7twenty

No verification in Passkeeper using Guest account

7 posts in this topic

Posted (edited)

Was brought to my attention that there's no user verification when accessing Passkeeper using a Guest account. Assuming you have access to an unlocked device and can open Maxthon, someone may potentially have full access to all of a users passwords.

As far as i'm aware it's been like this since MX3, possibly earlier, but after digging around it seems other browsers do have security checks for guest accounts.

Other browsers (in order of best to worst implementation):
Chrome & Opera (and probably all Chrome clones?) ask for the users windows password to verify before showing.
Edge manages through the Control Panel>Manage web credentials, requiring the users windows password before showing.
Vivaldi doesn't show passwords at all, so you can't really manage them. (best in regards to security, useless for management)
Firefox hides them by default, with an option to show with no verification - unless a master password has been setup.
MX hides them by default, with an option to show with no verification.

Will be nice to hear a response as to why MX has opted for none, and if it might be an option to add at some stage.

In the case of the Chrome/edge options, it's a system level verification, in that if you know the password to access the system you'll still get access to the passwords. Given the way it works having an extra verification offers no extra security over locking the user account when not in use. Regardless it's still more secure than having nothing.

Edited by 7twenty
revised Firefox implementation
2 people like this

Share this post


Link to post
Share on other sites

Nothing is safe if i enter your computer i will stole all your passwords encrypted or not

Share this post


Link to post
Share on other sites
4 hours ago, karajan said:

Nothing is safe if i enter your computer i will stole all your passwords encrypted or not

So don't bother with any sort of security?

If you can't access my computer then you can't get anything, which is what was stated in the last paragraph. What the extra verification does is stop anyone that shouldn't have access to that system accessing MX passwords. If they don't know the password for the user account, they won't know the password for the extra verification.

Share this post


Link to post
Share on other sites

Posted (edited)

4 hours ago, karajan said:

Nothing is safe if i enter your computer i will stole all your passwords encrypted or not

Another thing is what you can do with them :-)

It is true that any encryption can be broken, as long as you have time and resources, and depend on the encryption you have, which takes a few minutes or several years and many resources

And as it says  @7twenty, so that bother to have lock at home, or in the car, if total, all can be opened.

 

12 hours ago, 7twenty said:

Firefox is the same as MX, hides them by default, with an option to show with no verification.

 

I think at least you can put a master pass

Edited by pantantrollo

Share this post


Link to post
Share on other sites
23 minutes ago, pantantrollo said:

I think at least you can put a master pass

Yep, just checked. Have updated the OP.

Share this post


Link to post
Share on other sites

I have always asked for security in several times my friends. :(

Share this post


Link to post
Share on other sites

Reported to the product team as a request. :Smiling_Face_Emoji_with_Blushed_Cheeks_42x42:

Share this post


Link to post
Share on other sites