Senior Member
Some people™ would consider it a usability bug.
Senior Member
Automatic unlocking of KWallet at login is almost as insecure as storing passwords in plaintext: https://bugs.kde.org/show_bug.cgi?id=92845#c129Originally Posted by ChrisXY
If one does not want to be bothered by KWallet authentication requests, simply set no KWallet password and KWallet will silently open in the background when needed.
Senior Member
If I have no password set, anyone with physical/root access can open it, even if I'm not logged in, right?
If I have a password set but it is the same as my login passwort an attacker would need me to be logged in.
The problem is: I first type my password in the login manager and then immediately after that korganizer requests the kwallet passwort to sync the google calendar. Or maybe networkmanager needs the password for the wireless lan.
Gnome/gdm can do it. KDE can't. There were some patches floating around somewhere doing something with pam but nobody bothered to implement it in kwallet directly because ksecrets/ksecretservice would be replacing kwallet anyway.
Senior Member
If the KWallet password is automatically the same as the user login password, anyone with physical/root access can simply change the user password or alternatively plant a script that reads the contents of KWallet right after login.
If you are concerned about people having physical access to your PC, go full-disk encryption instead.
Senior Member
The kwallet password is the same as the login password, but separately set. It could just work together that for this case one only needs one login and changing the user password would not touch kwallet's password.
How is that much worse than a script that just waits for kwallet to open and reads it then?
Senior Member
The longer a script has to sit and way, the higher the chance of detecting it.
And even if it was not worse: I see no point developing a KWallet feature that is not superior to the current way.
Again: If you are concerned about strangers with physical access to your PC, use full disk encryption.
Phoronix Member
Please correct me if I'm wrong:
If KWallet password is not set, KWallet content is not encrypted. If my laptop is stolen, KWallet content can be read.
If KWallet password is set to the user password, KWallet content is encrypted. One can change the user password, but it won't decrypt KWallet content (root can't change KWallet password). If my laptop is stolen, KWallet content cannot be read. If user changes its user password, it must change KWallet password separately (or the GUI must do it for him at least), and the original password is necessary for this.
The keylogger point is completely moot. If you have one on your PC, your doomed, whether it takes 0 or 5min between your login and the opening of the KWallet content.
I personally think that one-step login and off-line protection is a useful feature.
Senior Member
Not with full disk encryption.
It's definitively a feature request and not a bug and the claim that it's a bug is the reason why it was even mentioned here in the first place.
Posting Permissions
Reply With Quote