seahorse shows passwords without verification

8 respuestas [Último envío]
arielenter

I am a member!

I am a translator!

Desconectado/a
se unió: 08/25/2010

Hello, I wanted to share something that has been bothering me for quite a while now:
https://bugzilla.gnome.org/show_bug.cgi?id=627117#c2
I have decided to uninstall seahorse from my system until this feature is implemented.
What you think? Should trisquel come without seahorse.
To open seahorse go to trisquel's Menu>system>Preferences>Passwords and Encrypted Keys. Just double click on the password you want to see and check “Show password”.
Some other bug reports:
https://bugzilla.gnome.org/show_bug.cgi?id=551036
https://bugzilla.gnome.org/show_bug.cgi?id=604843
https://bugzilla.gnome.org/show_bug.cgi?id=617332

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Make a separate user with no privilege for everybody who occasionally uses your system. It takes one minute.

When you leave your computer unattended, lock it (directly accessible in the menu). If you are afraid to forget, configure the screensaver so that it locks the screen (a box to check in Preferences/Screensaver).

That said, with a physical access to your machine, no security holds. E.g., using a Live CD, one can install a keylogger and will soon know your master password.

arielenter

I am a member!

I am a translator!

Desconectado/a
se unió: 08/25/2010

I know there must be hundreds of ways to get your privacy compromise if
some one uses your computer while you are gone, but you don't have to be
a computer genius to open seahorse in less than 30 secs. In my opinion,
there is different computer levels, I feel I'm just in the desktop
level, and the fact that using the mouse is all you have to know to open
seahorse and watch somebody else password doesn't feel right to me.

On Fri, 2011-05-06 at 03:58 +0200, name at domain wrote:
> Make a separate user with no privilege for everybody who occasionally uses
> your system. It takes one minute.
>
> When you leave your computer unattended, lock it (directly accessible in the
> menu). If you are afraid to forget, configure the screensaver so that it
> locks the screen (a box to check in Preferences/Screensaver).
>
> That said, with a physical access to your machine, no security holds. E.g.,
> using a Live CD, one can install a keylogger and will soon know your master
> password.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Just apply what I wrote in the two first paragraphs of my previous message. You will be safe w.r.t. "basic" users.

lluvia_lists@lavabit.com
Desconectado/a
se unió: 04/18/2011

El vie, 06-05-2011 a las 13:32 -0600, ariel escribió:
> I know there must be hundreds of ways to get your privacy compromise if
> some one uses your computer while you are gone, but you don't have to be
> a computer genius to open seahorse in less than 30 secs.

+1. I'd like seahorse ask me my user account key (although by default it
is the admin key too) before showing the keys in the ring. I don't like
to be worried everytime. Also, a lot of users probably don't know about
what is seahorse, and they will not think about that problem. Indeed, I
forgot the issue although I knew it.

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Again, if you apply what I wrote two messages ago (and it is really a matter of seconds) you will be safe w.r.t. basic users. They will not only be able to easily see the passwords in Seahorse but also those in Firefox, and your personal accounting spreadsheets, and your personal agenda in Evolution, and... Do you really want to make all your system check whether it is really you before anything you do? No. Just create an invited user and (let the screensaver) lock the screen when you leave (and lock the room if nobody is supposed to enter!).

If you want to spare one click for locking the screen, add the related applet on the panel. If you want to spare another click when switching to the invited user (that need no password), there is another applet you can add on the panel.

arielenter

I am a member!

I am a translator!

Desconectado/a
se unió: 08/25/2010

Wow o_o, I didn't know firefox does that too. I'm embarrassed. Thanks
for this very helpful information.

I'm using the screen saver lock now, and I created a separate user just
in case I want to lend my computer to a friend for a moment. I have also
disabled the cd boot option from my BIOS and had a password for it as
well.

I still believe that making it so easy for the user to show all the
passwords is not a pretty thing. I can understand that there are other
valuable things that can be compromise if you let someone use your
session, like your personal accounting spreadsheets, and your personal
agenda in Evolution, but passwords are, in my opinion, the keys to
everything, and it only takes a second to memorize.

Of course I don't need my computer to be asking me if it's really me who
is using it all the time, but I don't see why I'll be asking the
computer to display on screen what are my passwords all the time, and
when I do, I wish it could ask me if I'm not someone else.

On Sat, 2011-05-07 at 02:59 +0200, name at domain wrote:
> Again, if you apply what I wrote two messages ago (and it is really a matter
> of seconds) you will be safe w.r.t. basic users. They will not only be able
> to easily see the passwords in Seahorse but also those in Firefox, and your
> personal accounting spreadsheets, and your personal agenda in Evolution,
> and... Do you really want to make all your system check whether it is really
> you before anything you do? No. Just create an invited user and (let the
> screensaver) lock the screen when you leave (and lock the door of the room if
> nobody is supposed to enter!).

arielenter

I am a member!

I am a translator!

Desconectado/a
se unió: 08/25/2010

I just found out that, at least in firefox, you can establish a master
password that will prevent from showing you on screen the stored
passwords without it.

I do agree with what lcerf has said, but wouldn't be better to have this
things for seahorse too? That little extra of security won't do any harm
don't you think?

It had happened to me, many times, that friends of mine let me their
computer for a second just to make a quick fix. A bad friend will want
to see their social network, their email and such passwords first,
before their accounting and schedule. Should we be blaming the users for
been so careless? Couldn't the dev just add a seahorse master password?
I know it won't solve everything but wouldn't improve things?

On Sat, 2011-05-07 at 02:59 +0200, name at domain wrote:
> Again, if you apply what I wrote two messages ago (and it is really a matter
> of seconds) you will be safe w.r.t. basic users. They will not only be able
> to easily see the passwords in Seahorse but also those in Firefox, and your
> personal accounting spreadsheets, and your personal agenda in Evolution,
> and... Do you really want to make all your system check whether it is really
> you before anything you do? No. Just create an invited user and (let the
> screensaver) lock the screen when you leave (and lock the door of the room if
> nobody is supposed to enter!).

Magic Banana

I am a member!

I am a translator!

Desconectado/a
se unió: 07/24/2010

Switching to the invited account is a matter of two clicks with the fast-switch-applet...

Moreover, if, like me, you use the Firemacs extension to Firefox, your friend will be far happier with the invited account and its default configuration!