
Password Manager requires authentication only once and then reveals the passwords until application restart #32194

Open
AnK26-616 opened this issue Aug 11, 2023 · 2 comments

Comments

@AnK26-616

Description

To show the stored passwords, Brave Password Manager requires user authentication - which is good. However, it asks for that only once. After the user provides the credentials (e.g. via Windows Hello), all the passwords are accessible without any further authentication / prompt until the application is restarted. That leaves all the passwords easily readable for anyone accessing the computer. Closing the tab, waiting a couple of minutes, or locking the machine does not affect that state. Once authenticated, Password Manager seems to stay in that mode forever. This issue is present only in the (Windows) Desktop version (1.56.20) but not in the equivalent Android one.

Steps to Reproduce

  1. Go to 'Settings'
  2. Choose 'Autofill and passwords'
  3. Click on any password stored there to reveal / edit it.
  4. If you have not done that before (since the app was restarted), you will be asked for credentials.
  5. Leave the settings tab, or wait a few minutes, or close the tab, or lock/unlock the machine, or any combination of these.
  6. Repeat steps 1-3
  7. Brave will not ask for the authentication anymore.

Actual result:

No specific screenshots can be provided. Passwords are revealed every time the user clicks on them without additional authentication (assuming it was already done once for the "session").

Expected result:

Brave should ask for user authentication every time the user tries to reveal any password, or at least every time the Password Manager is accessed. Or, simply put, Brave Password Manager on the Windows desktop version should behave the same way as on Android.

Reproduces how often:

Easily reproduced

Brave version (brave://version info)

Brave | 1.56.20 Chromium: 115.0.5790.171 (Official Build) (64-bit)
Revision | cf9067bf10d8f798c24643029af1d24e275646d6-refs/branch-heads/5790@{#1924}
OS | Windows 11 Version 22H2 (Build 22621.2134)

Version/Channel Information:

The Beta version of the Brave desktop browser (I think 1.57.20) behaves the same way. The Nightly channel was not tested.
The production version of the Android browser (1.56.20) behaves properly, asking for permissions / user authentication every time a password is displayed.

Other Additional Information:

Shields and Rewards do not seem to impact this issue at all.

Miscellaneous Information:

None

@AnK26-616 (Author)

For the 'Expected results' - the solution might also be to create an option to define after how many minutes the Password Manager is locked, the same way as it is implemented for Brave Wallet.

@AnK26-616 (Author)

Plus one more update: Brave seems to properly "forget" the credentials given to open Password Manager after a long time (long meaning, e.g., the next day). Still, when tested in "let's try after 10 minutes" mode, it does not work properly, as described.
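To make the two behaviours discussed in this issue concrete (the reported once-per-process gate in the report and the timed lock suggested in the first comment), here is an added Python model of the reveal-password gate; it is constructed for this thread and is not Brave's code. The timeout value, the `clear_on_lock` flag and the event sequence are assumptions chosen to mirror the reproduction steps.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed model, not Brave's code: the gate deciding whether revealing a
# stored password must first show the OS credential prompt (e.g. Windows Hello).


@dataclass
class RevealGate:
    timeout_s: Optional[float]          # None = prompt once per process (reported behaviour)
    clear_on_lock: bool = False         # whether tab close / workstation lock forgets the auth
    last_auth: Optional[float] = None   # time of the last successful prompt; None = never/forgotten

    def reveal(self, now: float) -> str:
        """Return 'prompt' if the user must re-authenticate now, else 'cached'."""
        expired = (self.last_auth is not None and self.timeout_s is not None
                   and now - self.last_auth > self.timeout_s)
        if self.last_auth is None or expired:
            self.last_auth = now  # assume the credential prompt succeeds
            return 'prompt'
        return 'cached'

    def lock(self) -> None:
        """Explicit invalidation event (workstation lock, settings tab closed)."""
        if self.clear_on_lock:
            self.last_auth = None


Event = Tuple[str, float]  # ('reveal', t) or ('lock', t), t in seconds since first reveal


def simulate(timeout_s: Optional[float], clear_on_lock: bool, events: List[Event]) -> List[str]:
    """Replay the events against one gate and return the outcome of every reveal."""
    gate = RevealGate(timeout_s, clear_on_lock)
    outcomes = []
    for kind, t in events:
        if kind == 'reveal':
            outcomes.append(gate.reveal(t))
        elif kind == 'lock':
            gate.lock()
        else:
            raise ValueError(f'unknown event {kind!r}')
    return outcomes


# Constructed replay of steps 1-7: reveal, reveal after 5 min, reveal after 10 min, lock, reveal.
STEPS: List[Event] = [('reveal', 0), ('reveal', 300), ('reveal', 601), ('lock', 602), ('reveal', 603)]

if __name__ == '__main__':
    print('reported (once per process):', simulate(None, False, STEPS))
    print('suggested (10 min + lock)  :', simulate(600, True, STEPS))
```

With a very large timeout and `clear_on_lock=False` the same model also reproduces the "forgets by the next day" observation in the last comment.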
