| Summary: | Is the KWallet is insecure? | ||
|---|---|---|---|
| Product: | [Applications] kwalletmanager | Reporter: | Piotr Mierzwinski <piotr.mierzwinski> |
| Component: | general | Assignee: | Valentin Rusu <valir> |
| Status: | RESOLVED NOT A BUG | ||
| Severity: | normal | CC: | mk.mateng, nicolas.fella, piotr.mierzwinski |
| Priority: | NOR | ||
| Version First Reported In: | unspecified | ||
| Target Milestone: | --- | ||
| Platform: | Neon | ||
| OS: | Linux | ||
| Latest Commit: | Version Fixed/Implemented In: | ||
| Sentry Crash Report: | |||
Description
Piotr Mierzwinski
2023-02-26 23:04:43 UTC
It's true that any program can request any password from an open wallet. KWallet was never designed to prevent that, because it's somewhat impossible to do. It would require that apps can be uniquely identified and can't "impersonate" another app, which isn't possible in the traditional Linux world.

That doesn't mean KWallet is useless though. The primary thing it prevents is storing passwords in plaintext on the disk so that they can't easily be read if someone has physical access to your computer, e.g. by stealing your laptop.

(In reply to Nicolas Fella from comment #1)
> It's true that any program can request any password from an open wallet.
> KWallet was never designed to prevent that, because it's somewhat impossible
> to do. It would require that apps can be uniquely identified and can't
> "impersonate" another app, which isn't possible in the traditional Linux
> world.
>
> That doesn't mean KWallet is useless though. The primary thing it prevents
> is storing passwords in plaintext on the disk so that they can't easily be
> read if someone has physical access to your computer, e.g. by stealing your
> laptop

Yes, but if malware/malicious software appears on my PC, then it will be able to get the password. Am I right?

(In reply to Piotr Mierzwinski from comment #3)
> Yes, but if malware/malicious software appears on my PC,
> then it will be able to get the password. Am I right?

It's generally the same with other password managers (with small differences). Some vulnerabilities are very difficult to protect against without deeper support at the OS level. If you get malware on your PC, it's potentially game over, depending on how bad the malware is. Your best bet is to not leave the wallet open more than you need to, use a long passphrase for the wallet (it's easier to remember than a password), and do what you can to protect yourself from getting infected with malware.

The password managers are there to make it as difficult as possible to gain access to your accounts, while allowing you to use more secure passwords and still manage them relatively easily. They can't protect you entirely from all threats on their own.