Security - Password Security - Unlocked Keyrings

[germany]

Hi everyone,
I'm starting a new thread because of this posting here: viewtopic.php?p=803036#p803036

I'm a professional computer technician and I've built literally hundreds of machines with Windows and MX Linux for clients as well as businesses. I keep things as secure as requested/needed by a client. But for personal use I keep our personal machines fairly unsafe with login password disabled, screenlock disabled, etc. We don't sync any of our infomation with other computers, web browsers, and most important of all we don't sync anything to our phones. Our internet router uses a 20 character encrypted password (according to hacker conventions anything with 16+ characters/special characters is virtually hack-proof) and we use LAN cables as opposed to WiFi connections.
So my question is this:

Should anyone who uses computers as we do in our household, complete with password protection apps and never saved passwords in a web browser *STILL* make use of the password keyring, and why?

I'm hoping to turn this into a productive debate because different types of people and organizations require different levels of security. Windows does not have some weird keyring password function which causes a message to appear each time a web browser is opened, telling the user that a password key needs to be unlocked. So why does this happen with Linux? And no, before you tell me how terrible Windows is as far as security is concerned, I'll tell you that with decades of experience I have yet to have a single customer who's system got hacked, Windows or otherwise. UEFI has made a huge difference where security is concerned. So have encrypted password phrases with special characters. Where does a user stop worrying about security .... I'm talking primarly about individuals on machines with just that one user, nothing being shared or synced with other users or machines.

.

[fehlix]

What do you think is Chromiums master key for? Why do they need it?

[germany]

I'm sorry but in context to this thread I do not understand your question. I'm trying to find out how different people perceive security and how different people treat the matter. This has nothing to do with just the Chrome/Chromium keyring.

.

[CharlesV]

In today's environment I would never NOT have a password. The ability to loose a machine is too great. (And yes, I have been working with computers for 35 years and also built and support hundreds of computers - still do.)

The reason chrome is asking for passwords is because it wants to have the ability to manage your online passwords. ( bad idea imo ). and there are several way stop it fro asking.

https://easylinuxtipsproject.blogspot.c ... .html#ID15
( or a quick look around on the internet will tell you much more.)

As they say, your mileage may very ... if you have any interest in security then I would strongly suggest a) having a password to get into your computer, b) a second password to get into an encrypted password manager, and then c) use that password manager to handle everything else.

[germany]

Thank you. That makes perfect sense. Of course we have a password manager to manage everything away from the web browsers. Each machine also has it's own password. We just keep the password option disabled most of the time because truly, never ever, is anyone in our home who could muck around with our systems. Nobody. If there's any reason to have strangers or others in the house for a number of hours, then we enable our passwords for reboots, logons, etc. Doesn't take but a minute.
The machines that I build for clients all have passwords but now and then I'm asked to remove even that. At that point I mention the importance of security etc., but end up doing what the client wants. In the end they're responsible for their system, not me.

[Eadwine Rose]

Please click the checkmark in the top right of the post (to the left of the username/user image) that holds the solution to mark the topic solved, thanks :)

[germany]

Please click the checkmark in the top right of the post (to the left of the username/user image) that holds the solution to mark the topic solved, thanks :)

Hi. This post was actually supposed to trigger some debate / conversation about security. There's not really an actual solution to this since multiple different types of users have different opinions about their security ....

.

[davidy]

Whenever I open ungoogled-chrome's appimage it asks for the key and I ignore it. I haven't allowed a browser to manage passwords in well over a decade. I reinstalled light-locker recently and then quickly disabled it from startup as I, the only user, don't want to have to login every time the pc starts. But with ight-locker installed I can very quickly change that if needed. I have no idea what the actual keyring password is either and really dont care. I use password safe on every device I own. It works and I can easily share it's db without jumping through hoops or needing an addon or whatever.

[fan_of_LTS]

It's important to remember that with security one mistake can be costly. Even if you feel you have no reason to use a password manager or login password now, the practice is useful. Developing good habits can be helpful if your situation changes.

I don't use password managers in browsers either. KeepassXC works well for me. If you have good encryption and passwords don't forget to get good at backups too.

[davidy]

Isn't the right to privacy in the constitution? When we the people take that entirely back and enforce it we will gain all the security you never thought you needed. All the insecurities in everything will simply vanish as if by magic.