I re-read the ‘before you post’ bit and realized that I once took a topic in a different direction (Password protect browser), which may not gather attention, and thought it was necessary to re-post it as an issue citing the concerns so users can also weigh in on the matter.
I had and I have a few concerns, a couple of issues and a handful of questions regarding the Built-in password feature.
I’ll begin by saying again that the kind of information that is visible and available as it is in about:passwords is slightly worrying. Personally, I think it could be severely damaging if the browser/PC was ever compromised or confiscated having already logged-in to the desktop.
After 1.0, when quite a lot of people begin using Brave more traditionally and don’t usually store passwords in other kinds of password managers and are prompted to do so in Brave’s Built-In version, they too may consider this to be a detrimental factor, which is why I created this topic/issue.
I’m sure you’re not hypocritical and that the brilliant team around you must use the products yourselves but I find it incredibly dubious that the team would ever think of leaving your PCs behind with the browser open or closed when all anyone has to do is enter about:passwords to retrieve information which can be used to either incriminate or be detrimental to an individual in general.
I offered a suggestion of designing it like the iPhone and enhancing the security in the form of a repetitive authentication standpoint by allowing users to create a simple password like the iPhone for the browser (for the current Built-In feature and future features) which would effectively be applied whenever a password of any kind on a website is required.
So on every website that a complex password has been created, GitHub, Email and so on, users can see the main password (**********) is set on the password bar (usually behind a yellow parameter) but the browser immediately prompts the user to enter the master password (*****) manually every time, which in turn would automatically enter the main password for that site.
However, if the password isn’t entered incorrectly, the website can’t be accessed at all, nor can the main about:passwords be completely visible (blurred preferably) unless the correct password (pin) is entered.
I think this will also be another excellent factor of Brave as I don’t think a single browser has even contemplated this as an option, whereby an entire website is either blocked unless the main pin is entered or eliminates the Built-In password feature on that website altogether if the input is incorrect or disregarded when prompted. It should be noted that these two options are of course dependent on the fact of a pin being created and a user’s choice of course when the options for it are created, once (hopefully not if) the feature is finally implemented and enhancements/recommendations are taken into consideration.
Perhaps in about:preferences#security you can input ‘PIN’ above ‘Data Privacy’ and under this you allow Security - Payments - Extensions (and future security orientated features/technologies), essentially making it invisible to guests and un-entered pin users (if that makes sense) once the password (pin) has been set for the browser. Please don’t think it to be like Google’s account sign-in method to sync data; this would be more simple and anonymous with no internet connection required, so sort of working like a client side encrypted container.
Personally, I would like it if you allowed Security - Payments - Extensions in about:preferences to be untouchable/invisible without the browser pin being entered depending on how you implement the PIN feature to work.
I sincerely believe this multiple layer of security can be of great benefit to the crypto-currency, password management, the whole browser technology side of things, especially the user.