Announcement

Collapse
No announcement yet.

10 Year Old KDE Bug Finally Gets Fixed

Collapse
X
 
  • Filter
  • Time
  • Show
Clear All
new posts

  • #41
    Originally posted by ChrisXY View Post
    If I have no password set, anyone with physical/root access can open it, even if I'm not logged in, right?
    If the KWallet password is automatically the same as the user login password, anyone with physical/root access can simply change the user password or alternatively plant a script that reads the contents of KWallet right after login.
    If you are concerned about people having physical access to your PC, go full-disk encryption instead.

    Comment


    • #42
      Originally posted by Awesomeness View Post
      If the KWallet password is automatically the same as the user login password, anyone with physical/root access can simply change the user password
      The kwallet password is the same as the login password, but separately set. It could just work together that for this case one only needs one login and changing the user password would not touch kwallet's password.

      Originally posted by Awesomeness View Post
      or alternatively plant a script that reads the contents of KWallet right after login.
      How is that much worse than a script that just waits for kwallet to open and reads it then?

      Comment


      • #43
        Originally posted by ChrisXY View Post
        How is that much worse than a script that just waits for kwallet to open and reads it then?
        The longer a script has to sit and way, the higher the chance of detecting it.

        And even if it was not worse: I see no point developing a KWallet feature that is not superior to the current way.
        Again: If you are concerned about strangers with physical access to your PC, use full disk encryption.

        Comment


        • #44
          Originally posted by Awesomeness View Post
          The longer a script has to sit and way, the higher the chance of detecting it.

          And even if it was not worse: I see no point developing a KWallet feature that is not superior to the current way.
          Again: If you are concerned about strangers with physical access to your PC, use full disk encryption.
          Please correct me if I'm wrong:
          If KWallet password is not set, KWallet content is not encrypted. If my laptop is stolen, KWallet content can be read.
          If KWallet password is set to the user password, KWallet content is encrypted. One can change the user password, but it won't decrypt KWallet content (root can't change KWallet password). If my laptop is stolen, KWallet content cannot be read. If user changes its user password, it must change KWallet password separately (or the GUI must do it for him at least), and the original password is necessary for this.

          The keylogger point is completely moot. If you have one on your PC, your doomed, whether it takes 0 or 5min between your login and the opening of the KWallet content.

          I personally think that one-step login and off-line protection is a useful feature.

          Comment


          • #45
            Originally posted by erendorn View Post
            Please correct me if I'm wrong:
            If KWallet password is not set, KWallet content is not encrypted. If my laptop is stolen, KWallet content can be read.
            Not with full disk encryption.

            Originally posted by erendorn View Post
            I personally think that one-step login and off-line protection is a useful feature.
            It's definitively a feature request and not a bug and the claim that it's a bug is the reason why it was even mentioned here in the first place.

            Comment

            Working...
            X