Are saved passwords encrypted?



  • Clearly more work needs to be done to improve saving and viewing saved passwords in Vivaldi. Something like Firefox with a master password would be good. Meanwhile, how exactly are passwords saved? Are they encrypted or saved as plain text in a database?



  • They are encrypted.



  • @Gwen-Dragon:

    They are encrypted.

    How do you know that? As far as I know Chrome passwords are not encrypted, it can't be, because there is no master password to unlock the encryption.



  • Although it might be encrypted, it can be easily decrypted by any program run as your user account.
    Both Opera 12, Firefox and Chrome has a "Master Password" option for added security.



  • That does not work in terms of security. Security by obscurity does not work.

    Any malware or virus hitting your browser with Chrome can actually read your logins.

    I think it's a bad idea to have something like this running in a browser. Its best to use a password manager which is separated and can be encrypted.
    Chrome makes passwords actually very insecure:
    http://blog.elliottkember.com/chromes-insane-password-security-strategy

    http://www.theverge.com/2013/8/7/4597018/google-chrome-saved-browser-passwords



  • Can we have a response from the Vivaldi developer responsible for security?



  • @terere Sorry, but the articles about Chrome from 2013 are not related to current password database. In Chrom* the current passwords can only be seen if you enter your OS user account password.

    But i agree, the password database should have a extra masterpassword and encryption of database not bound to user's account.



  • Gwen, that is completely useless then.

    If you hit a malware page, it will infect the system with what ever account you are running the browser at that time, so it will be able to read the passwords. Same if you download a virus or get infected any other way, if your user account can read them, them every other program and software in your system can, even other non browser softwares can read them. If you search for it, there are even password readers for Chrome to turn them into plain text. This is why I think its completely useless. At least Firefox has a master password, nothing can read the data unless you unlock it. This is similar to password managers, but its still very bad because you would unlock them to use your browser and it would stay unlocked all the time.

    Granted, you would probably do the same with a password manager, but the difference there relies in the fact that since its running as a independent software in your system from the browser, malware hitting your browser can't attack it directly, it would had to be an attack at the OS level which is harder to do. If the password manager is linked to the browser, they can try to access it by exploiting something directly in the browser tab, hence why I think it's a bad idea and this is why Google did not bothered to make their password manager safer because they actually explain there is no way to secure it if its running in the browser. Not at least in a way that it will be usable for what people want which is filling logins.

    If you really want to have something at least a bit more secure, you would not use a password manager build into your browser. Form data filling is fine, for non sensitive data like filling up your name, street, others. But you don't want your browser to auto fill passwords by its own, since it's an easy attack target, any crafted page with the correct malware will trigger to dump your password into them without your interaction and since exploits are found all the time on browsers nobody should feel comfortable with something like this.


Log in to reply
 

Looks like your connection to Vivaldi Forum was lost, please wait while we try to reconnect.