Opened 3 years ago

Closed 3 years ago

Last modified 3 years ago

#16800 closed defect (duplicate)

Passwords not protected

Reported by: liar666
Owned by: EionRobb
Milestone:
Component: unclassified
Version: 2.10.11
Keywords: Plaintext Passwords
Cc:

Description (last modified by liar666)

Using LaZagne, I discovered that Pidgin stores passwords in plain text.

Looking for a solution to this serious problem, I found the page: https://developer.pidgin.im/wiki/PlainTextPasswords

There, I read:

  • "Instant messaging is not very secure, and it's kind of pointless to spend a lot of time adding protections onto the fairly strong file protections of UNIX (our native platform) when the protocols themselves aren't all that secure. The way to truly know who you are talking to is to use an encryption plugin on both ends (such as OTR or pidgin-encryption), and use verified GPG keys. Secondly, you shouldn't be using your instant messaging password for anything else."

This argument is totally fallacious: nowadays, most IM accounts are tied to more general accounts, like Google(+)/Yahoo/MSN-Skype/... So leaving account passwords exposed in plain text exposes a lot more information (personal & professional emails, web search history, location data, applications installed on mobile devices, etc.) than what the unprotected IM messaging protocols expose (a few stupid short messages between acquaintances that are often not even friends IRL)!!!

  • "none of these IM applications provide any sort of real password security <big list of other IM software>"

This argument is also totally fallacious: just because plenty of others do bad things does not mean we must do the same!!!!! Otherwise our societies would just be a bunch of people killing other people.

  • Finally, "Store a password(s) behind a password"

There is no argument against this. This is what other software does in similar situations (Firefox, Thunderbird, etc.) and is what I would like to see implemented.

By the way, I think you would agree with the following page about the trojan running a keylogger: https://forum.filezilla-project.org/viewtopic.php?t=32286 But you would be wrong: in computing, there is no 100% security. The purpose of computer security is not to guarantee that your personal data will never be accessed (this is impossible) but to make any intrusion as difficult as possible. Considering this, writing a trojan that runs a keylogger requires a lot more skill than script-kidding a forged email/macro/pdf-file/whatever-you-want that reads a plain text file (at least on Unices)!

Change History (3)

comment:1 Changed 3 years ago by liar666

  • Description modified (diff)

comment:2 Changed 3 years ago by mmcco

Build Pidgin 3.0 from source or wait for it to be released.

comment:3 Changed 3 years ago by Robby

  • Resolution set to duplicate
  • Status changed from new to closed

Closed as duplicate of #803.

Pidgin 3.0 includes #673.

Last edited 3 years ago by Robby