plain txt passwords in .purple folder

David Woolley forums at david-woolley.me.uk
Wed Sep 28 06:18:23 EDT 2011


James Monroe wrote:
> Just a heads up your program stored all my passwords (for pidgin) in 
> plain txt in a file in the .purple directory.

The developers believe that anything else would give a false sense of 
security.  http://developer.pidgin.im/wiki/PlainTextPasswords

> Needless to say I uninstalled and will never use again. Please fix this 
> for the thousands of other people who don't know to check.
> Lines like ( user name: "actual user name")
>                 ( user password: " actual password!!")
> should not be appearing in professional programs unless you're writing 
> them for nefarious purposes. hash/md5 or something for the love of all 
> things

Hashing the passwords would make them unusable.  Any saved password 
needs to be convertible to a form that is a valid credential for the 
target service.  A one-way function would make it unusable for that. 
Reversible encryption by an open source program would be trivially 
breakable, unless you insisted on a master key that had to be entered 
every time the program was started.

-- 
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
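The master-key alternative the reply describes, as an added Go example (not Pidgin's code): the saved account password is encrypted under a key derived from a passphrase entered at startup, so the record on disk is useless without it, yet the client still recovers the real credential at login, which a hash could never give it. The function names, the record layout and the iteration count are my assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// aeadFor turns the master passphrase into this record's AES-256-GCM key with
// PBKDF2-HMAC-SHA256 (RFC 8018, one 32-byte block, written out to stay stdlib only).
// 100k iterations is an assumption; raise it until unlocking takes a visible fraction of a second.
func aeadFor(master string, salt []byte) cipher.AEAD {
	mac := hmac.New(sha256.New, []byte(master))
	mac.Write(salt)
	mac.Write([]byte{0, 0, 0, 1}) // PBKDF2 block index
	u := mac.Sum(nil)
	key := append([]byte(nil), u...)
	for n := 1; n < 100_000; n++ {
		mac.Reset()
		mac.Write(u)
		u = mac.Sum(nil)
		for j := range key {
			key[j] ^= u[j]
		}
	}
	block, _ := aes.NewCipher(key) // a 32-byte key cannot fail
	gcm, _ := cipher.NewGCM(block) // nor can GCM over an AES block
	return gcm
}

// sealPassword stores an account password as salt(16) || nonce(12) || ciphertext+tag;
// the client can still recover the real credential at login, which a hash could never give it.
func sealPassword(master, password string) ([]byte, error) {
	hdr := make([]byte, 28) // fresh random salt and nonce per record, kept in the clear
	if _, err := rand.Read(hdr); err != nil {
		return nil, err
	}
	return append(hdr, aeadFor(master, hdr[:16]).Seal(nil, hdr[16:], []byte(password), hdr[:16])...), nil
}

// openPassword reverses sealPassword; a wrong passphrase or an altered record fails the GCM tag check.
func openPassword(master string, blob []byte) (string, error) {
	if len(blob) < 28 {
		return "", errors.New("record too short")
	}
	pt, err := aeadFor(master, blob[:16]).Open(nil, blob[16:28], blob[28:], blob[:16])
	return string(pt), err
}
```

Without the passphrase an attacker who copies the record has only a slow offline guessing attack against it; the plaintext accounts file the original mail complains about offers nothing to guess.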