RE: [Solved] Phone security: passwords are still shown after session is removed

@leocg
I believe the only misunderstanding was to use Opera password sync as a safe Password Manager instead as the use case you explained.

Thank you for the answer and explanations.

@leocg

Thanks for the answer.

With this approach there's no way to prevent all passwords to be leaked if OS credentials are compromised or if someone forgot to log off 'Opera sync' from a public device.

I believe that a more secure approach would be to clear passwords (history, tabs, etc) when session is revoked.

Hope that we'll see this security improvement in the future.

@leocg Yes the password for Operating System user is in place. For the record I'm using Opera on Ubuntu.

Chrome on Ubuntu also doesn't require OS password to read stored passwords.

When using Opera for Linux, I can easily check saved passwords without an extra security request.

On other operating systems, before showing the password this happens:

• Windows: windows user password requested
• Phone: fingerprint or screenlock PIN

I would suggest to request user password (as it happens in Windows) to prevent a malicious peek of saved data if the computer is left unlocked.

Dear Opera team,

I had an event where someone shared the phone lockscreen PIN to phone technician.

I've suggested to logout to all active Opera session in order to prevent any malicious "peek" to saved passwords of Opera.

This is possible via:
auth.opera.com/account/edit-profile -> Manage your logged Opera account sessions

Even if removing all sessions worked, when the phone returned from repair, you could still check synchronized password by using the PIN. The only thing that changed was a message: "Sync is paused"

I would suggest, for security reasons, that once a session is removed everything that synchronized between devices is hidden. This is to prevent such cases where phone PIN is compromised.