC
This isn't a solution because a) not everyone uses KDM, b) If you didn't use KDM such a scheme would still require a password.

The whole point of this bug is there are many who simply *do not care* about the security features of kwallet, we simply want a handy password / form saver tool like Mozilla / IE has.

Comment 14 Bart Verwilst 2004-05-27 13:47:57 UTC
Hm, that's true indeed :) didn't think of that :) Ignore my previous comment ;) Although it would be nice to have :p
Comment 15 Casey Allen Shobe 2004-05-27 21:40:08 UTC
There's no advantage of having the same password for the wallet and your user account as having no password on your wallet in a file only your user can read.

Also how would you propose changing the wallet password when your system password is changed by root on the command line?

If you're overparanoid about the root account, then you shouldn't be saving passwords on that machine...moreover you shouldn't ever be entering a password anywhere using that machine.  Root can log keystrokes or whatever else he likes.

The ONLY advantage of having a password on a wallet is that you can copy your wallet file to a place others can read (i.e. your public website), without worrying about them reading your passwords, or if you fear the general public may access your account.  Why you would conduct such activity or have such a weak security policy I have no idea.  If your machine's security is crap and somebody has root access, all is lost anyways.

But tell me, doesn't kwallet support this already?  Konqueror never asked/asks me for a kwallet password, but it uses kwallet to store all of my passwords quite happily.  I had no big annoying and confusing "Welcome to KWallet Setup" popup, it just simply worked.  Is the problem simply in implementation by other applications?
Comment 16 Dominique Devriese 2004-05-27 21:51:43 UTC
Casey Allen Shobe writes:

> There's no advantage of having the same password for the wallet and
> your user account as having no password on your wallet in a file
> only your user can read.

Technically, there is an advantage, namely because if a hacker gets
access to your account, he didn't necessarily get it by using your
password ( much more likely he didn't ) and since IIUC, the kwallet
data is encrypted with the password, he needs the password to gain
access to the kwallet data.  This means there is still a border
between having access to your account and having access to your
kwallet data.

> Also how would you propose changing the wallet password when your
> system password is changed by root on the command line?

There is no reason why the two passwords need to be the same.

But I agree that the kwallet password is not very useful, and very
annoying for users and that it should default to
not-password-protected.

cheers
domi

Comment 17 Casey Allen Shobe 2004-05-28 10:43:33 UTC
> Technically, there is an advantage, namely because if a hacker gets 
> access to your account, he didn't necessarily get it by using your 
> password ( much more likely he didn't ) and since IIUC, the kwallet 
> data is encrypted with the password, he needs the password to gain 
> access to the kwallet data.

If he has access to your account, he can monitor the kwallet password prompt process and learn the kwallet password anyways next time you type it.
Comment 18 Dominique Devriese 2004-05-28 10:56:08 UTC
Casey Allen Shobe writes:

>> Technically, there is an advantage, namely because if a hacker gets
>> access to your account, he didn't necessarily get it by using your
>> password ( much more likely he didn't ) and since IIUC, the kwallet
>> data is encrypted with the password, he needs the password to gain
>> access to the kwallet data.

> If he has access to your account, he can monitor the kwallet
> password prompt process and learn the kwallet password anyways next
> time you type it.

Yes, but this is not all that easy and requires you using the kwallet
etc.  I was just pointing out there's an extra step that a
hypothetical cracker would have to go through, so security-wise there
is a certain advantage.

cheers
domi

Comment 19 Casey Allen Shobe 2004-05-28 11:08:00 UTC
In regard to the question about Konqueror's kwallet implementation versus other kwallet implementations - I think I misinterpreted things.  When I log in to KDE, Kopete starts, and thus I get a kwallet password prompt, and enter my password.  Thus, the wallet is open, for any application - including Konqueror, until such a time that I log out; because I never close Kopete and just restart it when it crashes.

This makes kwallet's "security features" a bit more pointless, because unless I close every application accessing the wallet, all of my passwords are wide open for public viewing with no password prompt, within kwallet's kcontrol module.  My kwallet password is stored in user-accessible memory of course, so assuming I'm logged in when this "hacker" gets to my account, he's got all of my passwords anyways, without waiting for me to enter it again.

If I'm not logged in, then my machine is turned off, making cracking my computer's security even harder than it already is.  So, computer off, or danger of password exposure.  No different than before kwallet, just more annoying ;-).

I still think kwallet is useful though, because every application can use one password/data-saving mechanism, and I can theoretically easily backup the wallet of saved data.
Comment 20 Casey Allen Shobe 2004-05-28 11:10:07 UTC
> I was just pointing out there's an extra step that a 
> hypothetical cracker would have to go through, so security-wise there 
> is a certain advantage.

Yes, you are correct.  The hypothetical cracker (ahhh, finally a correct term :-D) would have to be a bit more intelligent.  He couldn't just use 'cat <filename>' ;-).
Comment 21 Grzegorz Jaskiewicz 2004-05-28 11:18:48 UTC
On Friday 28 May 2004 10:08, Casey Allen Shobe wrote:

> If I'm not logged in, then my machine is turned off, making cracking my
> computer's security even harder than it already is.  So, computer off, or
> danger of password exposure.  No different than before kwallet, just more
> annoying ;-).
>
> I still think kwallet is useful though, because every application can use
> one password/data-saving mechanism, and I can theoretically easily backup
> the wallet of saved data.

That's why in the real world, passwords are still stored in memory in scrambled 
version, on always as original, because this would require it to store 
KWallet password. 

There is no doubt, the only way to achieve perfect (almost) security here is 
to ask for password to KWallet every time. As we clearly head opposite way, I 
guess only choice is to make it harder to attacker. To keep unencrypted 
passwords in memory makes it very easy to someone with root 
privs., /proc/<PID>/... shows processes memory, /dev/kmem, and he's done :-)

Comment 22 Jason Keirstead 2004-05-28 13:38:31 UTC
On May 28, 2004 06:18 am, Grzegorz Jaskiewicz wrote:
> That's why in the real world, passwords are still stored in memory in scrambled 
> version, on always as original, because this would require it to store 
> KWallet password. 

I would not say "in the real world" here. I would venture the # of programs that actually store
passwords "scrambled" or encrypted in main memory would be extremely low. More like
"in the paranoid world"  - see my next comment.

> To keep unencrypted passwords in memory makes it very easy to someone with root 
> privs., /proc/<PID>/... shows processes memory, /dev/kmem, and he's done :-)

Er.... so, someone with malicious intent, a hacker or whoever, is already logged into your
compromised machine, is already root, and you are concerned with KWallet passwords? He
can read the raw memory or TCP stack, he can intercept the usernames and passwords at any
point along the transmission chain ( not to mention read the KWallet password right off the keyboard
as you type it ).  If someone already has root on your box KWallet's security is totally useless
no matter how you cut it.


Comment 23 Grzegorz Jaskiewicz 2004-05-28 14:11:57 UTC
On Friday 28 May 2004 12:38, Jason Keirstead wrote:
> On May 28, 2004 06:18 am, Grzegorz Jaskiewicz wrote:
> > That's why in the real world, passwords are still stored in memory in
> > scrambled version, on always as original, because this would require it to
> > store KWallet password.
>
> I would not say "in the real world" here. I would venture the # of programs
> that actually store passwords "scrambled" or encrypted in main memory would
> be extremely low. More like "in the paranoid world"  - see my next comment.
>
> > To keep unencrypted passwords in memory makes it very easy to someone with
> > root privs., /proc/<PID>/... shows processes memory, /dev/kmem, and he's
> > done :-)
>
> Er.... so, someone with malicious intent, a hacker or whoever, is already
> logged into your compromised machine, is already root, and you are
> concerned with KWallet passwords? He can read the raw memory or TCP stack,
> he can intercept the usernames and passwords at any point along the
> transmission chain ( not to mention read the KWallet password right off the
> keyboard as you type it ).  If someone already has root on your box
> KWallet's security is totally useless no matter how you cut it.
See, that's why we have paranoids. And I would like to see passwords being 
stored in memory, scrambled. The same applies to password input controls.

Simple example, plenty of ppl did that already, proving the point. You are 
second user on computer. You start to eat random numbers of memory. At some 
stage, memory of other guy's account gets on swap, computer gets slower. You 
kill all your programs, and ask system for swappable only memory, as much as 
you can get. You go through that memory (which is initialised), and search 
for passwords. Thou, as single unprivileged user, there is a big chance to 
get that password. 
I didn't want to go to examples like that anyway....
This isn't rare case, this can happen in real world, and happened plenty of 
times. That's why some ppl are - as you call them - paranoid, for a reason 
that is clear and valid.


Comment 24 Olivier Goffart 2004-05-28 18:37:02 UTC
> If someone already has root on your box KWallet's security is totally useless 

It is useful if you consider someone stealing your machine.
If he has the hard-disk, he can read it, but he can't read the kwallet file.

Anyway, there are other tools to keep important files secret.  The kernel supports encrypted partitions.

Anyway, even the root can't know the user password. So having KDM opening the wallet is not a bad idea.
And even, we could log in kdm with the kwallet password, and having the unix password stored in the wallet.
Comment 25 Jason Keirstead 2004-05-28 19:35:24 UTC
I think this discussion is getting way off track.

This wish is for option to have the ability to have a totally unencrypted wallet - no password, no kdm, nothing. Just a simple way to store unimportant passwords.

Any wishes for KWallet to use single sign on with KDM do not help solve this wish ( not everyone uses KDM, etc etc ), and should be made in another bug.
Comment 26 Casey Allen Shobe 2004-05-28 22:18:37 UTC
Jason - user-accessible memory and process information is accessible to that user whose account has been supposedly compromised, not just root.

Olivier - any integration with KDM is horrible and bad.  Not everyone uses X11 login, and KDM isn't the greatest as far as *DMs go.  KDM has NOTHING to do with KDE except that oh, it happens to use the same libraries, and that's the way it MUST remain.

Yes, if my machine is stolen, or if my backed-up password file gets stolen, then sure, kwallet provides security.  It does NOT provide any security if one's account is compromised, and he is using kwallet - only a bit of obfuscation (pointless).

Grzegorz - scrambling a password in memory does not make it unreadable.  It's merely obfuscation as well, the same as storing a scrambled password that would otherwise be stored in a file.

Jason - you are correct in that there is no real way to make passwords really secure without prompting for a password every time.  For the paranoid user, I think the best option would be a way to auto-close the wallet after every access, but that's another wishlist item.

However, I do not think wanting a "totally unencrypted wallet" is a valid wish at all, because that makes it impossible for me to backup my wallet onto a floppy kept in a public place, etc. without worrying about all of my passwords being compromised (which I do *NOT* consider unimportant - my bank passwords, paypal password, ebay password, are all stored in the wallet in addition to my IM passwords - moreover anyone with access to that many of my passwords may discover the scheme I use for making up a different password for every service, and even unsaved passwords may be guessed at that point).

Rather, I think the solution to this problem is quite simple.  Make the kwallet setup prompt a lot simpler, something on the order of "Please enter the master password you wish to use to protect all of your other passwords below:" with two inputs, and "okay" and "advanced" buttons.  Make the kwallet password prompt have a "Save Password" checkmark - if this is checked the master password can be stored, scrambled or not, in the kwallet configuration file, NOT the wallet file.  Then if I move my wallet somewhere else, I still need a password to access it.

You don't lose any security this way, and the paranoid user can simply not save his kwallet password.
Comment 27 Dan Bullok 2004-05-29 00:40:33 UTC
--Casey Allen Shobe wrote:
> However, I do not think wanting a "totally unencrypted wallet" is a valid wish
> at all, because that makes it impossible for me to backup my wallet onto a
> floppy kept in a public place, etc. without worrying about all of my passwords
> being compromised.

Okay, it sounds like you want this feature (I do too), but your solution is a bit more convoluted than I believe is necessary.  If you are storing your wallet on a floppy in a public place, it isn't the kwallet developer's responsibility to keep that file safe.  First of all, storing backups of important passwords in public is dumb as hell.  If you need that kind of protection, you need to encrypt it yourself, and not depend on the developer to protect you from a practice that falls so far outside the realm of common sense.  Better yet, find someplace else for that floppy.

You just can't protect people from everything.  Eventually, someone's going to do something stupid enough to invalidate any security precautions the developer takes.  Choosing a "no password" option implicitly tells the developer that they are off the hook for the security of that info.  Insisting that the passwords are safe even if you leave them in a public place is like insisting that a gun manufacturer ensure public safety when you turn off the safety lock and start firing randomly.  It is not the developer's job (especially when the "job" is unpaid) to anticipate all of the stupid things you plan on doing with your data, and find a way to protect you from all of them. 

And I have to take issue with calling this an "invalid wish".  Allowing a blank password is the easiest way to implement the requested feature.  If you NEED better security, then you need to either use a kwallet password, or take other precautions.  I'm not going to simultaneously demand security AND password-less use of kwallet.

If you still think an unencrypted password file is a no-no, imagine the following situation.  Your machine is only used by your immediate family, has no open ports, and is behind two firewalls.  Your house is secure.  Your backups are locked in a safe (or encrypted).  The only passwords you keep in your kwallet are things like kde.bugs.org, IBM developer works, and other websites that will e-mail you your password in plaintext if you ask for it.  Your files are safe from prying eyes, AND you don't EVEN CARE if the passwords are made public.  Just leave it unencrypted, save me some keystrokes and the developer doesn't waste time securing things that don't need to be secured, or that, ultimately, cannot be secured if the user decides to do something batty.  This sounds not only like a "valid wish", but an expedient solution to the problem.

Once I choose to take responsibility for the security of the password file, I don't ever want to see that kwallet password dialog again.  And I'm not going to blame the developer if someone logs into slashdot as me and posts something rude.
Comment 28 Olivier Goffart 2004-05-29 09:53:27 UTC
I feel as if Casey thinks that we want to remove the password of all wallets.
No!  We just want to have an _optional_ password.  If the user wants a password, he enters one; if not, he leaves the wallet without a password.

Personally, my KWallet does not have a password. But the **** dialog continues to ask me for the empty password.  I want it to allow an empty password, and not ask for the empty password.


P.S: About KDM, it's a solution to keep the password encrypted, but continue to insert only one password.   And if the user does not use KDM? Never mind, the normal popup will show up.
Comment 29 Stefan Gehn 2004-05-29 10:03:04 UTC
And don't forget that KWallet can hold several wallets with different passwords. That way you can have a passwordless kopete-wallet and a secured one for all your website-logins, or however you want to handle it.

It's just about being able to have passwordless-wallets, nothing less and nothing more!
Comment 30 Casey Allen Shobe 2004-05-29 10:48:02 UTC
My point is, that kwallet provides absolutely NO security advantage like everyone likes to believe EXCEPT for making the wallet *file* in and of itself inviewable without a password used as a key to decrypt it.  Any claims of heightened security as a result of using kwallet are simply not true.

What it IS, is a unified interface to the developer, and more visibly a nuisance to the user, which is why this wishlist item exists.  There is value in the common code for the developer, instead of each application using its own password obfuscating mechanism.  There is NO VALUE in making things more confusing and annoying for the user with false pretenses of better security.  The last few people I've introduced to linux have been so confused when the kwallet dialog appears that they just click cancel.

Olivier - you're making false assumptions of my assumptions.  I never said anything about *ALL* wallets, I said that having a mechanism to save the password for a particular wallet (and not for another) is the ONLY way to get rid of the annoyance (for one particular wallet) without sacrificing the small amount of security benefits that using kwallet provides.  Also, there is absolutely no way that KDM should have anything to do with kwallet.  What happens when a user's password is changed because the security policy requires it to be changed every month?  What happens when the user simply changes his password on a whim?

Dan - 
> If you need that kind of protection, you need to encrypt it yourself, and
> not depend on the developer to protect you from a practice that falls so far
> outside the realm of common sense.

I happen to agree.  But by this argument, why the hell does kwallet even exist?  I was merely pointing out the ONLY advantage it gives, in tradeoff for the pain in the arse it is to the user.

What is the difference between a zero-character password and a saved password?  None at all, except the latter is more consistent with other password prompts and you don't flush the small amount of benefit that using kwallet provides down the toilet.  All of your arguments..."once I choose to use no password"...how is that any different from "once I choose to save my master password"?  It's not.

If you truly don't care about your password security at all, then once again, why are you using kwallet?  Why is it included in kdelibs/base?  Why must users be forced to deal with this annoying thing they don't care about (I certainly don't)?

And no, I cannot choose which wallet various passwords for different websites get stored in.  Konqueror uses one wallet, and that's what I'm stuck with.  I can't store my bugs.kde.org password in one wallet and my bank password in another, but that hardly matters.
Comment 31 Thomas Zander 2004-06-08 19:36:45 UTC
Hmm; I wish I could make a negative vote on this since this wish really is bogus.  If users want this I suggest they use a post-it-note for their master password and put it on the monitor.
Allowing a no-password storage of all data which allows anyone else to post email as you, post in online forums as you and post bank-transfers as you is not to be underestimated.   Think about it; your little-sister thinks it's nice to post silly stories on that news-site you are always on.  You lose all credibility there and have no way to convince people you were not you.

Also consider that electronic passwords and identities stay around for decades.  Sign up for a slashdot account, now try to remove that account; almost no online services allow you to remove an account.  Years after you die all your posts will still be online and readable for the world.

I have no good words for anyone that cares so little about security and privacy that they actually want to vote for this wish.
Comment 32 Olivier Goffart 2004-06-08 19:55:35 UTC
Thomas, I like your irony

Passwords that are actually stored in my wallet are not important. They are often passwords required to connect to some stupid forums. 

And even, my kwallet is not open for everyone. To read my password, you first need to access my computer.

If I store them in the wallet it's mainly because I don't want to type them. But I'm still forced to type the kwallet password :-(

Oh, and finally, remember there is no need of a password to post email as someone else, or to subscribe in forums with your identity.  And these practices are generally condemned by laws.
Comment 33 Malte S. Stretz 2004-06-08 20:04:00 UTC
Currently everybody can send emails in my name anyway as I have stored both the password for my SMTP server and my POP account in my kmailrc.

Or somebody with access to my box can dd my swap partition, take it home and look for password strings. The following article was recently posted to The Site You Mentioned: http://www.newscientist.com/news/news.jsp?id=ns99995064
Comment 34 _ 2004-06-08 20:17:28 UTC
I'd like to see KWallet linked to the user account so that the user login also means kwallet login.
Comment 35 Jason Keirstead 2004-06-08 20:18:02 UTC
Also, KWallet can handle many wallets. You could make an unencrypted passwords 
for your 99% of unimportant stuff, and an encrypted wallet with your bank 
password and other stuff if you want.

There's really no reason we should be forcing encryption on the user, just 
because some of us are paranoid.

Comment 36 Stefan Gehn 2004-06-08 20:24:47 UTC
one important thing some people seem to miss:

KWALLET IS NOT SECURE AT ALL!

It is just a way to hide your passwords a bit, it's unimportant if I do this in kwallet or if I encrypt it manually with some stupid thing in every single application, it's just easier for developers and users because they both have one central place for it.

If you really want security then you shouldn't store ANY passwords on your computer.
Comment 37 Grzegorz Jaskiewicz 2004-06-08 20:48:08 UTC
Going further, Stefan. I agree with you, and even further, I already proved 
that even typing in password in konqy or whatever can leave it on swap, and 
can be intercepted by someone who got access to your computer :-)

But wallet is supposed to increase security, and that's what we are talking 
about. We agree that security means for us, that passwords are not stored as 
plain text on HD, and we require some kind of key to unscramble them, even if 
that key is stored on HD without password.

--
GJ

Comment 38 Jason Keirstead 2004-06-08 20:51:02 UTC
On June 8, 2004 03:24 pm, Stefan Gehn wrote:
> KWALLET IS NOT SECURE AT ALL!
> It is just a way to hide your passwords a bit,

And of course this is also true. The passwords are still in plain text in 
memory and in the swap file. 

Also, the only extra protection KWallet even pretends to provide above UNIX 
file permissions  is in case someone somehow hacks into your machine / steals 
it, they don't have your passwords. But if they have the ability to do this, 
they also have the ability to install a software or hardware keyboard grabber 
to get the passwords anyways.

So at most, KWallet provides an *illusion* of security.
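
Comments 21 to 23 and 37 to 38 raise the point that passwords sit in plain text in process memory and can end up in swap. As an added example that is not part of the original thread and is not KWallet code, the C program below shows the application-side mitigation for the swap case: hold the secret in page-aligned memory locked with mlock() and overwrite it before release. The `secret_buf` type and its functions are hypothetical names, and the sample secret is constructed.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <unistd.h>

/* Hypothetical type for this example: one page-aligned secret buffer. */
typedef struct {
    unsigned char *data; /* page-aligned storage */
    size_t cap;          /* capacity, a whole number of pages */
    int locked;          /* 1 if mlock() succeeded, 0 otherwise */
} secret_buf;

/* Zero memory through a volatile pointer so the compiler cannot discard
 * the stores as dead writes just before the buffer is freed. */
static void secure_wipe(void *p, size_t n)
{
    volatile unsigned char *v = (volatile unsigned char *)p;
    while (n--)
        *v++ = 0;
}

/* Allocate at least `want` bytes, rounded up to whole pages, and try to
 * lock them so the kernel will not page them out to swap. */
int secret_buf_init(secret_buf *sb, size_t want)
{
    long page = sysconf(_SC_PAGESIZE);
    sb->data = NULL;
    sb->cap = 0;
    sb->locked = 0;
    if (page <= 0 || want == 0 || want > SIZE_MAX - (size_t)page)
        return -1;
    size_t cap = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    unsigned char *p = aligned_alloc((size_t)page, cap);
    if (p == NULL)
        return -1;
    /* mlock() can fail (for example when RLIMIT_MEMLOCK is exceeded);
     * record the outcome so the caller can decide whether to go on. */
    sb->locked = (mlock(p, cap) == 0);
    memset(p, 0, cap);
    sb->data = p;
    sb->cap = cap;
    return 0;
}

/* Copy a NUL-terminated secret into the buffer, replacing old contents. */
int secret_buf_store(secret_buf *sb, const char *secret)
{
    size_t n = strlen(secret) + 1;
    if (sb->data == NULL || n > sb->cap)
        return -1;
    secure_wipe(sb->data, sb->cap);
    memcpy(sb->data, secret, n);
    return 0;
}

/* Overwrite the whole buffer; call as soon as the secret was used. */
void secret_buf_wipe(secret_buf *sb)
{
    if (sb->data != NULL)
        secure_wipe(sb->data, sb->cap);
}

/* Return 1 if every byte of the buffer is zero. */
int secret_buf_is_zero(const secret_buf *sb)
{
    for (size_t i = 0; i < sb->cap; i++)
        if (sb->data[i] != 0)
            return 0;
    return 1;
}

/* Wipe, unlock and free. The wipe happens while the pages are still locked. */
void secret_buf_destroy(secret_buf *sb)
{
    if (sb->data == NULL)
        return;
    secure_wipe(sb->data, sb->cap);
    if (sb->locked)
        munlock(sb->data, sb->cap);
    free(sb->data);
    sb->data = NULL;
    sb->cap = 0;
    sb->locked = 0;
}

int main(void)
{
    secret_buf sb;
    if (secret_buf_init(&sb, 64) != 0)
        return 1;
    printf("capacity=%zu locked=%d\n", sb.cap, sb.locked);
    secret_buf_store(&sb, "constructed-sample-secret"); /* constructed value */
    /* ... use the secret here ... */
    secret_buf_wipe(&sb);
    printf("zero after wipe=%d\n", secret_buf_is_zero(&sb));
    secret_buf_destroy(&sb);
    return 0;
}
```

This covers only the swap exposure: a process running as the same user or as root can still read the live buffer, and memory locks do not keep RAM out of a suspend-to-disk image.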

Comment 39 George Staikos 2004-06-08 21:09:41 UTC
On June 8, 2004 14:51, Jason Keirstead wrote:
> And of course this is also true. The passwords are still in plain text in
> memory and in the swap file.
>
> Also, the only extra protection KWallet even pretends to provide above UNIX
> file permissions is in case someone somehow hacks into your machine /
> steals it, they don't have your passwords. But if they have the ability to
> do this, they also have the ability to install a software or hardware
> keyboard grabber to get the passwords anyways.
>
> So at most, KWallet provides an *illusion* of security.

   It only provides "at most an illusion of security" if you only consider the 
cases that you outlined.  You should read the paper at least to learn more 
about it.  In particular, I travel with my laptop.  If I lose it, I can have 
a high degree of confidence that my passwords won't be stolen.  I couldn't do 
that before when I was using a text file.

Comment 40 Jason Keirstead 2004-06-08 21:37:15 UTC
On June 8, 2004 04:09 pm, George Staikos wrote:
> In particular, I travel with my laptop.  If I lose it, I
> can have a high degree of confidence that my passwords won't be stolen.
> I  couldn't do that before when I was using a text file.

This is only true if you take the time to randomize the contents of entire 
swap file every time you log out of the laptop.

Also, you do have to consider that if you just took into account the # of 
users, KDE desktop users probably outnumber laptop users by a huge margin.

I think we can all agree that the point of the bug ( the ability to have an 
unencrypted kwallet ) is extremely valid. Many / most people just simply do 
not care about the security of these passwords, since they do not commit 
important passwords to disk anyways.

Comment 41 George Staikos 2004-06-08 21:52:52 UTC
On June 8, 2004 15:37, Jason Keirstead wrote:

> On June 8, 2004 04:09 pm, George Staikos wrote:
> > In particular, I travel with my laptop.  If I lose it, I
> > can have a high degree of confidence that my passwords won't be stolen.
> > I  couldn't do that before when I was using a text file.
>
> This is only true if you take the time to randomize the contents of entire
> swap file every time you log out of the laptop.
>
> Also, you do have to consider that if you just took into account the # of
> users, KDE desktop users probably outnumber laptop users by a huge margin.
>
> I think we can all agree that the point of the bug ( the ability to have an
> unencrypted kwallet ) is extremely valid. Many / most people just simply do
> not care about the security of these passwords, since they do not commit
> important passwords to disk anyways.

   I think it's worth implementing, and one day maybe I will implement it.  I 
did start once but there were some subtle complications to work out first.  I 
just find it amusing how long the thread is going after I said I would 
implement it.

Comment 42 Francisco 2004-08-02 17:52:06 UTC
I think this is a very important addition to kwallet, currently I choose not to use it because of this annoyance.
But of course you should have this as an option.
Comment 43 Tiago Freire 2004-09-15 21:49:58 UTC
I have already voted, but decided to add a 'me too' comment in the thread. I think of the following, most of which might have been exhaustively beaten out in the thread:
1) passwordless kwallet
and/or
2) kwallet and kdm as a single thing 
2.1) integrate kwallet with kdm
or 
2.2) deprecate kdm and add features to kwallet for it to be THE login,
and/or
3) making kwallet password and system password a single thing,
which would make 1) happen

or something else. whatever.
Comment 44 Jason Keirstead 2004-09-16 00:22:59 UTC
KDM and KWallet shouldn't be integrated for several reasons.

1. Not everyone uses KDM. You need to be able to use KWallet without KDM.

2. KDM can't use KWallet for authentication since it needs to
authenticate against the system and the system knows nothing about
KWallet

3. KWallet's encryption is arguably much stronger than the encryption
used in most logins, so using KDM as its authentication would be
making it weaker with no benefit.

4. If you have an option to use KWallet without a password (as said in
this bug), then there is no need for any integration at all with KDM,
since a passwordless KWallet is nearly the exact same thing in terms
of security (if you can crack the system password you have access
to the data)

The solution to this bug is very simple - provide an option for a passwordless wallet, that just uses the old string obscuring method KMail used for "encrypting" passwords.
Comment 45 Olivier Goffart 2004-09-16 08:54:21 UTC
Jason, are you forced to repeat yourself every comment? (cf. Comment #13)
KDM and KWallet integration could be of course optional.  KDM could open the kwallet to get the user's login password.
An option to have a Kwallet without password is IMO needed.  But an additional option to integrate KDE and KWallet would be for more security.
Comment 46 Thomas Zander 2004-10-31 20:30:01 UTC
Did anyone think about authenticating via kwallet _before_ KDM and provide username/password to kdm from the wallet?
This is (can be made to be) totally secure and makes the complaint for double logins null and void.  And for the ones not using KDM (which distro does not ship KDM by default?) make sure these *DMs allow this too.  It's not really a dependency on kdelibs; only on one API of kwallet.

Oh; the most obvious solution (the one I use) is to not shutdown your machine every night.  Now you only need to type your password every 2 months or so :)
Comment 47 Michiel de Bruijne 2004-10-31 20:44:28 UTC
I don't even want to login in kdm manually. I have enabled automatic login. I just want a password manager to remember my passwords like any other browser. I'm not working at the NSA, I just want more usability.
Comment 48 _ 2004-10-31 21:34:35 UTC
I think one password is enough for everything on a home machine!
Comment 49 Olivier Goffart 2004-10-31 22:15:08 UTC
If you don't have KDM, no problem, KWallet falls back to the old system and asks for a second password.

(Anyway, I still think a non-secure kwallet with no password should be possible)
Comment 50 Steve Walesch 2004-10-31 22:26:12 UTC
As far as I see most people seem to be a bit pissed off by the fact that you have to enter the password (and so am I). Please implement a feature which does not prompt for the password, and implement it as securely as possible. The method described by Thomas Zander (Comment #46) seems quite interesting to me.
Comment 51 _ 2004-10-31 22:51:43 UTC
It starts to piss people off when they _always_ have to enter a password, like when they're using the KDE IM client Kopete. This might prevent people from using the program at all.
Comment 52 Michiel de Bruijne 2004-10-31 23:02:38 UTC
Correctomundo, I have Kopete in my Autostart and therefore disabled kwallet, because I hate the mandatory login. It's such a shame because kwallet is fantastic without this enforcement.
Comment 53 Sebastien 2004-11-02 01:21:27 UTC
I too would want not to have to type any password more than the login one.
And because I don't have any ultra secret data on my PC, I have even activated NO password on KDM autologin.

I liked the Firefox (and Mozilla) password manager where we don't have to enter any password for everything.
I too haven't assigned "master password", that's just so bad...

Would want to find back the pleasure of the password manager of Firefox, since I now switched to Konqueror.

Please !
895 votes.
Oh no, 915 with mine :-)
Comment 54 George Staikos 2004-11-06 12:47:51 UTC
CVS commit by staikos: 

Add support for insecure wallets as requested.  Crackers around the world
rejoice!

FEATURE: 78505


  M +1 -0      kio/misc/kwalletd/Makefile.am   1.6
  M +22 -13    kio/misc/kwalletd/kwalletd.cpp   1.76
  M +4 -6      kio/misc/kwalletd/kwalletwizard.ui.h   1.6
  M +7 -16     kwallet/backend/kwalletbackend.cc   1.55



Comment 55 _ 2004-12-24 18:08:12 UTC
I still think some kind of KDM/KWallet password combination would be nice, e.g. you log into KWallet which contains your linux password, and KDM then logs in.
Comment 56 Gilles Schintgen 2005-02-11 16:58:59 UTC
Just a note for those interested in Single-Sign-On (which would solve the password problem in a more elegant and secure way): have a look at Bug 92845.
Comment 57 Roland Schulz 2005-09-11 16:28:48 UTC
*** Bug 102465 has been marked as a duplicate of this bug. ***
Comment 58 Kamil Neczaj 2008-09-19 02:52:46 UTC
I'm also in favour of pam. There are applications in kde such as kopete, kmail, as someone said knetworkmanager, all of them require kwallet to be opened. Let's assume that the user uses only kde applications. He starts KDE; after a while Kopete or KNetworkManager wants to open kwallet. These applications are running through the whole KDE session so the wallet is always opened. Now, the user must type two passwords (or even one but two times). He is really irritated because if he used pidgin or psi instead of kopete he wouldn't type the password the second time. The same with KNetworkManager, if he didn't use it and manually configure his network, he mustn't type the password twice. So the user has always opened kwallet. Isn't it unsecure? I really wouldn't care about that kwallet is open or not. The kwallet should be secure even when it is opened. I'd rather care about that one application has access to password of others. The user really shouldn't be able to read passwords from kwallet using "Wallet Manager". Every application should have its own wallet and have permissions only to this one. KWallet simply shouldn't inform applications about passwords which aren't in their wallets. For example if application is called "kopete" it can only use "kopete" wallet. 
At this point emerges the problem of applications prepared to steal passwords which simply imitate the proper ones. It also can be solved, by naming wallets with full path to application. The applications in system directories cannot be replaced by others because it needs root access.

Example:
1. Kopete tries to read our password from kwallet
2. The kwallet checks kopete's executable file name and path to it.
3. Kwallet has got that file /usr/bin/kopete tries to read password from its wallet.
4. It allows /usr/bin/kopete access only to "/usr/bin/kopete" wallet.

Wallet Manager shouldn't provide functions to read all passwords from one place!!! Now, using Wallet Manager even a beginner can easily read all passwords when kwallet is open!!!

I have also two questions about kwallet subsystem:
1. Open kwallet stores unencrypted passwords in RAM, right?
2. So is it true that advanced user using proper software can read the passwords directly from memory if kwallet is running with privileges of the same user? 

If the answers to above questions are "yes", maybe it is better to run kwallet as a daemon with root privileges. The common user hasn't privileges to read memory reserved by programs run by root so he cannot read even the unencrypted passwords. If the solution with daemon is most secure the wallets should be called according to scheme: "/usr/bin/kopete:1001", where 1001 is UID of user whose passwords are stored in the wallet.
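
The path-plus-UID wallet naming proposed in comment 58, sketched as an added example (not KWallet code and not part of the thread). All function names are hypothetical, and resolving the caller through `/proc/<pid>/exe` assumes Linux:

```cpp
#include <climits>
#include <iostream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// Resolve the caller's binary through /proc/<pid>/exe (Linux-specific assumption).
std::string exePathOf(pid_t pid) {
    char buf[PATH_MAX];
    const std::string link = "/proc/" + std::to_string(pid) + "/exe";
    ssize_t n = readlink(link.c_str(), buf, sizeof(buf));
    return n > 0 ? std::string(buf, static_cast<size_t>(n)) : std::string();
}

// The "cannot be replaced without root" condition: the file and every parent
// directory must be owned by root and not writable by group or others.
bool rootControlled(std::string path) {
    if (path.empty() || path[0] != '/') return false;
    for (;;) {
        struct stat st;
        if (stat(path.c_str(), &st) != 0) return false;   // missing or "(deleted)"
        if (st.st_uid != 0 || (st.st_mode & (S_IWGRP | S_IWOTH))) return false;
        if (path == "/") return true;
        const size_t slash = path.find_last_of('/');
        path = slash == 0 ? "/" : path.substr(0, slash);
    }
}

// Wallet name in the comment's scheme, e.g. "/usr/bin/kopete:1001".
std::string walletNameFor(const std::string& exe, uid_t uid) {
    return exe + ":" + std::to_string(uid);
}

// Policy decision: a caller may open only the wallet named after its own binary and UID.
bool mayOpen(const std::string& exe, uid_t uid, const std::string& wallet, bool trusted) {
    return trusted && !exe.empty() && wallet == walletNameFor(exe, uid);
}

// Hypothetical daemon-side entry point combining the steps for a live caller.
bool checkRequest(pid_t pid, uid_t uid, const std::string& wallet) {
    const std::string exe = exePathOf(pid);
    return mayOpen(exe, uid, wallet, rootControlled(exe));
}

int main() {
    const std::string exe = exePathOf(getpid());
    std::cout << exe << " -> " << walletNameFor(exe, getuid())
              << (rootControlled(exe) ? " (root-controlled)" : " (not trusted)") << "\n";
}
```

The check ties a wallet to a binary's path at the moment of the request; it does not cover code loaded into that binary by another process running as the same user, which is the concern behind the comment's two questions about reading memory.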