'[Bug 149403] New: Wallet should require re-authentication before'

[prev in list] [next in list] [prev in thread] [next in thread] 

List:       kde-bugs-dist
Subject:    [Bug 149403] New: Wallet should require re-authentication before
From:       Jasper <jasper.noid () yahoo ! com>
Date:       2007-08-31 2:48:41
Message-ID: 20070831044838.149403.jasper.noid () yahoo ! com
[Download RAW message or body]

------- You are receiving this mail because: -------
You are on the CC list for the bug, or are watching someone who is.
         
http://bugs.kde.org/show_bug.cgi?id=149403         
           Summary: Wallet should require re-authentication before revealing
                    passwords
           Product: kwalletmanager
           Version: unspecified
          Platform: unspecified
        OS/Version: Linux
            Status: UNCONFIRMED
          Severity: wishlist
          Priority: NOR
         Component: general
        AssignedTo: staikos kde org
        ReportedBy: jasper.noid yahoo com


Version:           1.1 (using KDE KDE 3.5.6)
Installed from:    Unlisted Binary Package

At the risk of causing offense, I want to bring to renewed attention the issue that \
was worded differently in Bug 80063 some 2 years ago. At the time the point was made \
that the wallet shouldn't show the passwords in plain text. I'd like to rephrase the \
issue in the hope of convincing someone that this is worthy of attention.

In my opinion (and also in the opinion of a commenter on the original bug), the \
wallet should require *re-authentication* before showing the passwords. I believe \
re-authentication before exposing security settings to be a fairly standard practice: \
Yahoo mail, for example, requires it before allowing a password change.

The issue is that without the wallet requiring re-authentication, leaving one's \
desktop unlocked becomes an unneccesarily great liability. If I leave my desktop but \
the wallet requires authentication, a malicious party with physical access to my \
computer can essentially access anything that my wallet allows access to - but only \
for the duration of my absence, because he/she will have to scurry when I return from \
my coffee/bathroom break. However, in its current form the wallet doesn't require \
re-authentication before revealing account details, so now the evil party can open up \
my wallet, jot down the account details and take off to later abuse my accounts at \
his leisure from the comfort of his home - without me even knowing it.

To be frank, this risk is too great for me. Yes, obviously I should lock my desktop, \
but to forget is only human. I don't think it is reasonable to justify leaving a \
security issue unaddressed just because users with perfect unfailing memories aren't \
affected by it. I am frankly a bit suprised that the original bug was rejected, \
especially because it seems the re-authentication I am proposing here would fix it in \
a clean and simple way. Also I don't get the point made in the original bug that for \
any scheme there is a 30-second hack to counter it; what 30-second hack circumvents \
re-authentication?


[prev in list] [next in list] [prev in thread] [next in thread]
Configure | About | News | Add a list | Sponsored by KoreLogic