Seahorse and clear text passwords: a proposal for a pragmatic solution



Hello everyone,

First of all allow me to express a big THANK YOU for all the hard work you guys put into making gnome one the best desktop environments out there.

But even the best can be improved. You are probably aware there is some controversy over the fact seahorse allows a user to view clear text passwords without any authentication. There is a 300+ post on the topic on the ubuntu forums which I would advice you not too read unless you're terribly bored and like reading circular arguments about car analogies. Instead, let me try and summarize the relevant arguments I have been able to find, and humbly propose a solution.

People defending the current implementation have a few valid arguments. They claim hiding passwords that reside on disk unencrypted does not add real security, only perceived security. They argue such false sense of security ("security theatre" seems to be the popular phrase) actually diminishes security and users should be taught to lock their screens instead. They also argue physical access =  root access anyway, and apps like pidgin store passwords in clear text by design for the above reasons. Some add more nonsensical arguments that I will spare you.

People who object to the current implementation (which includes yours truly) argue that the current implementation makes it far too easy for anyone even with no computer skills to obtain someone's identity. It takes less than 10s to click a few menu's and reveal someone's wifi or email password, which is a great security breach (far more than just being able to read emails while the owner is away from his screen). Locking the screen is a good habbit but in real life people will not always do this, and even a screensaver / auto lock is not a good solution as that would take several minutes during which a curious collegue could grab your mouse in your absense and obtain your passwords without you ever knowing.

Now, I can  appreciate the philosophy of not giving false sense of security and security through obscurity is not a solution either.  Requiring a password to view clear text passwords stored in the keyring does not protect a user from more sophisticated attacks and could indeed increase the perceived secuity. Therefore I would suggest a pragmatic solution that I think should satisfy everyone. I would suggest passwords in seahorse are not visible without re authentication of the user, but at the same time I would use the password dialogue box to warn the user that despite this authentication request, his passwords are NOT secure or encrypted as long as he is logged in, and he should lock his screen and/or close the keyring to avoid identity theft.

To me this sound like a fairly simple solution that will render identity theft by regular desktop users a whole lot less likely, while at the same time educating the user how to protect himself from more skilled potential identity thieves who know how to install a keylogger or where to find on unscramble stored passwords. It secures users against the majority of potential identity thieves, it provides no false sense of security (quite on the contrary) and it educates the users. Everyone wins :)

I hope you will consider this solution,

Bob.











[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]