Chromium saved passwords are viewable from preferences without any authentication

Hey all!

I’ve been using Manjaro Cinnamon since the start of this year, after a while using macOS. I use Chromium across Linux, macOS and Windows, and I’ve only just realised something about the saved passwords visible at chrome://settings/passwords. On macOS and Windows, clicking the :eye: next to a saved password for the first time in a session requires me to enter my macOS Keychain password, or on Windows, my PIN or fingerprint. On Linux, it just shows the password immediately.

I believe that Chromium is using gnome-keyring, because if I open seahorse (or ‘Passwords and Keys’), there’s an entry in the ‘Login’ keyring for ‘Chromium Safe Storage’.

My questions are:

  1. Is this the normal behaviour, i.e. everyone who uses Chromium on Linux has the saved passwords visible to anyone who uses the computer while it’s logged in, without requiring any password (unless you use a separate app like KeePass or something)?
  2. Is there a way to set up the macOS/Windows behaviour on Linux? The current behaviour feels slightly insecure, e.g. if I’m at the library and somehow forget to lock the screen if I get up for a minute.

I searched a bit to see if anyone’s had this ‘issue’ (although I realise not everyone cares about this behaviour) but I could only find people complaining that Chromium asks for their keyring password all the time, which is a problem I haven’t had.

That is normal - if you provided a blank password when the keyring was created.

But mostly the login keystore is unlocked when you log into your system and is thus open for the current user. This is a convenience.

But if you want to lock it you can use the package seahorse and then lock you login keystore.

Thanks! I think I understand. However, if I set a password for the login keystore, I am prompted for it when I open Chromium, and if I provide it, the passwords are then visible until I quit Chromium. I generally open a Chromium instance at startup and have it running all day, so what I would prefer is if the keystore was locked until I try to view a saved password, when it then asks for a password - this would be more secure if someone borrows the computer for a minute, and would match the behaviour of the Chromium saved passwords preferences page on macOS and Windows. Is it possible to configure this behaviour on Linux?