TIL - That Despite You Best Efforts Your Passwords are Stored in Plaintext!
This is going to be short.
Early yesterday I had a drive crash and it took out my user data cache.
Fortunately I was able to recover everything, except I keep my keys and passwords in a highly encrypted tool called keypass and the DB was damaged.
I fired up chrome and everything was missing, history, logins, you name it, the chrome cache folder had been wiped out.
I genuinely believed this information was gone, including the password for my steemit account (which would have been devastating).
In the process of exploring what was left I found a tool called seahorse, it's a default part of the OS and I had never paid much attention to it before. But I opened it up and HOLY SHNIKEES BATMAN! It has a section called "logins" that had stored in plain text every single password to every single website I had ever visited since I installed the OS.
right there under the passwords tab
To make things more interesting, I found that this tool has a lot of uses and functions and you can do some really fun advanced crypto with it. No one talks about it much, but it's there.
The datastore itself appears to be default setup to unlock with the same password you use to login to the OS with, which is disturbing to me on a number of levels.
This means that unless you have whole disk encryption, your steemit password is at risk if you're running any version of linux that uses this and blowing away your webcache does not fix this, i.e. clearing cookies, cache, passwords.
Finally in the absence of this tool, it turns out that Chrome just stores this information on the hard drive in plain text.
If you've forgotten your passwords, you can always get to them in plain text by going here...
chrome://settings/passwords (you'll need to copy and paste the link isn't really clicky.)
Keep in mind that google has also backed these up to the cloud for you as well.
http://www.makeuseof.com/tag/view-chromes-saved-passwords-anywhere-stop/
The solution to this is to not allow your web browser to store your password, but to use a tool like keypass and keep your password DB backed up. Also use whole disk encryption whenever possible and if not then at least make sure your user data partition is encrypted.
As always this post is 100% steem powered!
Nice post
Oh man, sounds like you managed to dodge a bullet here. I'm glad you got your passwords back, but this is also scary at the same time. Hard to ever be totally sure of what your computer is doing without you being aware. Sometimes I look at Task Manager and wonder just what all that crap is that I have running...
I have so many passwords / keys / important stuff these days that I'm getting rather paranoid about losing it all by accident someday. So I keep a triple backup of my most important stuff on a home NAS, USB drive, and 2nd USB drive stored in a locked drawer at my office.
Yeah I really did dodge a bullet there. Fortunately, I was able to recover and I'm taking active measures like yours now to make sure it never happens again. I was really lucky this was only personal stuff. Thankfully with business related stuff I'm a lot better about hygiene and use custom key stores, with a few different backup modes including a steganographic option.
Ack! Well at least you managed to recover your passwords D:
Oh no, your post has given me even more security angst! The truth is painful sometimes. Now I need to encrypt my hardrives,blah.
Thanks for this useful anxiety producing info, that's much appreciated,lol.
Ugh. I just want to be able to use an external device (key) which uses digital signing on the device itself to log me in for every website. None of this stupid password bullshit, we should be leaving it in the past. It is basically an impossible task to use passwords securely, no matter how hard you try, there are always serious vulnerabilities.
I have a Yubikey Neo which is great, but it only works for a few sites. Mostly I have to use LastPass, which probably has the same vulnerability as you're describing here.
Seems it is encrypted, but easy to decrypt. (links via Reddit).
I always encouraged people to use 1Password. Keep that stuff encrypted, yo. Only unlock it when you need it. Keep your anti-virus up-to-date and your OS' security patches.
I have my password stored in LastPass. Is that OK level of security? If I just compromised myself tell me to destroy this post.
No, lastpass appears to be as far as I can tell a very reasonable choice. I use keepass myself because I don't like anything "syncing my passwords".
This post is about letting your browser save the password and the fact your browser isn't taking adequate steps to encrypt your passwords locally. Plus it's backing them up to google whether you like it or not and google is leaving them unencrypted as well, unless you take positive action to force google to encrypt.
However, in order to take that step you must first log into your google account and if you're like me and don't have a google account, google assigns them to the first person who does log in using your browser. Gotta love Google!
Very helpful! THanks! Feeling better already!
Excuse my ignorance, but I go to the chrome://settings/passwords link and I see the list of websites/passwords ... but the passwords are not in plain text as you mention. Am I missing a step or are there other settings which keep this encrypted perhaps?
They are in plaintext. You need to go over the little dots that obscure it and click them, then click on "show".
This isn't really the dangerous part though, the browser does need to save off the plain text somewhere so it can log you into sites. However having the browser save them in the first place bad because...
The dangerous part is that they are saved out to your harddrive without encryption and also in your google account unencrypted, and evidently the google account of anyone who "logs into chrome" from your browser if you don't log into chrome yourself, according to that link.
I agree with your opinion, but not everyone is equal. If I had someone else would comment I've read the first post, my new comments, that's my differences with others...
I myself use enpass myself. They have an app for every platform and they also allow for you to freely store your database anywhere for you to access it. Comes in handy with your mobile devices :)