Chromium saved passwords May 18, 2010
Posted by jdstrand in security, ubuntu.trackback
I make use of the Master Password feature in Firefox. While not on by default, when enabled this feature encrypts your Firefox saved passwords on disk, and Firefox will prompt you when you need access to a saved password. When your browser is not running, your passwords are safe. There is a tool to try to brute force your master password if your machine is stolen, but as long as you use a strong password you should be ok (or at the very least, give you time to change them). For more information, see http://kb.mozillazine.org/Master_password.
This is a nice feature, and one which Chromium lacks. If you let Chromium save your passwords, they are stored in the ‘~/.config/chromium/Default/Web Data’ sqlite database. Displaying them is surprisingly easy (this is 5.0.342.9~r43360-0ubuntu2 on Ubuntu 10.04 LTS, newer versions may save them somewhere else):
$ echo 'SELECT username_value, password_value FROM logins;' | sqlite3 ~/.config/chromium/Default/Web\ Data | grep -v '^|$'
username|password
username2|password2
As you can see, in essence your passwords are stored in plain text on your disk (though the ~/.config/chromium directory does have 0700 permissions). I won’t go into the reasons why Google hasn’t implemented this feature yet since people can read the bug, but it seems clear that:
- Google is not going to fix this anytime soon
- People need a way to protect themselves
There are some alternatives with LastPass and RoboForm, but these apparently require you to store your passwords online (I’ve not verified this personally). As it stands, there is not a way to lock your saved passwords, so I encourage Chromium users to encrypt their data using eCryptfs or LUKS full disk encryption so that at least when you turn off your computer the passwords are not readily available. In Ubuntu, you can:
- setup LUKS full disk encryption using the alternate installer
- setup an encrypted home directory in all the Desktop and Server installers (or migrate an existing home directory by using ‘ecryptfs-migrate-home’)
- setup an encrypted private directory using ‘ecryptfs-setup-private’ (if you go this route, you’ll want to move ~/.config/chromium and ~/.cache/chromium into the encrypted directory and use symlinks to point to them)
In this scenario, normal DAC permissions will protect your passwords on multiuser systems (though you’ll need to be careful about the security of backups) and encrypted disks/folders will protect them in the case of theft. As always, please be vigilant about screen locking when you leave your computer while logged in though….
Blog: jdstrand 
hm, as i tested your command snippet, i got an error:
$ echo ‘SELECT username_value, password_value FROM logins;’ | sqlite3 ~/.config/chromium/Default/Web\ Data | grep -v ‘^|$’
Error: near line 1: database is locked
Does that meen there is a user/pwd to access this db? I don’t know much about sqlite3.
You will have to either close chromium if it is open or copy ‘Web Data’ to /tmp and do the operation there.
my version is exactly the same as yours: 5.0.342.9 (43360) Ubuntu
There is a standard D-Bus interface for interacting with a service that stores secrets. gnome-keyring-daemon already seems to support it. I really hope that Firefox and Chrome/Chromium will both switch to that once KWallet supports it.
There are several tools to keep your passwords safe locally (like KeePass which can also run on Linux).
Firefox is cool because you can safely store your password locally, and by using Weave, you also do so online (so they can be synchronised).
For other browsers, it is safer to use 3rd party application that do encryption.
Actually, Chrome does have support for gnome-keyring already (at least in my version: 6.0.472.53 (57914) Ubuntu 10.04). Just start it with the flag –password-store=gnome to use it. That will enable use of the keyring, and also migrate existing passwords there.
See: http://groups.google.com/a/chromium.org/group/chromium-dev/browse_thread/thread/814d112acb8944c2?pli=1