[Bug 397466]
Mgraesslin
397466 at bugs.launchpad.net
Mon Dec 24 07:07:49 UTC 2012
As a matter of fact KWallet is not very secure in the first place. With a
password it is secure as long as you have not opened the wallet. Once the
wallet is open it is insecure in the following (obvious) ways:
* all information on how to read the passwords has to be in memory. Reading
the memory would provide the passwords. Turning off the system would not
protect against it (cold boot attack [1])
* there is no authentication between applications and the wallet. Establishing
authentication is hardly possible on an open system.
Overall I would say if you do not fear that someone would get access to your
turned off system there is no need to have a password. That is, a desktop
system is probably fine without a password, but on a notebook which could be
stolen one should consider using one. There is probably a higher risk from
malware interacting with the open wallet than that someone steals the hard
disk.
In most cases the mentioned LUKS solution is excellent, though I just need to
point out that it's of course also breakable by cold boot attacks.
I'm not a KWallet developer, just subscribed to this report and interested in
IT security (was my major in my Master's program). If you now think that
KWallet is insecure: be aware that these are problems probably visible in all
password store solutions. The security model of Linux is "if it runs, it's
trusted", which means one does not have to consider malicious software.
[1] http://en.wikipedia.org/wiki/Cold_boot_attack
--
https://bugs.launchpad.net/bugs/397466
Title:
There is no KWallet PAM integration