TIL - That Despite Your Best Efforts Your Passwords are Stored in Plaintext! by williambanks

http://memecrunch.com/meme/9Y81X/oops-kitten/image.jpg

This is going to be short.
Early yesterday I had a drive crash and it took out my user data cache.
Fortunately I was able to recover everything, except that I keep my keys and passwords in a highly encrypted tool called KeePass, and its DB was damaged.

I fired up chrome and everything was missing, history, logins, you name it, the chrome cache folder had been wiped out.

I genuinely believed this information was gone, including the password for my steemit account (which would have been devastating).

In the process of exploring what was left I found a tool called [seahorse](https://wiki.gnome.org/Apps/Seahorse), it's a default part of the OS and I had never paid much attention to it before.  But I opened it up and HOLY SHNIKEES BATMAN!  It has a section called "logins" that had stored in plain text every single password to every single website I had ever visited since I installed the OS.
http://cdn.ghacks.net/wp-content/uploads/2009/09/seahorse_main.png
*right there under the passwords tab*

To make things more interesting, I found that this tool has a lot of uses and functions and you can do some really fun advanced crypto with it.  No one talks about it much, but it's there.
The datastore itself appears to be set up by default to unlock with the same password you use to log in to the OS, which is disturbing to me on a number of levels.

This means that unless you have whole-disk encryption, your steemit password is at risk if you're running any version of Linux that uses this, and blowing away your web cache (clearing cookies, cache, passwords) does not fix it.
Finally, in the absence of this tool, it turns out that Chrome just stores this information on the hard drive in plain text.

If you've forgotten your passwords, you can always get to them in plain text by going here...
[chrome://settings/passwords](chrome://settings/passwords)  (you'll need to copy and paste it; the link isn't really clickable.)
Keep in mind that google has also backed these up to the cloud for you as well.
http://www.makeuseof.com/tag/view-chromes-saved-passwords-anywhere-stop/
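The post only points at the chrome://settings/passwords screen. As an added example (not from the post, and not Chrome's own code), here is a read-only audit of the file behind that screen. It assumes that Google Chrome on Linux keeps the default profile's password store at `~/.config/google-chrome/Default/Login Data`, an SQLite file whose `logins` table has `origin_url` and `password_value` columns, and that Chrome's Linux OSCrypt prefixes each stored password with `v10` (encrypted with a key built into the browser, so obfuscation only) or `v11` (encrypted with a key held in the OS keyring, i.e. the Seahorse store above). The sample database it falls back to is constructed. It never decrypts anything; it reports how many credentials exist and which scheme protects them, which is what you need to know before deciding whether clearing saved passwords and moving to KeePass is enough.

```python
import shutil
import sqlite3
import tempfile
from collections import Counter
from pathlib import Path

# Prefixes Chrome's Linux OSCrypt writes in front of each stored password
# (assumption stated in the lead-in):
#   v10 -> key built into the browser itself: obfuscation, not protection
#   v11 -> key kept in the OS keyring (GNOME Keyring / KWallet)
#   anything else, or empty -> no wrapping at all
def classify_password_blob(blob):
    if not blob:
        return "empty"
    if blob.startswith(b"v10"):
        return "v10-browser-key"
    if blob.startswith(b"v11"):
        return "v11-os-keyring"
    return "unwrapped"

def audit_login_data(db_path):
    """Count saved logins in a Chrome 'Login Data' file by protection scheme.
    Works on a read-only copy because a running Chrome locks the live file.
    Returns (counts_by_scheme, sorted_origins); password bytes never leave here."""
    with tempfile.TemporaryDirectory() as tmp:
        copy = Path(tmp) / "LoginData.sqlite"
        shutil.copy2(db_path, copy)
        conn = sqlite3.connect(copy.as_uri() + "?mode=ro", uri=True)
        try:
            rows = conn.execute(
                "SELECT origin_url, password_value FROM logins"
            ).fetchall()
        finally:
            conn.close()
    counts = Counter(classify_password_blob(pw) for _, pw in rows)
    origins = sorted({origin for origin, _ in rows})
    return dict(counts), origins

def build_sample_login_data(path):
    """Constructed stand-in with the relevant columns of Chrome's `logins`
    table (NOT a real profile; the password blobs are dummy bytes)."""
    conn = sqlite3.connect(path)
    conn.execute("CREATE TABLE logins (origin_url TEXT NOT NULL, "
                 "username_value TEXT, password_value BLOB)")
    conn.executemany("INSERT INTO logins VALUES (?, ?, ?)", [
        ("https://steemit.com/login", "alice", b"v10" + b"\x00" * 16),
        ("https://example.org/",      "alice", b"v11" + b"\x01" * 16),
        ("https://example.net/",      "bob",   b"v10" + b"\x02" * 16),
        ("https://legacy.example/",   "carol", b""),
    ])
    conn.commit()
    conn.close()

def audit_sample():
    """Build the constructed sample in a scratch directory and audit it."""
    path = Path(tempfile.mkdtemp()) / "Login Data"
    build_sample_login_data(path)
    return audit_login_data(path)

def default_profile_login_data():
    """Google Chrome on Linux, default profile (Chromium uses
    ~/.config/chromium/Default/Login Data instead)."""
    return Path.home() / ".config" / "google-chrome" / "Default" / "Login Data"

if __name__ == "__main__":
    live = default_profile_login_data()
    counts, origins = audit_login_data(live) if live.exists() else audit_sample()
    print("saved logins by protection scheme:", counts)
    print("sites with a saved password:", len(origins))
    if any(counts.get(k) for k in ("v10-browser-key", "empty", "unwrapped")):
        print("some saved passwords are protected by nothing stronger than disk access")
```

A non-zero `v10-browser-key`, `empty` or `unwrapped` count means those secrets are only as safe as the disk they sit on; `v11-os-keyring` entries are only as safe as the keyring, which, as the post notes, opens with the login password. After moving credentials into a password manager and clearing saved passwords in Chrome, re-run it and expect every count to be zero.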

The solution to this is to not allow your web browser to store your password, but to use a tool like KeePass and keep your password DB backed up.  Also use whole-disk encryption whenever possible, and if not, then at least make sure your user data partition is encrypted.
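The fix recommended here has two parts you can check rather than assume: is the user data actually on an encrypted device, and is the default keyring the "login" keyring that unlocks with the OS password? As an added example (not the post's code, and not part of gnome-keyring or util-linux), the script below answers both from `lsblk -J -o NAME,TYPE,MOUNTPOINT` output and from gnome-keyring's `~/.local/share/keyrings/default` marker file. The `lsblk` tree it tests against is a constructed sample; the assumptions are that LUKS/dm-crypt devices appear in `lsblk` with type `crypt`, and that gnome-keyring writes the name of the default keyring (normally `login`) into that marker file.

```python
import json
import subprocess
import tempfile
from pathlib import Path

# Constructed sample of `lsblk -J -o NAME,TYPE,MOUNTPOINT`: a LUKS volume
# ("crypt") carrying an LVM group with / and /home, plus an unencrypted /boot.
SAMPLE_LSBLK = {"blockdevices": [
    {"name": "sda", "type": "disk", "mountpoint": None, "children": [
        {"name": "sda1", "type": "part", "mountpoint": "/boot"},
        {"name": "sda2", "type": "part", "mountpoint": None, "children": [
            {"name": "cryptroot", "type": "crypt", "mountpoint": None, "children": [
                {"name": "vg-root", "type": "lvm", "mountpoint": "/"},
                {"name": "vg-home", "type": "lvm", "mountpoint": "/home"},
            ]},
        ]},
    ]},
]}

def _walk(nodes, under_crypt=False):
    """Yield (mountpoint, encrypted) for every mounted node in the lsblk tree.
    A node counts as encrypted if it or any ancestor is a dm-crypt device."""
    for node in nodes:
        enc = under_crypt or node.get("type") == "crypt"
        if node.get("mountpoint"):
            yield node["mountpoint"], enc
        yield from _walk(node.get("children", []), enc)

def path_is_on_encrypted_device(lsblk_tree, path):
    """True if the filesystem holding `path` sits on a dm-crypt device.
    Uses the longest mountpoint that is a prefix of `path`, so /home/alice
    resolves to /home when that is a separate mount and to / otherwise.
    Returns None when no listed block device holds the path (tmpfs, NFS...)."""
    mounts = dict(_walk(lsblk_tree["blockdevices"]))
    candidates = [m for m in mounts
                  if path == m or path.startswith(m.rstrip("/") + "/")]
    if not candidates:
        return None
    return mounts[max(candidates, key=len)]

def live_lsblk():
    """Query this machine (needs util-linux with JSON output support)."""
    out = subprocess.run(["lsblk", "-J", "-o", "NAME,TYPE,MOUNTPOINT"],
                         capture_output=True, text=True, check=True).stdout
    return json.loads(out)

def default_keyring_is_login(keyrings_dir):
    """gnome-keyring records the default keyring's name in <dir>/default.
    'login' is the keyring PAM unlocks with the OS login password, i.e. the
    auto-unlock behaviour the post describes. None if the marker is absent."""
    marker = Path(keyrings_dir) / "default"
    if not marker.exists():
        return None
    return marker.read_text().strip() == "login"

def build_sample_keyrings_dir():
    """Constructed stand-in for ~/.local/share/keyrings (not a real keyring)."""
    d = Path(tempfile.mkdtemp())
    (d / "default").write_text("login\n")
    (d / "login.keyring").write_bytes(b"")  # placeholder; real files are binary
    return d

def audit(lsblk_tree, keyrings_dir, home):
    """The two-line exposure summary: is the home directory encrypted at rest,
    and does the default keyring open by itself at login?"""
    return {
        "home_encrypted": path_is_on_encrypted_device(lsblk_tree, str(home)),
        "default_keyring_auto_unlocked": default_keyring_is_login(keyrings_dir),
    }

if __name__ == "__main__":
    try:
        tree = live_lsblk()
    except (OSError, subprocess.CalledProcessError, ValueError):
        tree = SAMPLE_LSBLK  # no usable lsblk here: use the constructed sample
    home = Path.home()
    keyrings = home / ".local" / "share" / "keyrings"
    if not keyrings.exists():
        keyrings = build_sample_keyrings_dir()
    print(audit(tree, keyrings, home))
```

`home_encrypted: False` with `default_keyring_auto_unlocked: True` is exactly the configuration the post warns about: the keyring opens at login and its file sits on a disk anyone can read offline. One caveat: home-directory encryption done at the filesystem layer (ecryptfs, fscrypt) does not show up as a `crypt` block device, so a `False` from this check means "verify by hand", not "definitely unencrypted".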

As always this post is 100% steem powered!

@anwarabdullah

@steevc (edited)
Hi. Just a bit of advice based on my experience here. Make comments that actually contribute to the discussion. Generic comments like this may be considered to be spam by some people.

@anwarabdullah
If you think my comment is not worthy, I'm sorry but it was a nice comment in my opinion

@steevc
I'll have to check on that. I use Lastpass to store my passwords

@ryivhnn
Ack! Well at least you managed to recover your passwords D:

@cryptomancer
Oh man, sounds like you managed to dodge a bullet here.  I'm glad you got your passwords back, but this is also scary at the same time.  Hard to ever be totally sure of what your computer is doing without you being aware.  Sometimes I look at Task Manager and wonder just what all that crap is that I have running...

I have so many passwords / keys / important stuff these days that I'm getting rather paranoid about losing it all by accident someday.  So I keep a triple backup of my most important stuff on a home NAS, USB drive, and 2nd USB drive stored in a locked drawer at my office.

@williambanks
Yeah I really did dodge a bullet there.  Fortunately, I was able to recover and I'm taking active measures like yours now to make sure it never happens again.  I was really lucky this was only personal stuff.  Thankfully with business related stuff I'm a lot better about hygiene and use custom key stores, with a few different backup modes including a steganographic option.

@kooshikoo
Oh no, your post has given me even more security angst! The truth is painful sometimes. Now I need to encrypt my hard drives, blah.
Thanks for this useful anxiety-producing info, that's much appreciated, lol.

@demotruk (edited)
Ugh. I just want to be able to use an external device (key) which uses digital signing on the device itself to log me in for every website. None of this stupid password bullshit, we should be leaving it in the past. It is basically an impossible task to use passwords securely, no matter how hard you try, there are always serious vulnerabilities.

I have a Yubikey Neo which is great, but it only works for a few sites. Mostly I have to use LastPass, which probably has the same vulnerability as you're describing here.

@anwarabdullah
I agree with your opinion, but not everyone is equal. If I had someone else would comment I've read the first post, my new comments, that's my differences with others...

@mafkikker
Excuse my ignorance, but I go to the chrome://settings/passwords link and I see the list of websites/passwords ... but the passwords are not in plain text as you mention. Am I missing a step or are there other settings which keep this encrypted perhaps?

@williambanks
They are in plaintext.  You need to go over the little dots that obscure it and click them, then click on "show".
This isn't really the dangerous part though; the browser does need to save off the plain text somewhere so it can log you into sites.  However, having the browser save them in the first place is bad because...

The dangerous part is that they are saved out to your hard drive without encryption and also in your google account unencrypted, and evidently the google account of anyone who "logs into chrome" from your browser if you don't log into chrome yourself, according to that link.

@buzzbeergeek
I have my passwords stored in LastPass. Is that an OK level of security? If I just compromised myself, tell me to destroy this post.

@williambanks
No, lastpass appears to be as far as I can tell a very reasonable choice.  I use keepass myself because I don't like anything "syncing my passwords".  

This post is about letting your browser save the password and the fact your browser isn't taking adequate steps to encrypt your passwords locally.  Plus it's backing them up to google whether you like it or not and google is leaving them unencrypted as well, unless you take positive action to force google to encrypt.  

However, in order to take that step you must first log into your google account and if you're like me and don't have a google account, google assigns them to the first person who does log in using your browser.  Gotta love Google!

@buzzbeergeek
Very helpful! Thanks! Feeling better already!

@lukestokes
Seems [it is encrypted](https://productforums.google.com/forum/#!topic/chrome/p0vglq4ZG-8), but [easy to decrypt](https://www.codeproject.com/Articles/1167935/The-Secrets-of-Google-Chrome-Credentials). (links [via Reddit](https://www.reddit.com/r/chrome/comments/5spfx5/is_it_safe_to_store_passwords_in_chrome_now/)).

I always encouraged people to use 1Password. Keep that stuff encrypted, yo. Only unlock it when you need it. Keep your anti-virus up-to-date and your OS' security patches.

@gr1b17cy
I use [enpass](https://www.enpass.io/) myself. They have an app for every platform and they also allow you to freely store your database anywhere for you to access it. Comes in handy with your mobile devices :)