Password stores in plain txt, how to solve this? #15

Closed
kolobok55 opened this issue Apr 2, 2019 · 10 comments

Comments

@kolobok55

commented Apr 2, 2019

With Notepad++ I've found my site passwords in open view. Can I store my passwords securely?

@crazy-max

Member

commented Apr 2, 2019

@kolobok55

Everything is explained here:

TL;DR: We have to deal with machine ID and encryption, otherwise extensions, passwords and settings are not saved across computers. That's why the flag --disable-encryption-win has been created to allow portability.

@crazy-max crazy-max closed this Apr 2, 2019
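Added example, not part of the thread or of the portapps code: a read-only check of how the saved passwords in a Chromium-style profile are protected. It assumes Chromium's `logins` table layout (`origin_url`, `password_value`), the standard DPAPI blob header and the `v10` AES-GCM prefix of newer builds, and treats any other non-empty value as unprotected; the sample rows are constructed.

```python
import sqlite3

# Every DPAPI blob starts with version 1 followed by the DPAPI provider GUID.
DPAPI_HEADER = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")
# Newer Chromium builds on Windows prefix AES-GCM values with "v10".
V10_PREFIX = b"v10"
V10_MIN_LEN = 3 + 12 + 16  # prefix + nonce + GCM tag

def classify(blob):
    """Say how a password_value blob is protected, without decoding it."""
    if isinstance(blob, str):
        blob = blob.encode()
    blob = bytes(blob or b"")
    if not blob:
        return "empty"
    if blob.startswith(DPAPI_HEADER):
        return "dpapi"
    if blob.startswith(V10_PREFIX) and len(blob) >= V10_MIN_LEN:
        return "aes-gcm"
    return "unprotected"  # assumption: anything else is stored as-is

def audit_login_db(conn):
    """Count rows by protection type and list origins stored unprotected."""
    counts, exposed = {}, []
    query = "SELECT origin_url, password_value FROM logins"
    for origin, blob in conn.execute(query):
        kind = classify(blob)
        counts[kind] = counts.get(kind, 0) + 1
        if kind == "unprotected":
            exposed.append(origin)
    return counts, sorted(exposed)

def build_sample_db():
    """Constructed sample rows standing in for a profile's 'Login Data' file."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE logins (origin_url TEXT, password_value BLOB)")
    rows = [
        ("https://a.example/", DPAPI_HEADER + b"\x00" * 32),
        ("https://b.example/", b"v10" + b"\x11" * 40),
        ("https://c.example/", b"constructed-sample-value"),
        ("https://d.example/", b""),
    ]
    conn.executemany("INSERT INTO logins VALUES (?, ?)", rows)
    return conn

if __name__ == "__main__":
    counts, exposed = audit_login_db(build_sample_db())
    print(counts)
    print("unprotected entries:", exposed)
```

To check a real profile, pass `audit_login_db` a connection to a copy of its `Login Data` file; the script reports only counts and origins, never the stored values.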

@caspertone2003

commented Apr 3, 2019

@crazy-max

Perhaps it would be wise

a) to include some information on particularities of braveportable vs brave-core in https://portapps.io/app/brave-portable/ , especially the security implications vs portability

b) to point to some side measures, such as https://www.geckoandfly.com/21463/usb-password-protect-lock-encrypt-flash-drive/

c) to generate two versions, one as now fully portable and another new safer but not fully portable

Your work here is excellent but users could not really understand the approach and could bring bad reputation to brave-portable, which would be a pity.

a+b are not really a lot of work.
c depends on the level of sophistication of your toolchain....

by the way, I could stop LOLing with you using TLDR

CT

@crazy-max

Member

commented Apr 3, 2019

@caspertone2003 You're right, I will add some info about those flags.

@crazy-max crazy-max reopened this Apr 3, 2019

@crazy-max crazy-max added the doc label Apr 3, 2019

@kolobok55

Author

commented Apr 3, 2019

@crazy-max

> Perhaps it would be wise
>
> a) to include some information on particularities of braveportable vs brave-core in https://portapps.io/app/brave-portable/ , especially the security implications vs portability
>
> b) to point to some side measures, such as https://www.geckoandfly.com/21463/usb-password-protect-lock-encrypt-flash-drive/
>
> c) to generate two versions, one as now fully portable and another new safer but not fully portable
>
> Your work here is excellent but users could not really understand the approach and could bring bad reputation to brave-portable, which would be a pity.
>
> a+b are not really a lot of work.
> c depends on the level of sophistication of your toolchain....
>
> by the way, I could stop LOLing with you using TLDR
>
> CT

Another option, rather a crutch:
Embed a cryptographer / decoder into the launcher, decrypt the settings file on startup and delete on closing

@crazy-max

Member

commented Apr 3, 2019

@kolobok55 That sounds great, but this needs an upstream implementation in brave-core and also a portable fingerprint for symmetric cryptography.

@caspertone2003

commented Apr 3, 2019

@kolobok55
The general approach is good, while obvious, but not light in work and time.
It took a brilliant idea and quite some work from crazy-max to prepare a patch to brave-core to allow a truly portable solution (Chromium binds passwords and other critical information to a specific machine - by design) and it took several weeks to get the green light for the patch. Moreover, I dunno if they will pass such radical patching as to develop a cryptographic container for brave-core; besides, crypto, while conceptually simple, is a trapfield in terms of correct implementation...

crazy-max added a commit to portapps/portapps.github.io that referenced this issue Apr 10, 2019

@crazy-max

Member

commented Apr 10, 2019

@crazy-max crazy-max closed this Apr 10, 2019

@beppe9000

commented May 15, 2019

Is this still happening?

This issue of portability always bugged me on chromiums... can it be patched to just use a default key?
Or accept a key (or keyfile) passed by argument / pipe / stdin / well known file (%CD%\key.bin)

@crazy-max

Member

commented May 15, 2019

@beppe9000

> Is this still happening?

Yes

> can it be patched to just use a default key?

The steganographic approach is possible to "hide" this kind of data.

@beppe9000

commented May 15, 2019

too bad closed source chromiums cannot benefit from that patch...
