Security: why could Brave import Chrome's passwords without any password input from the user?

I am new to Brave. On Windows, when I clicked to import settings from Chrome to Brave, it just worked, and my password was copied to Brave without any prompt for a system key. How does it work, and does it mean the key storage is accessible to all the software on my computer?

Yep, the login info is normally stored in the “Login Data” database file here:

%APPDATA%/../Local/Google/Chrome/User Data/Default

The passwords are encrypted, but any app on your local machine can decrypt them.

Thank you for your reply. You said it could be decrypted by any app. Does that mean the key is accessible, or that the encryption algorithm is totally broken?

After some experience, this starts making sense to me. Just as on Linux, where many of the private keys are stored as files, it is simply unavoidable that locally running applications could read the key storage. Some system-level prevention could be done, but it could only mitigate, not remove, the risk.
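
Because any process running as the user can open that file, one defensive check is to watch which processes touch it. The sketch below is an added example, not part of the original thread and not Brave's or Chrome's code; the event field names (`image`, `target`), the allowlist and the sample records are constructed assumptions. A legitimate import by another browser is flagged too, which is the behaviour the thread describes.

```python
import ntpath
import re

# Chrome's credential store as named in the answer above, for any profile directory.
LOGIN_DATA = re.compile(
    r"\\appdata\\local\\google\\chrome\\user data\\[^\\]+\\login data(-journal)?$"
)

# Assumption: the only process expected to open the file in this environment.
ALLOWED_IMAGES = {
    r"c:\program files\google\chrome\application\chrome.exe",
}


def normalize(path):
    """Collapse '..' segments and mixed slashes, then lowercase for comparison."""
    return ntpath.normpath(path.replace("/", "\\")).lower()


def suspicious_reads(events):
    """Return events where a non-allowlisted process touched Chrome's Login Data."""
    hits = []
    for ev in events:
        target = normalize(ev["target"])
        image = normalize(ev["image"])
        if LOGIN_DATA.search(target) and image not in ALLOWED_IMAGES:
            hits.append(ev)
    return hits


# Constructed sample file-access records (hypothetical schema: image, target).
SAMPLE_EVENTS = [
    {"image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Default\Login Data"},
    # Same file reached through the Roaming/../Local form used in the answer.
    {"image": r"C:\Program Files\BraveSoftware\Brave-Browser\Application\brave.exe",
     "target": r"C:\Users\alice\AppData\Roaming/../Local/Google/Chrome/User Data/Default/Login Data"},
    {"image": r"C:\Users\alice\Downloads\tool.exe",
     "target": r"C:\Users\alice\AppData\Local\Google\Chrome\User Data\Profile 1\Login Data"},
    {"image": r"C:\Users\alice\Downloads\tool.exe",
     "target": r"C:\Users\alice\Documents\notes.txt"},
]

if __name__ == "__main__":
    for ev in suspicious_reads(SAMPLE_EVENTS):
        print("non-allowlisted access:", ev["image"], "->", ev["target"])
```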
