Re: encryption has nothing to do with password?



On Thu, 20 Nov 2014, Stef Walter wrote:

On 14.11.2014 23:10, Weiwu Zhang wrote:
Yesterday a friend took my old hard disk and mounted /home on his PC,
and configured a new user with the same username with a simple password
"123456", and logged in. He can see all my files (expected) and has
access to my seahorse stored passwords (surprise).

That's very strange and unexpected.

The only thing I can think of is that you created your login keyring or
login account without a password. When you do this, the keyring is not
encrypted. You can check this by trying to open up the keyring file in a
text editor. If it's not encrypted you should be able to see the contents.

Thanks for the clear info!

I found that in my login.keyring:
1) all field names are in clear-text, like date_created, signon_realm, username_element.
2) all values are binary blobs.

Is this encrypted or not? I do have to type my login password every time the computer starts in order to access login.keyring.

I assume it is not encrypted, because the clear-text part reveals the number of passwords (in my case 155 passwords). A security professional won't reveal even this information in an encrypted dataset.

For the purpose of comparison, I created a new keyring using a new password, and in it I stored a customized password entry. Then I checked the resulting keyring file; it has no clear text except the name of the keyring and the file's magic - that is, field names are not clearly visible. So I infer that my login keyring (with field names in clear text) is not really encrypted. The next task is how to encrypt it. 155 passwords are too many for keyboard reëntry.
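
Added example, not part of the original messages: a Python sketch of the "open the file in a text editor" check discussed above, which lists readable strings, counts the field names quoted in the message, and reports byte entropy. It does not parse the keyring format, its output is evidence rather than proof of encryption, and the two sample inputs are constructed placeholders.

```python
import hashlib
import math
import re
import sys
from collections import Counter

# Field names quoted in the message above.
FIELD_NAMES = (b"date_created", b"signon_realm", b"username_element")

def printable_runs(data, min_len=6):
    """Runs of printable ASCII at least min_len long, like strings(1)."""
    return re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)

def shannon_entropy(data):
    """Bits per byte: near 8 for ciphertext-like data, lower for text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())

def inspect_keyring(data):
    """Summarise what a text editor would reveal about the file."""
    return {
        "field_name_hits": {n.decode(): data.count(n) for n in FIELD_NAMES},
        "readable_runs": [r.decode() for r in printable_runs(data)],
        "entropy_bits_per_byte": round(shannon_entropy(data), 2),
    }

def _blob(seed, size):
    """Deterministic pseudo-random bytes standing in for binary values."""
    out, i = b"", 0
    while len(out) < size:
        out += hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:size]

# Constructed samples, NOT real keyring files or the real file layout.
HEADER = b"SAMPLE-KEYRING\n"
SAMPLE_WITH_NAMES = HEADER + b"".join(
    name + b"\0" + _blob(name + bytes([i]), 16)
    for i in range(5) for name in FIELD_NAMES)
SAMPLE_OPAQUE = HEADER + _blob(b"opaque", 400)

if __name__ == "__main__":
    if len(sys.argv) > 1:  # path to a copy of the keyring file to inspect
        with open(sys.argv[1], "rb") as fh:
            samples = {sys.argv[1]: fh.read()}
    else:
        samples = {"with names": SAMPLE_WITH_NAMES, "opaque": SAMPLE_OPAQUE}
    for label, data in samples.items():
        print(label, inspect_keyring(data))
```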
