Did Vivaldi/Chromium change how passwords are stored in Login Data?
-
I've been using the Nirsoft tool ChromePass to examine passwords and doing occasional exports for backup purposes.
However I've noticed now it's stopped being able to decrypt some of the passwords, they just show as blank, while username/URL and so on show. For example I have 130 passwords saved, but ChromePass only shows 47 of these.
NirSoft has two more tools that do the same thing, WebBrowserPassView and DataProtectionDecryptor, these also rely on the Windows API to decrypt passwords, and they show the same issue.
So I'm wondering if Vivaldi/Chromium has changed something lately in how passwords are stored? The issue seems to be in both latest Stable and Snapshot.
I'm not able to see any pattern in terms of creation date, site or complexity in what passwords are shown or not.
EDIT: I just tested with exporting passwords, deleting all, then importing, and now none of the passwords are shown in ChromePass. So something's definitely changed in the way it saves passwords...
-
Agreed.
The Import/Export flag has been removed from Chromium. Please see the following Forum conversation and links for more info.
[EDIT] A few quick tests.
Opening the saved CSV file in Libre Office Calc, some records' fields were jumbled and/or duplicated.
Opening the saved CSV file in Nirsoft's csvfileview, everything appeared OK (?!)
From csvfileview you can Select All and Save Selected as .txt, .csv, .XML or .JSON.
Hope this helps.
-
@greybeard Thanks for the reply. However this is not related to the export of passwords into plain CSV, this is related to applications using the Windows decryption API to decrypt the passwords.
EDIT: I did some digging around, and it appears the file "null" in the profile folder is involved. I'll try to delete it and see what happens.
-
@Pathduck I just did a quick test with ChromePass. The output is no longer the same as previously so I suspect you are correct.
A letter to the developer may be in order.
-
@greybeard Yes, I've already emailed Nir about it, will be interesting if he replies.
-
@Pathduck Nir does not reply, in my experience. He will modify the app to work properly and may write a blog post about the subject.
-
I got a reply from Nir:
There is a change in the encryption of passwords starting from Google Chrome 80 (Currently still in Beta >
Maybe it's the same change on Vivaldi.
I still don't know how the passwords are encrypted on the new version, it requires some research.
So I guess we'll have to wait and see. Not that I use the tool all the time, but it's indispensable when I need it.
-
Update on this one - Nir released version 1.50 of ChromePass:
Added support for the new password encryption of Chromium / Chrome Web browsers, starting from version 80.
https://www.nirsoft.net/utils/chromepass.html
I just tested and it's back to working
-
Another update. I asked Nir about what changed and got the reply:
"Instead of encrypting every password with DPAPI, they encrypt the passwords with AES-256, and the AES encryption key is encrypted with DPAPI and it's stored inside the 'Local State' file."
So AES-256 is really strong so that's good I guess.
What's slightly troubling is that Vivaldi keeps its "Local State" file outside the actual user profile.
For instance the file is in:
%localappdata%\Vivaldi\User Data
But the actual user profile is in:
%localappdata%\Vivaldi\User Data\Default
It's troubling because I've always thought that to back up you only needed the actual user profile folder (Default in this case), while the rest in User Data would be recreated on startup. Not a big deal but might cause some issues unless one's aware of it.
-
Ppafflick moved this topic from Desktop on
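
The backup concern raised in the last post, as an added example that is not part of the thread and is not Vivaldi's or NirSoft's code: a check that a copied User Data folder still holds the DPAPI-wrapped AES key its Login Data rows depend on. The `os_crypt.encrypted_key` field, the `DPAPI` and `v10` prefixes and the `logins.password_value` column are Chromium details not stated in the thread; the function names and the sample tree are constructed for illustration.

```python
import base64, json, sqlite3, tempfile
from pathlib import Path
DPAPI_TAG = b"DPAPI"   # prefix Chromium puts before the DPAPI-wrapped AES key
V10_TAG = b"v10"       # prefix of password values encrypted with that AES key

def check_backup(user_data: Path, profile: str = "Default") -> dict:
    """Check file-level completeness only; DPAPI still ties the key to the Windows account."""
    report = {"has_wrapped_key": False, "aes_rows": 0, "legacy_rows": 0}
    local_state = user_data / "Local State"
    if local_state.is_file():
        state = json.loads(local_state.read_text(encoding="utf-8"))
        key_b64 = state.get("os_crypt", {}).get("encrypted_key", "")
        try:
            report["has_wrapped_key"] = base64.b64decode(key_b64).startswith(DPAPI_TAG)
        except ValueError:  # malformed base64 counts as "no usable key"
            pass
    login_db = user_data / profile / "Login Data"
    if login_db.is_file():
        # Open read-only so the check never modifies the backup.
        con = sqlite3.connect(login_db.resolve().as_uri() + "?mode=ro", uri=True)
        try:
            for (blob,) in con.execute("SELECT password_value FROM logins"):
                is_aes = bytes(blob or b"").startswith(V10_TAG)
                report["aes_rows" if is_aes else "legacy_rows"] += 1
        finally:
            con.close()
    # AES rows are unreadable without Local State; legacy rows do not need it.
    report["complete"] = report["has_wrapped_key"] or report["aes_rows"] == 0
    return report

def make_sample(root: Path, with_local_state: bool) -> Path:
    """Build a constructed User Data tree holding placeholder bytes, not real ciphertext."""
    user_data = root / "User Data"
    (user_data / "Default").mkdir(parents=True)
    con = sqlite3.connect(user_data / "Default" / "Login Data")
    con.execute("CREATE TABLE logins (origin_url TEXT, password_value BLOB)")
    con.executemany("INSERT INTO logins VALUES (?, ?)", [
        ("https://a.example", V10_TAG + b"\x00" * 28),               # new format
        ("https://b.example", b"\x01\x00\x00\x00" + b"\x00" * 16),   # legacy format
    ])
    con.commit()
    con.close()
    if with_local_state:
        key = base64.b64encode(DPAPI_TAG + b"\x00" * 32).decode()
        (user_data / "Local State").write_text(json.dumps({"os_crypt": {"encrypted_key": key}}))
    return user_data

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for name, with_state in (("full", True), ("profile_only", False)):
            print(name, check_backup(make_sample(Path(tmp) / name, with_state)))
```

Against a real backup, pass the copied `User Data` directory to `check_backup`; a result with `complete` set to false means the copy has AES-encrypted rows but no `Local State` key to go with them.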