ZakGordon wrote: ↑Fri Feb 21, 2020 5:14 am
This new Chromium insistence on 'needing' a password, with no clear opt-out option is just part of this growing problem imho.
I'd want to note that this bit really isn't very true. If a program stores e.g. passwords, having it do so through a central, system-supplied "secrets-store" (i.e., the keyrings) is easily better than having each individual such program implement its own security vulnerabilities, certainly if said program is a browser that already stores basically all passwords relevant to the average user anyway. I.e., independently developed, primarily focussed on keeping secrets rather than on e.g. browsing, and configurable by the user to require or not require a master password, the store to be encrypted or not encrypted, ....
Also related to another part of your post, i.e., that "all consumer-level encryption can be broken". "Consumer-level" doesn't mean much, and in that sense, no, it really cannot, if you just use e.g. big enough keys. It's a field of mathematics I'm not big on but still do know enough about to be aware of the nature of the difficulties: whereas to a mathematician calling them "fundamental" tends to not feel right, anyone else should really feel very free to call them precisely that. Beyond access to compute power there's really very little difference between "consumer-level" and any other level --- and specifically this then also means that a central, encrypted password store is not necessarily a bad idea, really not even if stored "in the cloud".
I.e., I guess you are referring to the LastPass security incident of a few years back, but it was not the case that this "basically exposed millions of people passwords to the black-market". It exposed zero passwords to such; it only exposed binary blobs of in practice indecipherable ones and zeros. Which wouldn't be to say I'd urge anyone to use a cloud-based service; keeping it local makes perfect sense, but for many, not keeping one at all simply doesn't work any more, doubly given that thing above about memorable passwords versus strong ones. Now, that fact in and of itself you may of course consider a problem, but it's not Chromium's or the keyring system's problem; that in and of itself is fine...
[EDIT] I don't use LastPass so hadn't paid close attention, but while the above is true, e.g. https://www.skyhighnetworks.com/cloud-s ... s-exposed/ would say this was still a bit more serious than said above would imply. That is, with master-password reminder questions also compromised, if, as that article also says, a reminder question is "Who was my favourite teacher?" or some such, simply trying popular names may be effective to guess at the master password.
Anyways. Wanted to add that on reading that description, but system-local keyrings are still fine, or at least as fine or finer than system-local application-specific stores...
[EDIT] And another edit.... it might pay if I actually read the entire article before commenting. Nah, no, not even the above it seems. I.e., not even "binary blobs" were exposed; not the password vaults themselves, whereby none of it is available for offline mass brute-forcing; an attacker seemingly needed to log in to LastPass to gain access to the actual vault even after compromising a master password. That's all to say that while it was a serious breach, one should be quite aware what context the word "serious" is in fact to be interpreted in.
ANYWAYS! System-local keyrings [ etc. ]. Shall shut up now.