Make kwalletmanager5 a full security manager

It would be great if kwalletmanager5 were a full-featured security manager, supporting the following features:

  1. Supporting storing the key inside a Nitrokey/Yubikey
  2. Supporting a hotkey to be able to easily search for a user and password and copy it directly into, e.g., Falkon as well as the Firefox login dialog
  3. Supporting TOTP and HOTP via a hotkey to enter the full login information on any client
  4. Being able to sync/import/export (Plasma) Pass and KeePassXC
  5. Some future features to be opened with the login key, with no need to enter a dedicated GnuPG passphrase

What do you think?
Which features do you miss, or which would you also be happy to see available?


I agree mostly, but I would be wary of storing OTP codes and passwords together. You should choose to lock the OTP codes and passwords inside separate vaults with separate passwords.

The reason is that the OTP is a form of 2-factor auth, and hence should be kept separate from your main password. If passwords and OTP codes are stored together and an attacker gains access to this information, then the OTP codes are effectively moot.

You are right. But it should not mandate only one app, but rather something like a framework.

Especially if you have a PC with a TPM or Nitrokey/Yubikey or chip card reader or similar, you are able to have secure storage.

E.g. if I press hotkey A or B it should open A) the password store or B) the 2FA and can easily and securely include the related key.

I don’t like the idea of the login key opening anything in the Wallet, because if I walk away from my computer, forgetting to lock it, someone can dive in and access my passwords.

That is one of the things I dislike about the ‘wallet’ system on GNOME desktops. I always installed KWallet on GNOME desktops, so I could have a separately secure Wallet.

This is a topic which should be configurable.

But I always lock my PC if I leave it (training due to a law in our company, as HW privacy and security responsible). Additionally you can use your smartwatch or smartphone via BT to lock the wallet.

If you have a HW token like a Nitrokey/Yubikey it is a good idea to only temporarily connect it. Also it is possible to use e.g. KDE Connect as the enabler if no other HW token is available (so you need to enable the wallet via a real second factor!)

The benefit will be that no other desktop has at the moment a really full security concept integrated. Especially the combination of a smartphone with KDE Connect and a desktop app is very interesting, so no additional HW will be required!

There is sensible precedent for this. Windows uses their Credential Manager – accessible from control, since it’s a .cpl CLSID – for both Internet Explorer and Microsoft Edge (UWP and Chromium) in order to not duplicate the credential store.

For small projects such as Konqueror, Falkon, and Angelfish, having a single source of trust for credential storage is probably imperative to maintain security.

However, it might be even more important for KDE to implement something like Android’s

for automatic credential storage so that in the meantime, we can add support to already mature password managers.

I agree, but if the ‘framework’ is secure and well implemented, it shouldn’t be a big problem.

PS: Anyhow, I don’t love this company and its products, but Proton Pass implements a similar concept:

For me the ‘framework’ needs to ensure a secure way without using an insecure copy and paste or a clipboard.