https://bugs.kde.org/show_bug.cgi?id=450004

David Goguen <david.gog...@outlook.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |david.gog...@outlook.com

--- Comment #1 from David Goguen <david.gog...@outlook.com> ---
As you mentioned, your wallet has a master password and if you “Close” the
wallet in the GUI at the top before closing KWalletManager itself, it will
prompt for the master password of the wallet when you open KWalletManager
again. This comes at the inconvenience of re-entering the password to reopen
the wallet.

Just my two cents, but I really don’t think this is a bug. It’s the same as if
you store your passwords for autofill in your web browser, you can access the
list in the web browser settings in plain text as long as the user is logged
into the computer normally. If a user has to enter their password to open
KWalletManager alone, do they then have to enter the password to the wallet
right after? Seems like a bit of a pain to me, but I do get it from a security
perspective.

This is an interesting one and I’m interested to see what others think.

This is KDE, perhaps introduce a switch in the KWalletManager settings so users
can choose to prompt for password when it opens or not, that way everyone is
satisfied :)

(In reply to Marco from comment #0)
> SUMMARY
> KWallet, when open, allows, via the GUI, to see all passwords in plain text.
> I understand this is "normal", since the wallet is open, but given the number
> of applications using the wallet, it means it will *always* open. I would
> say that at least at the GUI level, KWallet should ask the user password
> before showing the passwords in plain text, when clicking the "show
> password" button, as a basic security measure.
> Let me point out that this kind of security measure is already implemented
> when changing KWallet's settings. In this case, before applying a change,
> the user's password is required.
> 
> 
> STEPS TO REPRODUCE
> 1. Simply open KWallet
> 2. Choose any folder
> 3. Click the show password button
> 
> OBSERVED RESULT
> 
> The password is immediately shown in plain text, without first asking the
> current user's password.
> 
> EXPECTED RESULT
> KWallet should first confirm the operation by asking the user's password.
> 
> SOFTWARE/OS VERSIONS
> Linux/KDE Plasma:  Fedora 35
> (available in About System)
> KDE Plasma Version: 5.24
> KDE Frameworks Version: 5.90.0
> Qt Version: 5.15.2
> 
> ADDITIONAL INFORMATION
> I understand a solution would be to close the wallet, or let it close after
> a certain period, but this would bring back the well-known annoyance of
> KWallet popping up every 5 seconds asking for a password, and this is
> something I am really trying to avoid.
