Are passwords stored in plaintext?

Chocoholic · May 13, 2022, 12:44am

I think passwords are viewable in plain text at brave://settings/passwords but are stored encrypted. Brave decrypts the passwords when you are using the browser. There is a Brave GitHub issue report relating to implementing master passwords for Brave that has some interesting information about password encryption that you might want to look at.

github.com/brave/brave-browser

[Feature Request] Master password for Brave desktop versions

opened 05:14PM - 31 Dec 20 UTC

roeizavida

feature-request OS/Android OS/Desktop

As discussed in Brave community ([73627](https://community.brave.com/t/when-will…-there-be-a-master-password/73627) and [127332](https://community.brave.com/t/why-is-there-no-master-password-feature/127332)), I would like to request a master password feature for the desktop versions (similar to Firefox). Master password is a very important feature for a privacy focused browser, and it is very important to separate it from the operating system password as it can be hacked easily if the OS disk is not encrypted which is the case for most users. This is also an important factor in protection of the saved information (such as payment methods and passwords) as well as the accounts that are logged and remembered by sites. I can see that this feature exists in iOS (although it is limited to a 6 digits passcode) so it is only makes sense to add it to the desktop versions as well (but with the ability to use a much more complicated password).

I think this comment might help answer your question:

fmarier commented May 11, 2022

How does Brave provide encryption at rest for the userdata?

That does depend on what you mean by “rest”. It’s a little bit like data is encrypted at rest on a hard drive. It’s encrypted when the computer is off, but it’s not encrypted when the computer is on and you’re logged in and it’s also typically not encrypted when the computer is suspended.

In the case of Brave, it’s encrypted at rest when “rest” is defined as “you’re not logged in”. We use the OS keychain / keyring to automatically encrypt/decrypt passwords, cookies, etc. based on a key that is unlocked when you login.

If you want another layer of encryption, i.e. you want the browser to “rest” more often than that, then you need something else:

Third-party password managers will typically lock (i.e. it’s no longer decrypted in memory) the password database after a few minutes of inactivity, even when the browser is still running.

Firefox will unlock the password manager, cookie store, etc. at browser startup if you configure a master password. Then it will keep it unlocked until you close the browser IIRC.

If you want #1 now, then you can use a password manager. If you want #2 now, then you’d need to put your browser profile directory on an encrypted drive. On Linux for example, you can use the cryptmount command. I’m sure there are equivalents on Mac and Windows.

Both #1 and #2 increase the amount of time that the browser is “resting” for the purpose of not having the data be decrypted. They are definitely both valuable and it would be great to have them integrated in Brave, but I can’t give you a timeline for this since these are not quick fixes.

The post below is from a topic related to master password implementation. It addresses challenges to enabling the password database “to be encrypted at all times”:

Hope this helps!

Topic		Replies	Views
Secuity vuln: plaintext passwords (no ‘master pass’) Brave Feature Requests privacy , browser , design , feature-request	4	177	May 16, 2024
I can't find details about password storage security Feedback privacy , feature-request	3	1805	November 25, 2019
Where are saved passwords stored? Browser Support linux	3	6257	April 16, 2021
Information about the Password Manager	7	3088	September 1, 2023
Passwords in Brave Desktop Support windows	3	3630	June 21, 2023
Enabling 1password & Is it safe to store your password in brave browser? Beta Builds	10	4509	February 4, 2022
Wanting better saved-password security with Brave's built-in manager Desktop Requests	4	1051	August 2, 2019
Security: why could brave import Chrome's password w/o any password input from the user privacy	4	911	July 29, 2019

Are passwords stored in plaintext?

fmarier commented May 11, 2022

Related topics