noPasswords: init

1 files changed, 27 insertions, 0 deletions

diff --git a/profiles/noPasswords.nix b/profiles/noPasswords.nix
new file mode 100644
index 0000000..9adceb7
--- /dev/null
+++ b/profiles/noPasswords.nix
@@ -0,0 +1,27 @@
+{ }: {
+  meta.description = ''
+    Prevent the user from storing any passwords in the browser.
+    This can be justified if the physical security of the device is uncertain, or
+    if the provider wants to avoid the responsiblity of storing such sensitive data.
+
+    However, the users alternatives must be considered: what will a user do without the
+    password manager?
+
+    Possible "alternatives" (from user perspective) include:
+      - Choose much weaker passwords
+      - Store the passwords in an unencrypted form (e.g. on the desktop)
+  '';
+
+  policies = {
+    # TODO: how exactly are passwords stored?
+    OfferToSaveLogins = false;
+    PasswordManagerEnabled = false;
+  };
+
+  preferences = {
+    # Ask for password every 15 minutes
+    security.ask_for_password = 2;
+    security.password_lifetime = 15; # minutes
+    signon.masterPasswordReprompt.timeout_ms = 15 * 60 * 1000;
+  };
+}