Seahorse passwords are still decrypted when screen is locked
Submitted by Konstantin Weitz
Link to original bug (#686127)
Description
From my understanding, a user's keyring is encrypted with this user's Unix account password. Whenever a user logs in, his keyring is decrypted using the password entered on login.
A normal user would expect that locking his screen protects his passwords, i.e. that his decrypted passwords are deleted. The passwords can then easily be decrypted again with the password needed to unlock the screen.
Unfortunately, this is not the case. When the screen is locked, the decrypted passwords are not deleted. This makes the system vulnerable to bugs in the lock screen, such as http://lwn.net/Articles/477062/.
The fact that the decrypted passwords are not deleted can easily be seen by simply enabling X's Grab Break key combination and killing the lock screen. All passwords are still accessible.
Version: 3.4.x