plain txt passwords in .purple folder

Kevin Stange kstange at pidgin.im
Wed Sep 28 06:15:18 EDT 2011


On 09/28/2011 05:02 AM, James Monroe wrote:
> Just a heads up your program stored all my passwords (for pidgin) in
> plain txt in a file in the .purple directory.

We are, of course, aware of this.  Please read:

http://developer.pidgin.im/wiki/PlainTextPasswords

> them for nefarious purposes. hash/md5 or something for the love of all
> things holy.

If we hash your username and password, we can only submit the hashes
back to the server because hashes cannot be transformed back to original
values.  This means:

 1) If the server accepts them, the hashes are still plain-text login info
 2) You cannot log in.

What purpose would that serve?

Kevin
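
The two outcomes listed in the reply above, worked through as an added example (not part of the original message and not Pidgin code). It uses a toy in-memory server in two variants, with SHA-256 standing in for the suggested hash; every class, function and account name here is constructed for illustration.

```python
import hashlib
import hmac


def h(secret: str) -> str:
    """Unsalted SHA-256, standing in for the 'hash/md5 or something' suggestion."""
    return hashlib.sha256(secret.encode()).hexdigest()


class PasswordServer:
    """Toy server (assumption): expects the real password and hashes it itself."""

    def __init__(self, users):
        self._db = {user: h(pw) for user, pw in users.items()}

    def _matches(self, user, value):
        return hmac.compare_digest(self._db.get(user, "").encode(), value.encode())

    def login(self, user, submitted):
        return self._matches(user, h(submitted))


class HashAcceptingServer(PasswordServer):
    """Toy server (assumption): accepts the client-computed hash as the credential."""

    def login(self, user, submitted):
        return self._matches(user, submitted)


def outcomes(user, password):
    """What a client that kept only h(password) on disk can do on each server."""
    users = {user: password}
    stored = h(password)  # the only value the client saved
    return {
        # Case 2 in the reply: the server hashes the hash, so login fails.
        "password_server_given_stored_hash": PasswordServer(users).login(user, stored),
        # Case 1 in the reply: the stored hash logs in by itself, so anyone
        # who can read the file holds a working credential.
        "hash_server_given_stored_hash": HashAcceptingServer(users).login(user, stored),
        # Baseline: the real password works on a normal server.
        "password_server_given_password": PasswordServer(users).login(user, password),
    }


if __name__ == "__main__":
    # Constructed sample account, not taken from the thread.
    for case, ok in outcomes("alice", "correct horse").items():
        print(f"{case}: {'login ok' if ok else 'login refused'}")
```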
