Re: The situation of KWallet, and what to do about it?

On Mon, July 11, 2016 21:27:54 Thomas Pfeiffer wrote:
> On 07.07.2016 18:43, Elvis Angelaccio wrote:
> >> - We make encrypted password storage optional and non-default (easiest
> >> solution, but not exactly in line with KDE's vision)
> > 
> > I disagree on this point. Even if KWallet were free of usability
> > issues, it would still provide a false sense of security. The user
> > thinks that his/her passwords are safe, while in fact they are not.
> > If we don't have enough manpower to develop and maintain a proper
> > keychain in Plasma, we should tell our users. This way they can make
> > sure that, for example, the unsafely stored Wi-Fi passphrase is not
> > used for other accounts. This is already closer to our vision than the
> > current situation.
> > 
> > My vote is: we either do it right, or we give up. If someone steps up
> > to fix this problem, great. Otherwise we should start to slowly port
> > away from KWallet.
> Good point!
> I still hope we'd find a secure solution, but no central storage may
> indeed be better than an insecure one.

I strongly agree with Reindl's reply... abdicating responsibility because
we can't do it to the level of perfection required to claim security may be
satisfying, but leaving the task to our users to handle alone would be even
less secure.

What we shouldn't do is offer a "secure" solution that we think isn't secure 
-- we need to advertise what we think we can deliver and allow our users to 
make informed decisions from there. We already deliver something better than 
"passwords.txt", and that solution makes it feasible to avoid password sharing 
across web sites, which is one of the big problems we face today.

 - Michael Pyne