plain txt passwords in .purple folder

Matthias Apitz guru at unixarea.de
Wed Sep 28 06:24:21 EDT 2011


El día Wednesday, September 28, 2011 a las 05:15:18AM -0500, Kevin Stange escribió:

> On 09/28/2011 05:02 AM, James Monroe wrote:
> > Just a heads up your program stored all my passwords (for pidgin) in
> > plain txt in a file in the .purple directory.
> 
> We are, of course, aware of this.  Please read:
> 
> http://developer.pidgin.im/wiki/PlainTextPasswords
> 
> > them for nefarious purposes. hash/md5 or something for the love of all
> > things
> > holy.
> 
> If we hash your username and password, we can only submit the hashes
> back to the server because hashes cannot be transformed back to original
> values.  This means:
> 
>  1) If the server accepts them, the hashes are still plain-text login info
>  2) You cannot login.
> 
> What purpose would that serve?

Hello Kevin,

Maybe we could use GPG to crypt and store the clear text pw and the user
needs a passphrase to unlock the storage, i.e. decrypt it with GPG
again.

Thanks

	matthias
-- 
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru at unixarea.de> - w http://www.unixarea.de/



More information about the Support mailing list