Security – Ubuntu Stores Your Wi-Fi Password in Clear Text

Last updated: December 27, 2013

Wifi Security problem in Ubuntu

A user has pointed out on the mailing list that Wi-Fi passwords in Ubuntu are not encrypted, because they are stored in a folder outside of Home, and it is the Home folder that can be encrypted during the installation of the operating system.

> I recently stumbled over the fact that NetworkManager by default stores Wifi profiles *including clear text passwords* under ‘/etc/NetworkManager/system-connections/’.
>
> I think that is not what one expects when he/she turns on home folder encryption and should, because of that, be corrected somehow.

If you’re using the default Wi-Fi settings in Ubuntu Linux, open the Nautilus file browser as root (press Alt+F2, type gksudo nautilus, and hit Enter). You’ll then see the list of available Wi-Fi connections under Computer -> etc -> NetworkManager -> system-connections.

The password is shown as clear text in your Wi-Fi connection file.

An Ubuntu developer has explained that this issue is caused by the fact that the option “All users may connect to this network” is enabled by default. This means that unticking “All users may connect to this network” under network indicator -> Edit connections -> Select network -> Click edit -> General tab will fix this issue.
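An added example (not from the original post or the mailing-list thread): a small Python audit that reports which NetworkManager profiles carry a secret in the file itself, without printing the secret. It assumes NetworkManager's keyfile format, where the [wifi-security] section (spelled [802-11-wireless-security] on older releases) holds psk and psk-flags and the [connection] section holds permissions; those key names are not mentioned on this page, and the sample profiles are constructed.

```python
import configparser
import os
import sys

# Keyfile section names (the 802-11 form is the older spelling) and secret keys.
SECTIONS = ("wifi-security", "802-11-wireless-security")
SECRET_KEYS = ("psk", "wep-key0", "wep-key1", "wep-key2", "wep-key3", "leap-password")


def audit_profile(text):
    """Report on one profile; only key names are returned, never the secret."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(text)
    finding = {"id": cp.get("connection", "id", fallback="?"),
               # An empty permissions list means every user may use the profile.
               "all_users": not cp.get("connection", "permissions", fallback="").strip(),
               "cleartext": [], "psk_flags": None}
    for section in SECTIONS:
        if not cp.has_section(section):
            continue
        finding["cleartext"] += [k for k in SECRET_KEYS if cp.get(section, k, fallback="")]
        # psk-flags: 0 = secret stored in this file, 1 = kept by the user's secret agent.
        finding["psk_flags"] = cp.getint(section, "psk-flags", fallback=0)
    return finding


def audit_dir(path="/etc/NetworkManager/system-connections"):
    """Audit every readable keyfile in the directory (reading it needs root)."""
    results = []
    for name in sorted(os.listdir(path)):
        try:
            with open(os.path.join(path, name), encoding="utf-8", errors="replace") as fh:
                results.append(audit_profile(fh.read()))
        except (configparser.Error, OSError, ValueError) as exc:
            results.append({"id": name, "error": str(exc)})
    return results


# Constructed sample profiles, not taken from a real machine.
SAMPLE_SHARED = "[connection]\nid=HomeNet\n\n[wifi-security]\nkey-mgmt=wpa-psk\npsk=constructed-passphrase\n"
SAMPLE_PRIVATE = "[connection]\nid=HomeNet\npermissions=user:alice:;\n\n[wifi-security]\npsk-flags=1\n"

if __name__ == "__main__":
    found = audit_dir(sys.argv[1]) if len(sys.argv) > 1 else [
        audit_profile(SAMPLE_SHARED), audit_profile(SAMPLE_PRIVATE)]
    for f in found:
        print(f)
```

Run it as root with the directory as an argument, before and after unticking “All users may connect to this network”, to check whether the password actually left /etc on your release.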

softpedia

I'm a freelance blogger who started using Ubuntu in 2007 and wishes to share my experiences and some useful tips with Ubuntu beginners and lovers. Please comment to let me know if the tutorial is outdated! And, notify me if you find any typo/grammar/language mistakes. English is not my native language. Contact me via ubuntuhandbook1@gmail.com Buy me a coffee: https://ko-fi.com/ubuntuhandbook1

4 responses to Security – Ubuntu Stores Your Wi-Fi Password in Clear Text

  1. Is that really an issue? Not in my opinion. If you need root access to read this file, it is secure enough, to me. One can see all the wifi passwords stored on the computer in the network setting without even root access. I don’t see the fuss about it not being encrypted.
    It's similar to what I read a few months back when some ‘researcher’ pointed out that saved passwords in Chrome can be accessed by anyone and every tech and security blog went crazy as if it was the Eureka moment. I mean, an average user always knew about it, right?

    • Not exactly actually: the goal is the same as for the home folder encryption. “One can see all the wifi passwords stored on the computer in the network setting without even root access” –> you shouldn’t consider that the session is already opened, but that somebody has access to your computer when it is switched off for instance. Then he can boot it from a USB stick and look at all your unencrypted files without previously knowing any of your passwords. This can actually be done in less than a minute and does not require much knowledge, so I wouldn’t say that it is not an issue.
      I do agree it is not big news that Chrome does not encrypt passwords; there is absolutely no way to do it securely without asking the user for another unlocking password at each launch – and you don’t want to do that since users are lazy :-). However, if I am not mistaken, Chrome stores your passwords in the home directory by default in Ubuntu, meaning that they are actually encrypted in this case if you activated the home encryption.
      I hope this helps.

  2. > Which means, untick “All users may connect to this network.” under network indicator -> Edit connections -> Select network -> Click edit -> General tab will fix this issue.

    I concluded the same but could not verify it (Ubuntu 14.04). Did it work for you?

    • Same for me actually, the box is unticked but the password is still in /etc/…
      I guess that may be reported as a bug, if not already done.