
I just ran LaZagne on my Ubuntu desktop computer. It is a Python program that scans the computer to find passwords.

It found 14 passwords, and some of them are still active. I changed most of them. By running the program with option -v, we can see where the passwords are found.

All of the passwords are found with Libsecret. According to the GNOME wiki for libsecret:

libsecret is a library for storing and retrieving passwords and other secrets. It communicates with the "Secret Service" using D-Bus. gnome-keyring and ksecretservice are both implementations of a Secret Service

  1. What is this library? 
  2. How can I secure my passwords?

1 Answer


libsecret is working as intended. It might be the intention that is at odds with your use case.

The "Secret Service" allows a user to store, e.g., passwords in a way that they are easily accessible for the logged-on user, but very hard to access by someone else.

If your computer is physically taken (while you are not logged in) or the hard disk drive copied, then the attacker must break some serious encryption to access your passwords, as he can't access them via D-Bus. If a web server running on your machine (under another user) is hacked, the attacker can't access your passwords via D-Bus, as they have the wrong login.

But if a program started by you running under your account requests it, the password will be easily accessible. This is why LaZagne was easily able to fetch them.

This allows for a compromise between security and convenience that is very often acceptable to the typical user, but it might not be acceptable for you. You can easily avoid storing your passwords in keyring or friends, by just not using the feature to store passwords, or by using software that is not integrated with libsecret.

  • You can start keyring, this will give you a list of stored passwords and keys, you just right-click to delete them from the store. Commented Feb 24, 2020 at 9:32
  • Great. I purged all passwords. I feel better now. LaZagne now finds 0 passwords.
    – chmike
    Commented Feb 24, 2020 at 9:35
  • It does seem to get access to the two private keys I have. I can’t avoid this. The keyring application shows the private keys. But if I delete them, it deletes the id_xxx files from .ssh. Thankfully, I had a backup. LaZagne keeps saying that it got the secret keys. But when I try to login on the remote server by using the key, I’m asked for the password.
    – chmike
    Commented Feb 24, 2020 at 10:47
  • Gnome keyring integrates with .ssh - if you want to avoid it accessing your keys, you need to store them elsewhere. As an alternative you can set up a master password for keyring. Commented Feb 24, 2020 at 10:52
  • After further investigation, LaZagne reports private keys that are protected by pass phrase as found passwords. Strange thing is that it doesn’t report a private key without pass phrase. Also, if I use ssh-agent, it doesn’t report the registered keys.
    – chmike
    Commented Feb 24, 2020 at 15:42
