On Thu, Aug 26, 2021 at 12:15:39PM +0000, Daniel Shahaf wrote: > Stefan Sperling wrote on Thu, 26 Aug 2021 10:30 +00:00: > > And while we are considering read-only vs. read-write access: > > Plaintext passwords or not, in my contrived scenario Eve could always > > trick Alice into using a different user account by caching a set of > > valid credentials which Eve knows. Apart from not caching credentials > > at all I don't see a way to prevent this. > > That scenario is called an "evil maid attack". I don't think we should > try to prevent it. We are not in the business of posting guards to watch > over unattended laptops.
The plaintext password pishing scenario also requires access to local configuration files. We could simply declare it out of scope, but that means we'd be ignoring users who are unhappy that plaintext storage is even allowed. Just as they are unhappy about TortoiseSVN's decryption shortcut in its cached password dialog (note that in this case the windows domain password is often the same as the SVN password, so leaving a laptop unlocked means anyone can get at domain creds).
