[Feature Request] Master password for Brave desktop versions #13350

Open
roeizavida opened this issue Dec 31, 2020 · 47 comments

@roeizavida

As discussed in Brave community (73627 and 127332), I would like to request a master password feature for the desktop versions (similar to Firefox).

Master password is a very important feature for a privacy focused browser, and it is very important to separate it from the operating system password as it can be hacked easily if the OS disk is not encrypted which is the case for most users.
This is also an important factor in protection of the saved information (such as payment methods and passwords) as well as the accounts that are logged and remembered by sites.

I can see that this feature exists in iOS (although it is limited to a 6-digit passcode) so it only makes sense to add it to the desktop versions as well (but with the ability to use a much more complicated password).

@roeizavida roeizavida added OS/Android Fixes related to Android browser functionality OS/Desktop labels Dec 31, 2020
@LorisTecnology

also with a fingerprint login would be great

@trev-dev

trev-dev commented May 5, 2021

I currently use Bitwarden as my password management solution and it has everything we need here. Not to distract from Brave getting the same features, I feel like Bitwarden is a great model to look at.

https://github.com/bitwarden

@Brave-Matt

+1 from Community:
https://community.brave.com/t/braves-login-pw-functionality-is-really-not-working-for-us-and-free-is-not-working-for-us/253396/5

@KamilSJaron

yes please

@doodaddy64

I'm in the middle of moving my password management to Brave and this feature would be important for me to go all-in. Basically, if I'm going to have Brave fill in a bank or other financial password, I'd like to be asked for a master password first (similar to LastPass).

@snakysnake

I want a master Password too. This is an important feature to add as you want your customer to see how you value their most sensitive information!

@zv09

zv09 commented Jan 3, 2022

Agreed. I am using BB for my desktops at home and on servers for my projects, for syncing some data.
There are other admins who can get access to the admin console and get inside my Brave browser settings and data.
A master password to lock the entire profile or the browser altogether is a critically necessary feature that must come as soon as possible, and even more so if crypto things are being developed inside BB...

@karimalishamsi

I want a master Password too. This is an important feature to add as you want your customer to see how you value their most sensitive information!

@REVENTOR-EU

Would be a great feature.

@mazispider

plz include master password for brave browser

@jondaley

jondaley commented Feb 3, 2022

As Francois mentioned in the community discussion (#73627), Chromium might expect to have access to the password database all the time, but simply adding a master password when Brave starts shouldn't have too many side-effects like that? Then as long as I close the browser, I know my passwords are secure.

That is how I use it on Chrome, and it works pretty well, I think. I do wonder about malicious extensions being able to get to it after the master password is typed in, but I'll try to not install any... :)

@dspinhirne

As others have stated, this is the "killer feature" for me that prevents me from using the browser as my primary. It would be good to take this a step further than firefox and have an "aggressive" setting for this that forced me to enter the password on each instance of login to a site (rather than just at browser startup).

@m77e4t

m77e4t commented Feb 25, 2022

Edge (chromium) has just added master password on their beta channel.
https://docs.microsoft.com/en-us/deployedge/microsoft-edge-relnote-beta-channel#version-89077418-february-3
https://www.ghacks.net/2022/02/25/microsoft-edge-100-primary-password-support-and-pdf-thumbnail-view/
https://www.windowscentral.com/microsoft-edge-beta-testing-out-feature-improve-browser-security

They already had an indirect master password feature, where the user is asked to input his Windows password as master password (opt-in). Microsoft integrated Edge with Windows security and both of them used the same password. But, now they added a dedicated master password for their in-built password manager.

https://invidious.kavin.rocks/watch?v=G6zGupsRwNQ&nojs=1 The video from Microsoft lists their previous features (which are pretty good). Firefox also has a really great password manager along with their Firefox Monitor (which gets its data from Have I Been Pwned).

Brave is way behind in this important department; as regular users normally use the in-built browser's password manager rather than a dedicated password manager like Bitwarden, 1password, LastPass etc (usually they do not know that such products exist).

@Kunalgroy

Though Bitwarden, 1password is a very alternate solution as of now, but nowadays we create multiple profiles every day on different websites; the majority of them could be junk or one-time use. So having a built-in safety in the browser helps a lot. Also with the Brave Sync option the browser data is shared across my Android phones, Windows PC and Ubuntu laptop. We can secure the Android app with a fingerprint. But the saved passwords remain vulnerable on PC/Linux systems. Hence a Master Password / Primary Password is very much needed in Brave.

@B1773rm4n

I recently switched fully from Firefox to Brave. Now I found out that this essential and necessary feature is missing. Guess it was a mistake to change. It should have been possible to implement this feature within the last year as this issue is already old.

@fmarier you closed issue #20794 but still haven't replied here. What is your opinion on this topic as Security engineer at Brave?

@fmarier
Member

fmarier commented May 9, 2022

> What is your opinion on this topic as Security engineer at Brave?

It would be a great feature to have. It's not a quick one however because there are lots of technical implications and corner cases to not having the password manager be available at all times and there are important user experience considerations as well.

Until such a facility is available in Brave, we recommend that users wanting this functionality install a third-party password manager since most of them come with such a thing.

@B1773rm4n

Hello @fmarier,

I'm worried there is a misunderstanding about the functionality of the master password in Firefox.
For me the primary concern is that the browser data is encrypted at rest. This is done in Firefox via the master password.
How does Brave provide encryption at rest for the userdata?

Furthermore, I want to be able to only enable access to Brave via a password, as an additional security layer to the regular OS account login.

Your suggested third-party password manager doesn't have anything to do with the stated use cases. Please clarify.

@m77e4t

m77e4t commented May 11, 2022

> Your suggested third-party-password manager doesn't have anything to do with the stated use cases. Please clarify

Password managers also encrypt your passwords the same way firefox master password does.
I would say that it does a far better job than the firefox master password encryption.

> Furthermore I want to be able to only enable the Brave access via an password as additional security layer to the regular OS account login.

Meaning you want something like applock. A password (PIN) needs to be entered for the browser to open and function?
I too ask for this specific feature. A lot of applications, specifically on Android, have an in-built PIN entry to open, like banking apps and privacy-focused email clients.

Considering that Brave deals with cryptocurrency via widgets directly (uphold, gemini, binance, ftx widget), it would be appropriate for the browser to have an app-lock functionality.
A lot of important data currently resides in any browser, but specifically the Brave browser, as it deals with cryptocurrencies directly from it. As the Brave browser is a privacy-focused browser, it would be appropriate for it to have an app-lock.

I would suggest that others use a password manager instead of Brave browser password management currently, due to specific password manager benefits over Brave's, like encryption, random password generation, API check via haveibeenpwned, random username generation etc.

I ask (request) the Brave team to focus resources on this important feature compared to other things like sidebar or UI change. Proper password management is an important feature from the privacy/security side and Brave should focus on it a lot more compared to the above other things since it is a 'privacy browser'.

@B1773rm4n

> Password managers also encrypt your passwords the same way firefox master password does. I would say that it does a far better job than the firefox master password encryption.

I never intended just passwords. Browsers collect plenty of information (cookies, storage, history, bookmarks, etc.) which should be protected at rest. I want all of the information the browser collects safe from access. A password manager has nothing to do with that. I don't store my passwords in a browser at all.

@fmarier
Member

fmarier commented May 11, 2022

> How does Brave provide encryption at rest for the userdata?

That does depend on what you mean by "rest". It's a little bit like data is encrypted at rest on a hard drive. It's encrypted when the computer is off, but it's not encrypted when the computer is on and you're logged in and it's also typically not encrypted when the computer is suspended.

In the case of Brave, it's encrypted at rest when "rest" is defined as "you're not logged in". We use the OS keychain / keyring to automatically encrypt/decrypt passwords, cookies, etc. based on a key that is unlocked when you login.

If you want another layer of encryption, i.e. you want the browser to "rest" more often than that, then you need something else:

  1. Third-party password managers will typically lock (i.e. it's no longer decrypted in memory) the password database after a few minutes of inactivity, even when the browser is still running.
  2. Firefox will unlock the password manager, cookie store, etc. at browser startup if you configure a master password. Then it will keep it unlocked until you close the browser IIRC.

If you want #1 now, then you can use a password manager. If you want #2 now, then you'd need to put your browser profile directory on an encrypted drive. On Linux for example, you can use the cryptmount command. I'm sure there are equivalents on Mac and Windows.

Both #1 and #2 increase the amount of time that the browser is "resting" for the purpose of not having the data be decrypted. They are definitely both valuable and it would be great to have them integrated in Brave, but I can't give you a timeline for this since these are not quick fixes.

@m77e4t

m77e4t commented May 14, 2022

I got confused for a bit. There are two cases here,
i.) Master Password for the in-built password manager and
ii.) Master Password for the entire brave browser.

I wrote about the Edge browser password management thinking the issue was for the First case, my fault, I should have read the issue properly.

So, two separate issues should be created, as these feature requests are quite different from one another.

@Egon099

Egon099 commented Oct 26, 2022

Yeah.
Would like the profile to be encrypted, and opening it would ask for the password. So even if someone else uses the computer they can't use my profile or see my data. Entire profile, including bookmarks and history and so on.
Would be nice at work, for example, since several people use the same computer.

@lazymonkey2

@Egon099
Yes.
In addition I'd like to copy the profile to a different computer, enter the password and be able to use it.
This way I could make a backup by simply copying the profile to a backup disk.

I believe that right now it's not completely possible, at least on Windows, because there are some parts of the profile tied to the Windows installation.

@Egon099

Egon099 commented Oct 26, 2022

@424344
It doesn't actually have to be the entire profile, technically. Just the data like cache, bookmarks, cookies, history, etc.
Profile name and settings themselves don't specifically have to be encrypted, I guess.

@Malachiel87

I feel the Brave desktop manager needs to have a master password for accessing the pass list (view/edit/delete); that would be a great feature.

@dspinhirne

Based on some of the comments above, it seems as though the built-in pw manager in chrome/brave may never be a very workable solution. I like 3rd party solutions such as bitwarden, but dislike them integrated as a plugin. Maybe a better solution would be for brave to build a better pw manager as a native solution and outright ditch the current pw manager. Maybe something similar to the built-in crypto wallet. For me, this would mean 1 less browser plugin and 1 less app on my phone.

@tur11ng

tur11ng commented Mar 19, 2023

Since the passwords are encrypted at rest, instead of using a random seed to derive the password why not combine the random seed with a user provided password in an opt-in feature and lock the password vault every X time?
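
A sketch of the scheme suggested in the comment above, added here as an illustration; it is not part of the thread and not Brave's or Chromium's code. The vault key is derived from both an OS-keyring seed and a user password via PBKDF2, and the in-memory key is dropped after an idle timeout. `derive_vault_key`, `LockableVault`, the iteration count and the timeout are assumptions made for the example.

```python
import hashlib
import hmac
import time

PBKDF2_ITERATIONS = 600_000  # assumed work factor for this sketch
CHECK_LABEL = b"vault-key-check"


def derive_vault_key(os_seed: bytes, password: str,
                     iterations: int = PBKDF2_ITERATIONS) -> bytes:
    """Stretch the password with the OS-held seed as salt; both are required."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"),
                               os_seed, iterations)


class LockableVault:
    """Holds the derived key in memory only while unlocked and recently used."""

    def __init__(self, os_seed, password, idle_timeout_s,
                 clock=time.monotonic, iterations=PBKDF2_ITERATIONS):
        self._seed, self._iterations = os_seed, iterations
        self._timeout, self._clock = idle_timeout_s, clock
        key = derive_vault_key(os_seed, password, iterations)
        # Persist only a check value derived from the key, never the key itself.
        self._check = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
        self._key, self._last_used = None, 0.0

    def unlock(self, password: str) -> bool:
        key = derive_vault_key(self._seed, password, self._iterations)
        tag = hmac.new(key, CHECK_LABEL, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._check):
            return False
        self._key, self._last_used = key, self._clock()
        return True

    def lock(self) -> None:
        # Drops the reference; Python cannot guarantee the bytes are wiped.
        self._key = None

    def key(self):
        """Return the key, or None if locked or idle past the timeout."""
        if self._key is None:
            return None
        now = self._clock()
        if now - self._last_used >= self._timeout:
            self.lock()
            return None
        self._last_used = now
        return self._key


if __name__ == "__main__":
    seed = bytes(range(32))  # constructed stand-in for a keyring-protected seed
    vault = LockableVault(seed, "correct horse", idle_timeout_s=300)
    print(vault.unlock("wrong guess"), vault.unlock("correct horse"))
```

With this construction, a process that can read the OS-keyring seed still has to guess the password to obtain the key, but anything running in the browser while the vault is unlocked can use it until the timeout fires.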

@CyberKenneth

CyberKenneth commented Mar 21, 2023

This needs to be standard in Chrome and every browser. However, I see it as a way for Brave to lead the way. As a Cyber Sec. Engineer in training I keep my eyes on threats, and we have a new type of malware that steals passwords from browsers and gathers passwords, credit cards, other autofill data, computer configuration and software info, 2FA data and backup codes, and a lot more, and sends it back as a compressed file.

One example of this is called Erbium and showed up July 2022. There is a response of someone here who was hacked by a version of this so it is relevant to the community.

Please search these terms " Erbium Stealer Malware Report Executive Summary " by Cyfirma only if you can’t find it then use the url below. Remember not to click links online; instead find the organization independently through trusted channels when possible. Though I think this is important enough that people need to know URL: https://www.cyfirma.com/outofband/erbium-stealer-malware-report/

@kasparpalgi

+1 for master password

@alexbeewise

+1 for master password!

@TheWitchySarz

+1 for master password! Just like the iOS version of the app! :) Also implement it so that on MacBook we can use Touch ID to enter it!

@Lab5-Switzerland

Absolute must-have!
Doesn't have to be perfect for starters, since everything is better than nothing!

@vimfn

vimfn commented Jul 5, 2023

Yea it will be a great addition.

@JiffB

JiffB commented Aug 22, 2023

Hi, I agree with a general password AND internal encryption of user/password(s), which is only the most basic of security and privacy.

However, seeing that the OP dates back to 2020-12-31 and that absolutely nothing has been done since, my contention is it is probably a 3-letter agency (gag or not) order… One thing is therefore absolutely sure, Brave is not developed with security and privacy of its users as first goals.

This is weird and worse, unprofessional, so I go back to Firefox, which is far from being perfect but at least doesn't take its users for a negligible quantity.

@symonxdd

Yes, +1!

@sinanisler

as long as this feature is not added will not use brave.

thanks for the amazing work team.

@AkechiShiro

Any news on this feature ?

@sinanisler

best Privacy Browser but there is no master password. 😉

@brookssw

brookssw commented May 1, 2024

would love to see an update on this

@AkechiShiro

Moved to firefox until this feature rolls out on Brave, I think this is very important.

@AkechiShiro

AkechiShiro commented May 9, 2024

Maybe this issue should be pinned @Brave-Matt so it is clear that this aspect of security is not the priority at the moment but other features.

@vimfn

vimfn commented Aug 3, 2024

> Yea it will be a great addition.

I still think it'll be a great addition. By the way, for those commenting here, I recommend considering a password manager like Bitwarden (which can be self-hosted) or my current choice, pass. You can also explore other options that you think might be better. There are extensions and ways to make it as seamless as possible. This approach is far more secure than relying on a browser to manage your passwords.

EDIT: I'm not saying Brave shouldn't add this feature. In fact, most users will likely stick with the default option, so it's essential to make it as secure as possible.

@imgustavo

I need this, please

@BostiSlak

I would like this option

@elfoteo

elfoteo commented Oct 15, 2024

I would like it

@cfrc

cfrc commented Nov 9, 2024

Just came from Firefox 10 minutes ago, and will likely go back given the lack of this feature.

@bsclifton
Member

bsclifton commented Dec 1, 2024

cc: @rebron for priority triage

@timchilds timchilds removed their assignment Dec 4, 2024
@timchilds timchilds removed the OS/Android Fixes related to Android browser functionality label Dec 4, 2024