When Will There Be A Master Password?

Please implement the Masterpassword-to-unlock feature. As I can see, there are a lot of users who wish to have that also. I was even asked by a user I presented the browser to, so this is clearly missing for a security-oriented browser 🙂

5 Likes

This is a good hint, though this does not prevent a user from logging in to any sites which Brave has stored passwords for. The only thing which prevents that is either not having those passwords saved in Brave or having a Master password which needs to be typed in before the passwords get inserted in the websites. Right now it is possible to just go to a site and the passwords will be available to log in (hidden behind bullets, though I am not sure if certain “bullet unhider” programs might help with this problem 😃)

3 Likes

In the meantime, LastPass has been the best solution for me, but hell yeah, a Master Password storing local data linked by Brave Sync, all of them native Brave apps.

3 Likes

@fmarier I wanted to tag you as I think this subject is your forte. Hoping you can give input later on if this is a possibility or why it can’t/shouldn’t be available. I know you commented on something similar in the past, but I guess since it keeps resurfacing and this thread has been discussed since 2019, albeit with few comments, it makes me a bit curious if it’s a viable feature?

2 Likes

We do have an issue open for this feature request:

I definitely understand the desire for this kind of feature. In fact, a lot of people are using external password managers for that very purpose.

There are two main challenges with implementing such a feature in the browser:

  1. The user experience is tricky to get right. The Firefox equivalent for example has gone through several iterations and has never been something that the design team was happy with as far as I know. There are also some considerations around phishing.
  2. In order for the master password to be useful/effective, the password database needs to be encrypted at all times while the browser is running (except when auto-filling the password). I have not looked at the Chromium code, but I suspect that it assumes that it can read from the password database at all times and changing that assumption without breaking anything might be tricky.

So it’s not something we’re opposed to doing, but it’s also not a quick one.

6 Likes

I think Brave is seriously lacking a key privacy feature which is password locks for profiles.

These password/pin locks are perfect for if you work in shared housing and you want to keep all of your private accounts behind a profile with a lock on it so nobody can touch them or see them.

I’m also not the only one who wants this feature. There are multiple posts made by other users on this forum that have made posts requesting this feature, but their posts were met with no response.

Please add this feature to Brave.

1 Like

It has already been explained this kind of feature is extremely hard to implement correctly at the browser-level. If you have several people using the same computer at home, the best thing is to have a different OS profile for each of them.
If you have really sensitive info, use your browser in portable mode.

Not really what I was asking. I’ve seen the alternative methods and they do not work for my circumstances. I want a pin/password on my profiles, I’m requesting a feature.

It was what you’re asking, you just aren’t happy with the answer.

So your answer is similar to what he mentioned there. Whether it’ll come out or not is yet to be determined, but there are challenges with it.

Mainly because people duplicate the same requests and it gets tiring saying the same answer(s) over and over. Eventually you just stop replying and hope someone else refers to the answer or the people learn to search through for answers. And yes, searching for answers gets difficult when there’s the amount of people who post without searching first… which then leads to more questions that end up hiding the answers/replies.

That’s what Users are for on the OS. So you’d have one User account for each person. If you want to have a joint User where everyone can access all your files, then you’re never going to be fully secure. You’re saying there can be a fake layer of protection by having a username/password, but all of the information is actually stored on your device. So anyone wanting it just would go to your \brave-browser folder and grab any of your information from there, even with a locked profile.

In any case, they have open projects and may consider for the future.

NOTE

And yes, I get it. You’re saying you wish they would have it similar to how Brave Wallet is set up, where a password is required. There are many differences and reasons why it can’t be done, part of which I mentioned above, but at least wanting to say I understand what you’re saying.

You have already been told this is not doable. Google had it in Chrome for many years but never managed to get it working correctly so they ended up ditching it, they only kept it on Chrome OS because… it was handled by the OS. Do you think Brave can do better?

1 Like

I just want this to be added so Brave beats Firefox in https://www.mozilla.org/en-US/firefox/browsers/compare/

1 Like

It should apply on mobile as well… Imagine the enhancement on security if your master password works across all platforms!

1 Like

Quote from fmarier:
" There are two main challenges with implementing such a feature in the browser:

  1. The user experience is tricky to get right. The Firefox equivalent for example has gone through several iterations and has never been something that the design team was happy with as far as I know. There are also some considerations around phishing.
  2. In order for the master password to be useful/effective, the password database needs to be encrypted at all times while the browser is running (except when auto-filling the password). I have not looked at the Chromium code, but I suspect that it assumes that it can read from the password database at all times and changing that assumption without breaking anything might be tricky."

#1) USER EXPERIENCE: For years, I used the FF master password with absolutely NO impact on my “user experience” (except from the warm and fuzzy feeling that I got knowing that my passwords and logins WEREN’T HELD IN AN UNENCRYPTED DATABASE VISIBLE TO EVERYONE WHO WANTED TO SEE THEM).
Also, a comment on the phishing concerns. If someone is too ignorant to fall for a phishing attack, then perhaps being online is not for them.

#2) Why would any browser need to read from the password database AT ALL TIMES? At logins, sure, but why the need for “all times”?

Quote from fmarier:
“So it’s not something we’re opposed to doing, but it’s also not a quick one.”

Yes, apparently not “a quick one”, judging from the original request being made THREE YEARS AGO (and still counting).

2 Likes

Brave autofill feature is great, but is a potential security risk. Please, add an autofill master-password option – selectable in settings. If selected, a master password would be required when the browser launches and would unlock auto-fill. Without the password, auto-fill would be grayed out and completely inaccessible. This would make Brave’s autofill feature secure.

2 Likes

I believe this is exactly what helped immensely the guy who hacked me last week and stole a few of my accounts. He used my saved passwords from Brave. He started logging in to exactly the sites which I had saved in Brave.
In that moment I was also using Firefox where I have many passwords but it also has a complicated master password and those accounts didn’t get stolen.
Can’t believe Brave is so unsafe!

1 Like

New user and completely stunned that a browser whose entire value prop is safety omits this feature.

1 Like

Passwords are encrypted. Only way to access is if they have your OS password.

I would guess the standard user starts off with saving passwords on their browser. (Password managers are best but a major 1 has already been hacked). So another layer of security should be more important here.

When I started doing my research and becoming very concerned about security, I got away from Google to go to Brave. The security and privacy features are what interested me, the get paid for ads with B.A.T was a small bonus but had nothing to do with my decision. I know every person is different and wants different features. To me it just seems a lil more important than having yet another wallet that imho is really useless if you already have a good wallet.

And to elaborate: the last thing I ever thought I would be asked to create when I joined Brave was another wallet, especially when the wallet and the B.A.T. aren’t connected. You have to create a 2nd from only Uphold (which took over two weeks to reply 1 time to my issue) or Gemini. I have always believed in security practices like reducing your online footprint by not signing up for unnecessary things. Signing up for 2 more wallets doesn’t sound like a secure feature. And the two choices you have are not what I would consider very popular wallets, so yet again you’re creating a second wallet to what you may already have, just to add it to your Brave wallet. The wallet is a noncustodial wallet, which is not a bad thing, but imo it’s unnecessary for a browser that states “Brave has the strongest privacy & security protections of any popular web browser.” There are plenty of well reputable noncustodial wallets out there already. Would be cool to see features developed that go back to Brave’s roots. I definitely am not here to offend anyone, I’m just a user who only cares about privacy and security. Hopefully we don’t go many more years talking about a feature which you can find elsewhere.

It seems that even though most users feel this browser should have been built on a feature like this and lots of comments I have read in community say it’s more important than recent “features”, it seems like the few support responses are reasons why it’s not needed, instead of one more layer of security (especially for the average user that saves passwords here). I don’t know, I guess security and privacy features haven’t been on the devs’ minds recently, or maybe I have missed it.

Even though Firefox had this feature for years with weak encryption they finally did something about it but it’s been out for over a decade and it’s still just a request here. I guess they rolled out an extension in 2018 to improve the master pass so doing something is better than nothing with such a popular request that’s been active for 4 years now.

bleepingcomputer.com’s Catalin Cimpanu quoted:
The optimum solution, according to Palant, would be if Mozilla engineers would employ the Argon2 library for hashing passwords instead of SHA1.

Good work on the main parts of this browser though.
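
The two technical points raised in this thread, keeping the password database encrypted while the browser runs except at auto-fill time and using a memory-hard hash rather than SHA1 for the master password, shown together as an added example. It is not code from Brave, Chromium or Firefox: `sealVault`, `openVault`, `VaultSession` and the parameters are assumptions, and scrypt stands in for Argon2 because Node's standard library does not include Argon2.

```javascript
// Added example, not Brave/Chromium/Firefox code. Names and parameters are assumptions.
const nodeCrypto = require('node:crypto');

// scrypt (memory-hard) stands in for Argon2, which Node's standard library lacks.
const KDF_PARAMS = { N: 2 ** 14, r: 8, p: 1 };
const deriveKey = (pw, salt) => nodeCrypto.scryptSync(pw, salt, 32, KDF_PARAMS);

// Encrypt the whole login table; only salt, IV, ciphertext and tag are stored.
function sealVault(masterPassword, logins) {
  const salt = nodeCrypto.randomBytes(16);
  const iv = nodeCrypto.randomBytes(12);
  const key = deriveKey(masterPassword, salt);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(JSON.stringify(logins), 'utf8'), c.final()]);
  key.fill(0); // best effort: the password string itself cannot be wiped in JS
  return { salt, iv, ct, tag: c.getAuthTag() };
}

// Returns the login table, or null if the key is wrong or the vault was altered.
function openVault(vault, key) {
  try {
    const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, vault.iv);
    d.setAuthTag(vault.tag);
    return JSON.parse(Buffer.concat([d.update(vault.ct), d.final()]).toString('utf8'));
  } catch {
    return null;
  }
}

class VaultSession {
  constructor(vault) { this.vault = vault; this.key = null; }
  unlock(masterPassword) {
    const key = deriveKey(masterPassword, this.vault.salt);
    if (openVault(this.vault, key) === null) { key.fill(0); return false; }
    this.key = key; // from here until lock(), the key sits in process memory
    return true;
  }
  lock() { if (this.key) this.key.fill(0); this.key = null; }
  // Decrypt per request and hand back one entry for an exact origin match.
  fill(origin) {
    const logins = this.key && openVault(this.vault, this.key);
    const known = logins && Object.prototype.hasOwnProperty.call(logins, origin);
    return known ? logins[origin] : null;
  }
}

// Constructed sample data.
const demoVault = sealVault('correct horse battery staple',
  { 'https://example.test': { user: 'alice', password: 'constructed-sample' } });
```

Between `unlock()` and `lock()` the key is held in process memory, so this design protects the stored file and a locked session, not a process that is compromised while unlocked.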

My guess - you’re referring to LastPass. Yes, LastPass experienced a breach, but - this is critically important - I’m unaware of any user data the breach compromised.

Which leads to: third-party password managers provide what’s being requested in this thread, and they do it without tethering the user to a specific ecosystem.

1 Like

They aren’t the only ones. I had linked to these a while back. Perhaps you want to check them out.

Might also want to check out https://arstechnica.com/information-technology/2023/02/lastpass-hackers-infected-employees-home-computer-and-stole-corporate-vault/

The hacked DevOps engineer was one of only four LastPass employees with access to the corporate vault. Once in possession of the decrypted vault, the threat actor exported the entries, including the “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

Also rephrased at https://www.kiplinger.com/personal-finance/lastpass-hack#:~:text=Risks%20for%20LastPass%20users,of%20your%20entire%20password%20vault.

Update: LastPass’ data breach woes continue… In a March 1 update, LastPass announced that the hacker behind the previous breach (August 2022) has hacked a senior engineer’s home computer and obtained access to a critical corporate vault available to only four top employees.

The vault gave the hacker access to a cloud-storage environment that contained encryption keys for 30 million customer vault backups stored on Amazon web servers, as well as “decryption keys needed to access the AWS S3 LastPass production backups, other cloud-based storage resources, and some related critical database backups.”

So, to recap, one hacker or hacker group now has encrypted copies of every LastPass customer’s password vault, along with the most sensitive internal company secrets and digital access credentials.

2 Likes