
What's the alternative?

Even if it encrypts the passwords before storing them on disk, the encryption/decryption keys are necessarily on disk anyway, no?



No.

You can use a master password to decrypt your encrypted password database.

Your operating system might have a keyring service or an encrypted filesystem you can use to store your keys in.

You might even use a hardware token, or some specialized on-board hardware for storing your passwords securely.


It's just a matter of time to find the right auto-fill form and replay the HTTP post data.


Every desktop environment that I'm familiar with (OSX, KDE, Gnome) has a built-in password manager to hook into, that stores the data encrypted and prompts the user for a master password in some configurable way. I'm guessing that if the OSX and Linux variations of Chrome get any traction, hooking into the password manager will probably be done.

I have no idea if Windows has a password manager, but I don't know why it wouldn't.


The OSX version seems to use Keychain.


You can make the user enter a master password.
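
The master-password approach raised in the replies above, as an added example that is not part of the thread and is not the code of Chrome or of any keyring: the key is derived from the password at unlock time with scrypt, so only a salt, a nonce and AES-256-GCM ciphertext are written to disk. The function names, the scrypt parameters and the sample credential are assumptions made for this illustration.

```javascript
// Added example; identifiers, parameters and sample data are constructed for illustration.
const crypto = require('node:crypto');

// scrypt cost parameters (assumed values; raise N as far as your hardware allows).
const KDF = { N: 16384, r: 8, p: 1 };

// Constructed sample credential store.
const SAMPLE = [{ site: 'https://example.test/login', user: 'alice', password: 'constructed-sample-pw' }];

// Derive a 256-bit key from the master password. It exists only in memory.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, KDF);
}

// Encrypt the store with AES-256-GCM; the return value is everything that goes to disk.
function sealStore(masterPassword, credentials) {
  const salt = crypto.randomBytes(16); // public, unique per store
  const iv = crypto.randomBytes(12);   // fresh nonce for every encryption
  const key = deriveKey(masterPassword, salt);
  const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([cipher.update(JSON.stringify(credentials), 'utf8'), cipher.final()]);
  const tag = cipher.getAuthTag();
  key.fill(0); // best-effort wipe of the in-memory key
  const b64 = (buf) => buf.toString('base64');
  return { kdf: 'scrypt', ...KDF, salt: b64(salt), iv: b64(iv), tag: b64(tag), ct: b64(ct) };
}

// Decrypt with the master password; returns null on a wrong password or a modified file.
function openStore(masterPassword, record) {
  const raw = (s) => Buffer.from(s, 'base64');
  const key = deriveKey(masterPassword, raw(record.salt));
  const decipher = crypto.createDecipheriv('aes-256-gcm', key, raw(record.iv));
  decipher.setAuthTag(raw(record.tag));
  try {
    const pt = Buffer.concat([decipher.update(raw(record.ct)), decipher.final()]);
    return JSON.parse(pt.toString('utf8'));
  } catch (err) {
    return null; // GCM tag check failed, or the decrypted content was not valid JSON
  } finally {
    key.fill(0);
  }
}
```

Someone who copies the stored record still has to guess the master password and pay the scrypt cost for every guess, so the strength of that password sets the bound on the protection.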



