From 3be07423a3854cc993dc2a5fd76df375ab319a45 Mon Sep 17 00:00:00 2001
From: tilpner
Date: Sun, 5 Apr 2020 21:36:04 +0200
Subject: noPasswords: init

---
 profiles/noPasswords.nix | 27 +++++++++++++++++++++++++++
 1 file changed, 27 insertions(+)
 create mode 100644 profiles/noPasswords.nix

diff --git a/profiles/noPasswords.nix b/profiles/noPasswords.nix
new file mode 100644
index 0000000..9adceb7
--- /dev/null
+++ b/profiles/noPasswords.nix
@@ -0,0 +1,27 @@
+{ }: {
+  meta.description = ''
+    Prevent the user from storing any passwords in the browser.
+    This can be justified if the physical security of the device is uncertain, or
+    if the provider wants to avoid the responsiblity of storing such sensitive data.
+
+    However, the users alternatives must be considered: what will a user do without the
+    password manager?
+
+    Possible "alternatives" (from user perspective) include:
+      - Choose much weaker passwords
+      - Store the passwords in an unencrypted form (e.g. on the desktop)
+  '';
+
+  policies = {
+    # TODO: how exactly are passwords stored?
+    OfferToSaveLogins = false;
+    PasswordManagerEnabled = false;
+  };
+
+  preferences = {
+    # Ask for password every 15 minutes
+    security.ask_for_password = 2;
+    security.password_lifetime = 15; # minutes
+    signon.masterPasswordReprompt.timeout_ms = 15 * 60 * 1000;
+  };
+}
-- 
cgit v1.2.3