(In reply to Fabian Vogt from comment #5)
> > pam_kwallet is a huge step ahead in safety and usability. For example everyone using openSUSE on a notebook will probably store the wifi passwords safely in kwallet. But entering the user password twice on login is just senseless.
> (actually KWallet might not just be used for wifi, but for a lot more like
> ssh passphrases)
>
> That's the usability aspect, but not the safety one.

Actually, alternatively people may store passwords in plaintext. And so it becomes a security aspect.

> > And I suggest to simply default to blowfish. At least that's what the native KDE distro "Neon" does. https://neon.kde.org
>
> The distro which installed and enabled pam_kwallet by default before looking
> at the code, which was so bad it allowed everyone to become root? Not a
> great example...

Point taken.

> > Configuring GPG is also a little more work and maybe not something every KDE user wants to do. So by default there should be simply a KWallet being created with blowfish and made accessible via pam_kwallet. I think that's by far the best choice for increasing security and usability.
>
> I agree that making blowfish the default option is worth considering, but
> not hiding the choice altogether. This choice needs to be made upstream by
> KWallet devs though, not here in openSUSE.

Just created a ticket: https://bugs.kde.org/show_bug.cgi?id=413314

> pam_kwallet should not be installed by default, as using it means that the
> wallet has to be unlocked permanently after login, exposing all contents
> over DBus, even after locking the screen, suspend, etc.

That's a point. But the resulting user experience - especially regarding using encrypted wifis - is really bad. Any other ideas how to solve this!?