Security vuln: plaintext passwords (no ‘master pass’)

I believe it’s fair to classify this as a bug.

Passwords in Brave are stored in plain text, arbitrarily readable by anyone with access to the browser. Firefox addresses this by encrypting site passwords behind a ‘master password’.

Presumably this security hole has gone unplugged in Brave for so long because it requires some nontrivial overhaul of the underlying Chromium?

Please address, thank you

No they aren’t. The only time you see it in plain text is if you export passwords. If you go look at your passwords in the file location, they are encrypted.

Passwords are encrypted using your OS keyring. In other words, the password you use to use your device is what keeps it secure. If you try to go into your password manager, you’ll see they have to put in your OS password to view anything.

This here is your problem. Your user accounts should be password protected and never be logged in. You also shouldn’t be giving anyone access to those accounts. Why are you giving anyone access to any device and/or user account that has your personal information on it? That should only be done if you trust them.

And as to this point, it’s been addressed many times and already has existing feature requests. For example, below:

  • Noted re not being stored as plaintext.

  • Ubuntu does not prompt me for a system password to see my saved Brave passwords in the manager.

  • The user is not the problem. There are numerous scenarios where a non-primary user may have access to a machine with Brave on it. Even if one trusts that person, it doesn’t mean you necessarily want them to be able to see all your passwords. Seems like a no-brainer from a security standpoint.

  • Re issues on this being raised in previous years, clearly there’s demand from the community, and a major competitor has had this basic feature for years… so why the resistance to implement?


1 Like

As far as I remember from any conversations that have been had on the topic, this generally should not be the case. I’m also not familiar enough with Linux, so I hesitate on what I say, but I do know people have complained about how they had to have KDE set up for Brave to be able to save their passwords or even to allow them to sync passwords between devices.

What I am going to do is tag in @Mattches so he can see what you’re saying about being able to see all your passwords within password manager without it ever asking for your password or anything. And if I’m mixing anything up hopefully he’ll correct me. Especially if there’s anything different for how it works on Linux compared to Windows and other operating systems.

But could you also do a favor and respond with the information as requested below?

  1. What version of Brave are you using?

  2. Which channel did you get Brave from? I mean, is it from Brave’s native repository, Snap, Flatpak, or what?

Thank you

Version 1.65.123 Chromium: 124.0.6367.91 (Official Build) (64-bit)
from main Release Channel

1 Like