
[Solved] Phone security: passwords are still shown after session is removed

  • Dear Opera team,

    I had an event where someone shared the phone lock screen PIN with a phone technician.

    I suggested logging out of all active Opera sessions in order to prevent any malicious "peek" at Opera's saved passwords.

    This is possible via:
    auth.opera.com/account/edit-profile -> Manage your logged Opera account sessions

    Even if removing all sessions worked, when the phone returned from repair, you could still check synchronized passwords by using the PIN. The only thing that changed was a message: "Sync is paused"

    I would suggest, for security reasons, that once a session is removed, everything that is synchronized between devices is hidden. This is to prevent such cases where the phone PIN is compromised.

  • @dario3004 Passwords are stored locally, encrypted using your OS login credentials and have nothing to do with the fact that you are logged in to your Opera account or not.

  • @leocg

    Thanks for the answer.

    With this approach there's no way to prevent all passwords from being leaked if OS credentials are compromised or if someone forgot to log off 'Opera sync' from a public device.

    I believe that a more secure approach would be to clear passwords (history, tabs, etc.) when a session is revoked.

    Hope that we'll see this security improvement in the future.

  • @dario3004 It seems that you are misunderstanding what synchronization is (for).

    Synchronization is not for you to temporarily access your data, but to allow you to have the same data on all your Opera installations on your computers.
    You should never log in to your Opera account, or to any account, on a device that is not yours. If it's absolutely necessary, do it in a private window/mode, make sure that password is being saved, and change the password as soon as you access your own computer. And have 2FA enabled in all possible services.

  • @leocg
    I believe the only misunderstanding was to use Opera password sync as a safe Password Manager instead of for the use case you explained.

    Thank you for the answer and explanations.