Opened 12 years ago

Closed 12 years ago

Last modified 3 years ago

#803 closed defect (wontfix)

password stored as plain text

Reported by: cobra582
Owned by:
Milestone:
Component: libpurple
Version: 2.0
Keywords: unencrypted password
Cc:

Description

I can only attest for the Windows version of Pidgin, but in the ...Application Data\.purple\accounts.xml file all the passwords for all the accounts are stored as unencrypted strings.

Can I suggest encrypting this in some way? Or can you please provide a reason why it's not encrypted?

But good work guys, this app rocks!

Change History (5)

comment:1 Changed 12 years ago by lschiere

  • Resolution set to wontfix
  • Status changed from new to closed

comment:2 Changed 12 years ago by lithium

I disagree that not storing the passwords at all is "by far the most secure of all of the options". This only leads to two things:

a) users picking short and/or dictionary-based passwords (or even: one default pass for everything)

b) users have to type in a few passwords (perhaps) right in front of others every day

I think this is very bad and I would really hope you would use something like the gnome-keyring to store/access the passwords.

comment:3 Changed 12 years ago by lschiere

1) gnome-keyring requires GNOME, which Pidgin does not and will not.

2) gnome-keyring does not change anything. I'm not sure exactly how it works, but it is either a case of keeping all your passwords unencrypted in memory after you authenticate against it once, in which case anyone with access to read your .purple/accounts.xml can also get to its memory with a debugger and get your passwords, or it is a case of hiding a password behind a password, in which case your statement about having to type a password every day in front of others still applies.

comment:4 Changed 12 years ago by phroggie

See also, #673.

comment:5 Changed 3 years ago by Robby

Ticket #16800 has been marked as a duplicate of this ticket.
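
A defensive check related to the report above, as an added example that is not part of the ticket or of Pidgin's code: it lists which accounts in an accounts.xml carry a saved password (without ever printing it) and whether the file's POSIX mode lets other local users read it. The element names (`account`, `protocol`, `name`, `password`) and the sample file are assumptions constructed for illustration.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the layout assumed here for accounts.xml; not taken from the ticket.
SAMPLE = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/home</name>
    <password>constructed-sample-secret</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.org</name>
  </account>
</account>
"""

def accounts_with_saved_password(path):
    """Return (protocol, name) for each account with a non-empty <password>.
    The password text itself is never returned or printed."""
    found = []
    for acct in ET.parse(path).getroot().iter("account"):
        pw = acct.find("password")  # direct children only, so the root wrapper is skipped
        if pw is not None and (pw.text or "").strip():
            found.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return found

def audit(path):
    """Summarise the exposure of one accounts.xml without revealing any secret."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return {
        "saved": accounts_with_saved_password(path),
        # POSIX permission bits only; on Windows, inspect the file's ACL instead.
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
    }

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "accounts.xml")
        with open(p, "w", encoding="utf-8") as f:
            f.write(SAMPLE)
        os.chmod(p, 0o644)
        print(audit(p))
```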
