Bug 450004 - KWallet shows passwords in plaintext without asking for user's password as confirmation
Status: RESOLVED DUPLICATE of bug 147873
Alias: None
Product: kwalletmanager
Classification: Applications
Component: general
Version: 21.12.2
Platform: Fedora RPMs Linux
Importance: NOR major
Target Milestone: ---
Assignee: Valentin Rusu
URL:
Keywords:
Depends on:
Blocks:
 
Reported: 2022-02-11 12:14 UTC by Marco
Modified: 2022-09-06 10:17 UTC
CC: 2 users

See Also:
Latest Commit:
Version Fixed In:


Description Marco 2022-02-11 12:14:15 UTC
SUMMARY
KWallet, when open, allows, via the GUI, to see all passwords in plain text. I understand this is "normal", since the wallet is open, but given the number of applications using the wallet, it means it will *always* be open. I would say that at least at the GUI level, kwallet should ask the user password before showing the passwords in plain text, when clicking the "show password" button, as a basic security measure.
Let me point out that this kind of security measure is already implemented when changing KWallet's settings. In this case, before applying a change, the user's password is required.


STEPS TO REPRODUCE
1. Simply open KWallet
2. Choose any folder
3. click the show password button

OBSERVED RESULT

The password is immediately shown in plain text, without first asking the current user's password.

EXPECTED RESULT
KWallet should first confirm the operation by asking the user's password.

SOFTWARE/OS VERSIONS
Linux/KDE Plasma:  Fedora 35
(available in About System)
KDE Plasma Version: 5.24
KDE Frameworks Version: 5.90.0
Qt Version: 5.15.2

ADDITIONAL INFORMATION
I understand a solution would be to close the wallet, or let it close after a certain period, but this would bring back the well-known annoyance of KWallet popping up every 5 seconds asking for a password, and this is something I am really trying to avoid.
Comment 1 David Goguen 2022-02-11 13:35:56 UTC
As you mentioned, your wallet has a master password and if you “Close” the wallet in the GUI at the top before closing KWalletManager itself, it will prompt for the master password of the wallet when you open KWalletManager again. This comes at the inconvenience of re-entering the password to reopen the wallet.

Just my two cents, but I really don’t think this is a bug. It’s the same as if you store your passwords for autofill in your web browser, you can access the list in the web browser settings in plain text as long as the user is logged into the computer normally. If a user has to enter their password to open KWalletManager alone, do they then have to enter the password to the wallet right after? Seems like a bit of a pain to me, but I do get it from a security perspective.

This is an interesting one and I’m interested to see what others think.

This is KDE, perhaps introduce a switch in the KWalletManager settings so users can choose to prompt for password when it opens or not, that way everyone is satisfied :)

(In reply to Marco from comment #0)
> SUMMARY
> KWallet, when open, allows, via the GUI, to see all passwords in plain text.
> I understand this is "normal", since the wallet is open, but given the number
> of applications using the wallet, it means it will *always* be open. I would
> say that at least at the GUI level, kwallet should ask the user password
> before showing the passwords in plain text, when clicking the "show
> password" button, as a basic security measure.
> Let me point out that this kind of security measure is already implemented
> when changing KWallet's settings. In this case, before applying a change,
> the user's password is required.
> 
> 
> STEPS TO REPRODUCE
> 1. Simply open KWallet
> 2. Choose any folder
> 3. click the show password button
> 
> OBSERVED RESULT
> 
> The password is immediately shown in plain text, without first asking the
> current user's password.
> 
> EXPECTED RESULT
> KWallet should first confirm the operation by asking the user's password.
> 
> SOFTWARE/OS VERSIONS
> Linux/KDE Plasma:  Fedora 35
> (available in About System)
> KDE Plasma Version: 5.24
> KDE Frameworks Version: 5.90.0
> Qt Version: 5.15.2
> 
> ADDITIONAL INFORMATION
> I understand a solution would be to close the wallet, or let it close after
> a certain period, but this would bring back the well-known annoyance of
> KWallet popping up every 5 seconds asking for a password, and this is
> something I am really trying to avoid.
Comment 2 Marco 2022-02-11 14:36:56 UTC
In fact, Firefox has a master password that, if you choose to use it, when you try to access the passwords stored for each website, Firefox will first ask you for the master password before showing them to you. This *always* happens, even if you have unlocked Firefox on first launch with the master password.

This is the kind of behaviour I would have expected from KWallet, to help reduce obvious passwords leaks.
Comment 3 Marco 2022-02-11 14:38:51 UTC
(In reply to Marco from comment #2)
> In fact, Firefox has a master password that, if you choose to use it, when you
> try to access the passwords stored for each website, Firefox will first ask
> you for the master password before showing them to you. This *always* happens,
> even if you have unlocked Firefox on first launch with the master password.
> 
> This is the kind of behaviour I would have expected from KWallet, to help
> reduce obvious passwords leaks.

P.S. and by "try accessing" I mean via the browser settings page. When you try to use the password on the website it was stored for, you are not asked again and again for the master password.
Comment 4 michaelk83 2022-09-06 08:06:55 UTC
This is a common issue with many password managers. From what I've read, it's often considered not worth addressing (or rather, barking up the wrong tree) by security people. It's only an issue if someone gains physical access to your PC with an unlocked session. In which case, they can gain access to the passwords in a variety of other ways, and do a lot of other damage. So just hiding the passwords visually becomes quite pointless, and gives a false sense of security.

> When you try to use the password on the website it was stored for,
> you are not asked again ad again for the master password.
This is one easy way to circumvent such hiding. The unauthorized person can simply copy-paste the password from the website form (or worse, gain access to the website account).

The recommended solution is:
1. Set auto-locking of the keyring/wallet after some short period, so that your passwords are actually protected.
2. Set auto-locking of the session after some short period, to protect against other possible attacks, and set the keyring/wallet to auto-lock when the session is locked.
3. Always lock your session when you leave your PC. Don't leave your PC unattended with an unlocked session. (The auto-locking is there in case you forget, but you should make this a habit.)

> I understand a solution would be to close the wallet, or let it close after a certain period,
> but this would bring back the well-known annoyance of KWallet popping up every 5 seconds
> asking for a password, and this is something I am really trying to avoid.
There's always a trade-off between security and convenience. You can set the lock timeout a little longer.
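The auto-lock settings recommended in comment 4 live in the `[Wallet]` group of `~/.config/kwalletrc`. The following script is an added example, not code from this bug report or from KWallet; it audits a kwalletrc for the three settings (idle close, idle timeout, close on screensaver) and produces a hardened copy. The key names "Close When Idle", "Idle Timeout" and "Close on Screensaver", their `true`/`false` values, the timeout unit (minutes) and the defaults are assumptions based on the kwalletd configuration as the editor recalls it; the sample config and the 15-minute policy threshold are constructed for the example.

```python
"""Audit a kwalletrc for the auto-lock settings discussed in this thread.

Added example, not part of the bug report or of KWallet itself. The key
names, value syntax and defaults under [Wallet] are assumptions; compare
them with your own ~/.config/kwalletrc before relying on this.
"""
import configparser
import io
from typing import List

# Constructed sample resembling the situation the reporter describes:
# the wallet is opened once and then stays open for the whole session.
WEAK_KWALLETRC = """\
[Wallet]
Enabled=true
Close When Idle=false
Close on Screensaver=false
Idle Timeout=10
Leave Open=true
"""

# Policy threshold for this audit (assumption, pick one that fits your risk).
MAX_IDLE_MINUTES = 15


def _parse(text: str) -> configparser.ConfigParser:
    """Parse the INI-style kwalletrc, preserving key case and spaces."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep "Close When Idle" exactly as written
    cp.read_string(text)
    return cp


def audit_kwalletrc(text: str) -> List[str]:
    """Return findings for settings that leave the wallet open; [] if fine."""
    cp = _parse(text)
    if not cp.has_section("Wallet"):
        # Assumed kwalletd defaults: no idle close, no close on screensaver.
        return ["no [Wallet] section: defaults apply, wallet never auto-closes"]
    w = cp["Wallet"]
    findings = []
    if not w.getboolean("Close When Idle", fallback=False):
        findings.append("Close When Idle is off: wallet stays open until logout")
    else:
        timeout = w.getint("Idle Timeout", fallback=10)
        if timeout > MAX_IDLE_MINUTES:
            findings.append(
                f"Idle Timeout={timeout} min exceeds policy of {MAX_IDLE_MINUTES} min"
            )
    if not w.getboolean("Close on Screensaver", fallback=False):
        findings.append(
            "Close on Screensaver is off: wallet stays open while the session is locked"
        )
    return findings


def harden_kwalletrc(text: str, idle_minutes: int = 10) -> str:
    """Return a copy of the config with idle close and close-on-lock enabled."""
    cp = _parse(text)
    if not cp.has_section("Wallet"):
        cp.add_section("Wallet")
    cp["Wallet"]["Close When Idle"] = "true"
    cp["Wallet"]["Idle Timeout"] = str(idle_minutes)
    cp["Wallet"]["Close on Screensaver"] = "true"
    out = io.StringIO()
    cp.write(out, space_around_delimiters=False)  # kwalletrc uses key=value
    return out.getvalue()


if __name__ == "__main__":
    for finding in audit_kwalletrc(WEAK_KWALLETRC):
        print("WEAK:", finding)
    print(harden_kwalletrc(WEAK_KWALLETRC))
```

Run it against `~/.config/kwalletrc` (read the file and pass its contents to `audit_kwalletrc`) before and after changing the settings in the KWallet system settings module; kwalletd picks the values up from that file, so the audit reflects what the daemon will actually do at the next idle or screen-lock event.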
Comment 5 michaelk83 2022-09-06 10:17:30 UTC

*** This bug has been marked as a duplicate of bug 147873 ***