Ticket #5802 (new defect)

Opened 2 years ago

Last modified 2 years ago

Change password feature works incorrectly for ICQ (and maybe other) accounts. It does not test whether the original password is correct.

Reported by: vkhandus Owned by: MarkDoliner
Milestone: Component: ICQ
Version: 2.4.1 Keywords: password
Cc:

Description

Procedure/Details:

1. Account->(select existing ICQ account)->change password
2. In Original password field type what you want (not the real password)
3. Type and confirm new password
4. Press OK button

Result: Password changed

Expected result: Password didn't change.

Change History

Changed 2 years ago by MarkDoliner

I think ICQ doesn't need the original password when you change your password. So there are two things we could do to fix this, which one do people prefer?

1. Remove the "Original password" field from the dialog when it isn't needed.

2. Always verify that the "Original password" field is correct, even when this isn't required by the protocol. This might be a tad bit more secure, in the case where you sign into Pidgin, wander away from your computer, and a malicious user comes along and changes your password unbeknownst to you.

Changed 2 years ago by vkhandus

1. As I can see, for the XMPP protocol (my google talk account) the "Original password" field is missing.
2. But I think the second variant is much more secure and logical. Changing the password is like an administrative operation - you must have all rights to do that, so you have to know the password. Other IM clients seem to follow this rule.

Changed 2 years ago by deryni

Until and unless the SoC project for the master password support becomes usable, requiring a Pidgin-level current password comparison adds no useful security to this transaction. If the person is at your machine long enough to pull up the dialog and fill it in, they are at your machine long enough to look the current password up in the accounts.xml file (unless you aren't saving passwords at all, but even then I'm not sure this buys us much).

Changed 2 years ago by MarkDoliner

Comparing the two passwords DOES help a little bit: It takes a little longer to open accounts.xml than to just open the dialog and type in a new password. Also, not everyone is aware that passwords are stored in accounts.xml so we would be thwarting at least a few casual idiots. And yeah, if the password isn't stored at all then it buys us a lot more.

No, it's not 100% perfect, but it does make a difference.
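The two options debated above, as an added example that is not Pidgin's code: a small account model, a stand-in for the ICQ change request that accepts any new password without checking the original (the behaviour the ticket reports), the client-side comparison from option 2, and the field-hiding rule from option 1 for the case deryni raises where no password is saved locally and the client therefore has nothing to compare against. The `Account` fields, `fake_icq_change`, `show_original_field` and `change_password` are all assumptions for illustration.

```python
import hmac
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass
class Account:
    # Hypothetical model; not Pidgin's PurpleAccount.
    protocol: str
    stored_password: Optional[str]   # None when the user chose not to save it
    requires_original: bool          # does the protocol's request carry the old password?


def fake_icq_change(original: Optional[str], new: str) -> bool:
    """Stand-in for the ICQ request described in the ticket: the server does not
    look at the original password, so any non-empty new password is accepted."""
    return bool(new)


def show_original_field(account: Account, verify_locally: bool) -> bool:
    """Option 1: only show the 'Original password' field when somebody will check it,
    either the protocol itself or the client (which needs a saved copy to compare)."""
    if account.requires_original:
        return True
    return verify_locally and account.stored_password is not None


def change_password(account: Account, original: str, new: str,
                    send: Callable[[Optional[str], str], bool],
                    verify_locally: bool) -> str:
    """Returns 'changed', 'rejected-locally' or 'rejected-by-server'."""
    if verify_locally and account.stored_password is not None:
        # Option 2: compare before anything leaves the client. Constant-time compare
        # so the check does not leak how much of the guess matched.
        if not hmac.compare_digest(original.encode(), account.stored_password.encode()):
            return "rejected-locally"
    # Only protocols that actually check the old password get to see it.
    sent_original = original if account.requires_original else None
    if not send(sent_original, new):
        return "rejected-by-server"
    if account.stored_password is not None:
        account.stored_password = new   # keep the saved copy in step with the server
    return "changed"


if __name__ == "__main__":
    # Constructed sample values, not real credentials.
    buggy = Account("prpl-icq", "real-pw", requires_original=False)
    print(change_password(buggy, "wrong", "new-pw", fake_icq_change, verify_locally=False))

    fixed = Account("prpl-icq", "real-pw", requires_original=False)
    print(change_password(fixed, "wrong", "new-pw", fake_icq_change, verify_locally=True))
    print(change_password(fixed, "real-pw", "new-pw", fake_icq_change, verify_locally=True))

    unsaved = Account("prpl-icq", None, requires_original=False)
    print(show_original_field(unsaved, verify_locally=True))
```

With `verify_locally=False` the first call reproduces the ticket: a wrong original password still produces "changed" because the protocol never checks it. With the local comparison on, the same input is rejected before any request is sent. When no password is saved, `show_original_field` returns False, which is the point of option 1: a field nobody can verify should not be shown.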
