Windows - Vivaldi accounts & passwords



  • ModEdit: topic title changed from:
    Vivaldi accounts & passwords are visible and copiable in Windows to [[ Windows - Vivaldi accounts & passwords ]]



    This may have been discussed before; if so, I apologize. Nirsoft's ChromePass displays my Vivaldi accounts + passwords. I don't have Chrome or Chromium installed. On the other hand, when Firefox passwords are locked with a master password, a similar utility, PasswordFox, shows the location url but not the passwords.


  • Moderator

    Hello there,

    I am sorry for not getting your point.



  • @lamarca There is insufficient protection.



  • @ineuw
    Hi, Chromium browsers use Windows encryption for passwords.
    If you are logged in it is easy to read the passwords; check from a different user account.
    Vivaldi does not have a master password system but there is a feature request about it, search for it and vote for it.

    Cheers, mib


  • Moderator

    @ineuw Thanks for confirming.
    I will ping someone on Monday and let you know.



  • @mib2berlin, an interesting point. But, for a single user desktop to test this means creating a "User" level account because Admin accounts can look into each other's folders. Then, another Microsoft account needs to be created if that is possible, this being Windows 10, and then with access to Nirsoft software. Then, another Vivaldi profile needs to be configured.

    It would be much easier if the passwords are not displayed at all.



  • @ineuw
    Hi, I am not sure but I think an Admin can open the folder but can't see the passwords of a regular user in clear text. I will test this later on my Windows 10 system.
    Really interesting question. 🙂

    Cheers, mib



  • @mib2berlin to see what I meant, download nirsoft's tools package. No installation is necessary.



  • Yes, it's true that the tool ChromePass allows you to open the Vivaldi password file and look at the saved passwords. I actually use it to export my passwords from time to time, in case Vivaldi Sync goes tits up and loses everything ... 😛

    Vivaldi has inherited the way Chrome does it, and encrypts the passwords in "Login Data" using the Windows API. This means to see the passwords you need to have the credentials of the current user to decrypt them, and is relatively secure as long as the account is not compromised...

    https://null-byte.wonderhowto.com/how-to/grab-all-passwords-0163301/
    https://null-byte.wonderhowto.com/how-to/hacking-windows-10-steal-decrypt-passwords-stored-chrome-firefox-remotely-0183600/

    https://docs.microsoft.com/en-us/windows/win32/api/dpapi/nf-dpapi-cryptunprotectdata
    https://docs.microsoft.com/en-gb/windows/win32/api/dpapi/nf-dpapi-cryptprotectdata

    Typically, only a user with logon credentials that match those of the user who encrypted the data can decrypt the data. In addition, decryption usually can only be done on the computer where the data was encrypted. However, a user with a roaming profile can decrypt the data from another computer on the network.

    If the CRYPTPROTECT_LOCAL_MACHINE flag is set when the data is encrypted, any user on the computer where the encryption was done can decrypt the data.

    Since the ChromePass tool is run as the correct user, it can easily create a session key to decrypt all the passwords in one go. It doesn't even need you to type a password, as a session key is easily obtained by any program running in the current session.

    Basically the way Vivaldi asks for the user password to show a stored password is just "security theatre". The only thing it accomplishes is making it harder for the actual user to see their own stored passwords.

    And let's just hope Vivaldi does not use the CRYPTPROTECT_LOCAL_MACHINE flag...

    Using a master password may seem a better solution, but it still won't stop an attacker who already has access to the local user account. They could just install a keylogger, and wait for the user to type the master password 😉

    If the location of the password file is secured by proper OS access permissions, it should be safe enough, anything else on top of that is just for show.

    The rule of thumb is if anyone else has access to your login account, you can just throw any notion of security out of the window. Never let anyone else use your account.
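The scope behaviour described in the post above, as an added example that is not part of any forum post: it protects a constructed sample string with the .NET `ProtectedData` wrapper around `CryptProtectData`, once per scope, then reports whether the current account can unprotect each blob. The folder name `dpapi-demo` under `$env:PUBLIC` and the function names are assumptions made for illustration; no browser data is touched.

```powershell
# Added example: DPAPI scopes demonstrated on a constructed secret only.
Add-Type -AssemblyName System.Security   # loads ProtectedData on Windows PowerShell 5.1

$DemoDir = Join-Path $env:PUBLIC 'dpapi-demo'   # hypothetical folder both accounts can read
$Scopes  = 'CurrentUser', 'LocalMachine'        # LocalMachine = CRYPTPROTECT_LOCAL_MACHINE

function New-DemoBlob {
    param([System.Security.Cryptography.DataProtectionScope]$BlobScope)
    $plain = [Text.Encoding]::UTF8.GetBytes('constructed-sample-secret')
    # No password and no prompt: the key material comes from the logon session.
    $blob = [System.Security.Cryptography.ProtectedData]::Protect($plain, $null, $BlobScope)
    [IO.File]::WriteAllBytes((Join-Path $DemoDir "$BlobScope.bin"), $blob)
}

function Test-DemoBlob {
    param([System.Security.Cryptography.DataProtectionScope]$BlobScope)
    $blob = [IO.File]::ReadAllBytes((Join-Path $DemoDir "$BlobScope.bin"))
    $readable = $true
    try {
        [void][System.Security.Cryptography.ProtectedData]::Unprotect($blob, $null, $BlobScope)
    } catch [System.Security.Cryptography.CryptographicException] {
        $readable = $false   # this account cannot derive the key for this blob
    }
    [pscustomobject]@{
        Account  = "$env:USERDOMAIN\$env:USERNAME"
        Scope    = $BlobScope
        Readable = $readable
    }
}

# First run (account A) creates the blobs; later runs from any account only test them.
if (-not (Test-Path $DemoDir)) {
    New-Item -ItemType Directory -Path $DemoDir | Out-Null
    $Scopes | ForEach-Object { New-DemoBlob -BlobScope $_ }
}
$Scopes | ForEach-Object { Test-DemoBlob -BlobScope $_ }
```

Run it once as the account that creates the blobs, then again from a second account on the same machine; going by the Microsoft documentation quoted above, the second account should fail on the `CurrentUser` blob and succeed on the `LocalMachine` one. Delete the `dpapi-demo` folder afterwards.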



    Hi, I tested with a new user and started Nirsoft ChromePass from my Admin account with Admin rights.
    You can't read the passwords but user name, account, and some more.
    Password field is blank.

    Cheers, mib



  • @Pathduck. Thank you. It makes complete sense. I needed confirmation from a good source like yourself. Also realized that the software can only check profiles in the user's own environment, unless the user is an Administrator.



  • @mib2berlin said in Windows - Vivaldi accounts & passwords:

    Hi, I tested with a new user and started Nirsoft ChromePass from my Admin account with Admin rights.
    You can't read the passwords but user name, account, and some more.
    Password field is blank.

    Cheers, mib

    @mib2berlin, does this mean that Admin1 could not see the passwords in the Admin2 account? If it's so, then there is no issue.



  • @ineuw said in Windows - Vivaldi accounts & passwords:

    does this mean that Admin1 could not see the passwords in the Admin2 account? If it's so, then there is no issue.

    Yes - they won't be able to see each other's passwords in ChromePass, even if they can access the "Login Data" file.

    However, an administrator should pretty easily be able to log in as the other user, and then generate a session token to run ChromePass with. By definition, an Administrator account has access to everything, and there's no protecting yourself from a skilled admin intent on finding something 😉

    One drawback of the Vivaldi/Chrome method using the Windows API, is that you can't just migrate your Vivaldi profile+passwords to another machine, or reinstall the OS, without also losing your saved passwords, as they are encrypted by the current user ID/machine combination.

    Firefox with a master password does make it possible to just copy the user profile to another machine, since the master password is saved in the profile too. Whether that's better or not depends on how you look at being able to securely copy the files from one machine to the other 😉

    I don't know the specifics on how Vivaldi Sync handles this. I assume the passwords are first decrypted using the OS method, and then encrypted with your Sync password during transfer to the Vivaldi Sync server.



  • @ineuw
    As @Pathduck mentioned, no access to the second user's passwords (was regular user, not admin).
    @Pathduck how can I log in to another user account, even with admin account?
    If I sit in front of the system I can easily delete all windows passwords and log in to every account but then it is too late anyway. 😈

    Cheers, mib



  • @mib2berlin said in Windows - Vivaldi accounts & passwords:

    @Pathduck how can I log in to another user account, even with admin account?
    If I sit in front of the system I can easily delete all windows passwords and log in to every account but then it is too late anyway.

    Exactly, just change the user password and log in as them. Of course, hard to do without the user noticing their password has been changed, but by then the damage is already done 😉

    Windows not being a true multi-user OS like Linux, an admin is kind of limited. For instance, you need the password of the user to run commands as them. But pretty sure there's ways around that as well...

    On Linux you can just do a su - username as root to change user and possibly decrypt the passwords from there.



  • @Pathduck
    That is the reason I am on Linux except testing such behaviors.

    Cheers, mib



  • @mib2berlin Linux does things simply and elegantly, but then it has its own numerous issues from an average user's standpoint. However, this topic does not belong in this thread.

