password deletions without warning
Reported by
nick_lev...@yahoo.com,
Jun 15 2016
Issue description

Chrome Version: (Chromium) Version 51.0.2704.79 (64-bit)
URLs (if applicable): https://bugzilla.opensuse.org/show_bug.cgi?id=977941#c18
Other browsers tested: Not relevant
Add OK or FAIL, along with the version, after other browsers where you have tested this issue:
Safari:
Firefox:
IE:

What steps will reproduce the problem?
(1) Install openSUSE 13.2 Linux with Chromium and keep evergreen.
(2) In some updates, read before-and-after descriptions.
(3) Find statement in "after" description about Chromium deleting passwords with warning during "before" stage.

What is the expected result?
Passwords should be kept or migrated safely.

What happens instead?
Passwords were and maybe still are deleted.

Please provide any additional information below. Attach a screenshot if possible.

When you discontinue password storage and delete users' passwords, please provide advance notice designed to let users migrate, preserve, sync, or otherwise be able to use their passwords after you have deleted them. There should be no interruption in their ability to use anything needing a password and no need to say that a password was lost and get a reset, which is not always easy to do.

In openSUSE 13.2 Linux, which I keep evergreen, every few weeks an OS update announces this: "By using the openSUSE update-alternatives the password store for Chromium is changed to utilize Gnome's Keyring. Please be aware that by this change the old password [sic] are no longer accessible and are also not converted to Gnome's Keyring." A similar statement refers to KDE's KWallet. This statement appears only after an update is completed, so there is no possibility of recovering passwords. No warning precedes deletion. No migration is offered or performed.

Two possibilities are present. One is that deletion can never happen again. The package description, by being written in the present tense, is out of date. In that case, the statement needs to be edited to the past tense. The other possibility is that deletion can happen again. Apparently, Chromium has resumed accepting passwords into storage. Whether storage is in the local computer or in the cloud doesn't matter. What matters is that there is storage somewhere. That means it's possible Chromium will once again stop storing passwords and then delete those it has without warning.

When an update is offered, the Chromium update that includes password deletion should begin with a warning and a user opt-in. Precedent exists. A while back, for some OS or other, a group of updates included one requiring agreement to license terms for one software package. I refused to agree, and that prevented the update, but I could still use the computer.

Synchronizing passwords has been suggested. I understand a user can sync into Google's cloud. That's fine but must require an opt-in. Sync'ing automatically would be a security risk several times over. First, logging into the Google cloud while sitting in a public place or at work may require exposing a password to someone else, so a user must be allowed to delay an update until sync'ing can be done privately. Second, letting a nonroot user sync root's various passwords could expose root's passwords and what they're used for to a nonroot user. Third, the user's Google cloud password may be unknown to root, blocking root from accessing root's own passwords. Thus, synchronization cannot be automatic without root's approval.

I am told (https://bugzilla.opensuse.org/show_bug.cgi?id=977941#c14) that the decision to delete passwords is made by Chromium/Chrome developers, thus upstream from the Linux distro, so I'm reporting here.

In the attachment, scroll to the big hand-drawn arrow. The rest is context.
Jun 17 2016

Jun 17 2016
Thanks for the report, sorry to hear about the trouble.

First, there is no code in Chrome to delete your passwords when the storage backend is changed, so you should be able to recover them. If I understand this correctly, you used Chrome before without Gnome Keyring / KWallet. That means that the passwords should still be in your profile's Login Data database. Run Chrome with --password-store=basic; that will force using the profile database. You should be seeing your passwords in chrome://settings/passwords again. If you want to migrate them to the Keyring / KWallet, there are two ways:

* Use sync. You can use it even just temporarily, with a one-time account and custom passphrase for maximum protection.
* Use the experimental import/export feature (bug 341477, use chrome://flags/#password-import-export, only in Chrome versions 52+). Note: this is not a complete feature yet, e.g., basic HTTP auth passwords are not yet exportable.

Second, I agree with you that it is a bug to silently change the password storage backend, resulting in the feel of lost passwords. Normally I would propose to fix it by at least some user-facing messaging, but actually we are in the process of getting rid of the Keyring and KWallet backends and sticking to the Login Data database on all of GNU/Linux for simplicity. This is a work in progress (bug 602624 adds a proper encryption implementation and bug 571003 drops the backends), so not done yet, but it does not make sense to stop that just to implement the warning which will become obsolete soon after. There will be migration code for bug 571003, so switching back to the database from Keyring / KWallet won't result in disappearing passwords.
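The reply above rests on one claim: a backend switch does not touch the profile's Login Data SQLite file, so the entries are still there. The following is an added example (not code from this thread or from the Chromium project) that lets a user verify that claim before and after a backend change: it takes an inventory of (origin_url, username_value) pairs from the `logins` table, opened read-only, and diffs two snapshots. It never reads `password_value`, and the sample database it builds is a constructed, simplified stand-in for the real table, which has many more columns.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

# Real column names from Chromium's Login Data "logins" table. The check
# deliberately reads only these two; the encrypted password_value is never
# touched, since knowing WHICH entries exist is enough to detect loss.
INVENTORY_COLUMNS = ("origin_url", "username_value")


def login_inventory(db_path):
    """Set of (origin_url, username_value) pairs in a Login Data file.
    Opened read-only; run it against a copy, or with Chromium closed,
    because the running browser holds the file locked."""
    uri = Path(db_path).resolve().as_uri() + "?mode=ro"
    con = sqlite3.connect(uri, uri=True)
    try:
        cols = ", ".join(INVENTORY_COLUMNS)
        return {tuple(r) for r in con.execute(f"SELECT {cols} FROM logins")}
    finally:
        con.close()


def missing_after_migration(before, after):
    """Entries in the pre-switch snapshot that are absent afterwards.
    An empty set means the backend change lost nothing."""
    return before - after


def make_sample_login_data(db_path, entries):
    """Constructed stand-in for a Login Data file (columns this check uses
    only); real files are created by Chromium, not by this helper."""
    con = sqlite3.connect(db_path)
    with con:
        con.execute("CREATE TABLE logins (origin_url TEXT NOT NULL, "
                    "username_value TEXT, password_value BLOB)")
        con.executemany("INSERT INTO logins VALUES (?, ?, ?)",
                        [(o, u, b"<opaque-blob>") for o, u in entries])
    con.close()


def demo():
    """Simulate a switch that dropped one entry; returns the lost pairs."""
    with tempfile.TemporaryDirectory() as tmp:
        old, new = os.path.join(tmp, "old.db"), os.path.join(tmp, "new.db")
        make_sample_login_data(old, [("https://example.com/", "alice"),
                                     ("https://example.org/", "bob")])
        make_sample_login_data(new, [("https://example.com/", "alice")])
        return missing_after_migration(login_inventory(old), login_inventory(new))


if __name__ == "__main__":
    print("entries lost by the simulated switch:", sorted(demo()))
```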
Jun 18 2016
This makes sense. I didn't store my passwords within Chromium, but I saw these after-deletion messages a whole bunch of times, and it looked like someone was being sloppy about other people's security (one message could be an oversight, but multiples indicated that someone was not talking to someone else, and the result was discoordination that loosened security). I was concerned about users in general, and conceivably I might use the storage option myself some day, so I posted to the distro's bug system so we could get advance notice in time to act. Your answer implies that the software description I quoted above was wrong, because deletion didn't occur and the passwords can indeed be recovered and/or migrated. I plan to try to find out which organization is responsible for the description and ask for it to be corrected in light of your reply. The timing of your development plan, and skipping a step that will quickly become obsolete, sounds fine. Thank you for letting us know.
Jul 30 2016
The messages in openSUSE for Gnome and KDE were rewritten, and the one for Gnome has appeared in an update, so the one for KDE likely will appear, too. I assume that solves the information problem until the Google/Chromium work itself is done (per comment 3 above). Thanks.
Comment 1 by ashej...@chromium.org, Jun 17 2016