Password management is BEWILDERINGLY non-secure!


My jaw is on the floor…I just noticed that anyone can simply open Brave preferences, go to “manage passwords”, and copy ANY password from the list with a single click. That password can be used to access any account that Brave has ever managed, and can be pasted as visible text into a document to reveal the password characters. There is no master password required to access this complete list of every password with every login name for every website Brave has managed. Anyone who takes custody of my computer can simply use Brave to copy, reveal, and use every single password! Simply using Brave makes us vulnerable to catastrophic identity theft and fraud if anyone simply opens Preferences and is allowed to enter the password management option without any security whatsoever.

Just to be sure it really is as bad as I suspected, I used iClipboard to watch in real time as each password I clicked became “live” unconcealed text in RAM.

FWIW, I found previous bug reports on exactly this issue going back to 2017, which means this hasn’t been addressed at all, leaving Brave users wide open.


Jaw No. 2 hits the floor with a clunk. I have just verified the truth of your contention about this unsuspectedly insecure feature of this trying-to-be-secure browser (which I have been using for a few weeks now). In this regard it seems to have roughly the privacy level of the self-defeating “Cone of Silence” on the 1960’s “Get Smart” show.

I remember seeing the passwored list after first opting to use password-management & unthinkingly assuming that the row of dots were safely just that, resistant to decoding.
I also seem to remember, though, that there were several different types of p.w.-mgmt. to choose from, in ascending order of security (& set-up complexity). I chose the simplest one until I could get more familiar with Brave. I can no longer find these alternate options to see if they’re less ridiculously insecure. Uh-oh – Mandela effect!! (Or more likely I’m confusing Brave with one of the other browsers I’ve tried over the past few months – does Opera have this kind of choice?)
Anyway, this copy-&-paste decoding method is plenty ludicrous, even a trifle fishy.
I don’t want to have to start wondering if Brave is just another spooky surveillance mechanism disguised as the alternative to that nefarious (& ubiquitous, alas) kind of thing. Cheers!


Just noticed the numerous other threads about this matter,
e.g. Master Password
Seems to be a pretty well-known issue, and evidently there
are external-app practical work-arounds until something is
implemented in the browser itself.

closed #4

This topic was automatically closed 60 days after the last reply. New replies are no longer allowed.