jump to navigation

Chromium saved passwords May 18, 2010

Posted by jdstrand in security, ubuntu.

I make use of the Master Password feature in Firefox. While not on by default, when enabled this feature encrypts your Firefox saved passwords on disk, and Firefox will prompt you when you need access to a saved password. When your browser is not running, your passwords are safe. There is a tool to try to brute force your master password if your machine is stolen, but as long as you use a strong password you should be ok (or at the very least, give you time to change them). For more information, see http://kb.mozillazine.org/Master_password.

This is a nice feature, and one which Chromium lacks. If you let Chromium save your passwords, they are stored in the ‘~/.config/chromium/Default/Web Data’ sqlite database. Displaying them is surprisingly easy (this is 5.0.342.9~r43360-0ubuntu2 on Ubuntu 10.04 LTS, newer versions may save them somewhere else):

$ echo 'SELECT username_value, password_value FROM logins;' | sqlite3 ~/.config/chromium/Default/Web\ Data | grep -v '^|$'

As you can see, in essence your passwords are stored in plain text on your disk (though the ~/.config/chromium directory does have 0700 permissions). I won’t go into the reasons why Google hasn’t implemented this feature yet since people can read the bug, but it seems clear that:

  • Google is not going to fix this anytime soon
  • People need a way to protect themselves

There are some alternatives with LastPass and RoboForm, but these apparently require you to store your passwords online (I’ve not verified this personally). As it stands, there is not a way to lock your saved passwords, so I encourage Chromium users to encrypt their data using eCryptfs or LUKS full disk encryption so that at least when you turn off your computer the passwords are not readily available. In Ubuntu, you can:

  • setup LUKS full disk encryption using the alternate installer
  • setup an encrypted home directory in all the Desktop and Server installers (or migrate an existing home directory by using ‘ecryptfs-migrate-home’)
  • setup an encrypted private directory using ‘ecryptfs-setup-private’ (if you go this route, you’ll want to move ~/.config/chromium and ~/.cache/chromium into the encrypted directory and use symlinks to point to them)

In this scenario, normal DAC permissions will protect your passwords on multiuser systems (though you’ll need to be careful about the security of backups) and encrypted disks/folders will protect them in the case of theft. As always, please be vigilant about screen locking when you leave your computer while logged in though….


1. Emanuel - May 18, 2010

hm, as i tested your command snippet, i got an error:

$ echo ‘SELECT username_value, password_value FROM logins;’ | sqlite3 ~/.config/chromium/Default/Web\ Data | grep -v ‘^|$’
Error: near line 1: database is locked

Does that meen there is a user/pwd to access this db? I don’t know much about sqlite3.

jdstrand - May 18, 2010

You will have to either close chromium if it is open or copy ‘Web Data’ to /tmp and do the operation there.

2. Emanuel - May 18, 2010

my version is exactly the same as yours: 5.0.342.9 (43360) Ubuntu

3. Alex - May 18, 2010

There is a standard D-Bus interface for interacting with a service that stores secrets. gnome-keyring-daemon already seems to support it. I really hope that Firefox and Chrome/Chromium will both switch to that once KWallet supports it.

4. Huygens - May 19, 2010

There are several tools to keep your passwords safe locally (like KeePass which can also run on Linux).
Firefox is cool because you can safely store your password locally, and by using Weave, you also do so online (so they can be synchronised).
For other browsers, it is safer to use 3rd party application that do encryption.

5. Ludvig - September 16, 2010

Actually, Chrome does have support for gnome-keyring already (at least in my version: 6.0.472.53 (57914) Ubuntu 10.04). Just start it with the flag –password-store=gnome to use it. That will enable use of the keyring, and also migrate existing passwords there.

See: http://groups.google.com/a/chromium.org/group/chromium-dev/browse_thread/thread/814d112acb8944c2?pli=1

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: