plain txt passwords in .purple folder

David Woolley forums at
Wed Sep 28 06:18:23 EDT 2011

James Monroe wrote:
> Just a heads up your program stored all my passwords (for pidgin) in 
> plain txt in a file in the .purple directory.

The developers believe that anything else would give a false sense of 

> Needless to say I uninstalled and will never use again. Please fix this 
> for the thousands of other people who don't know to check.
> Lines like ( user name: "actual user name")
>                 ( user password: " actual password!!")
> should not be appearing in professional programs unless you're writing 
> them for nefarious purposes. hash/md5 or something for the love of all 
> things

Hashing the passwords would make them unusable.  Any saved password 
needs to be convertible to a form that is a valid credential for the 
target service.  A one way function would make it unusable for that. 
Reversible encryption by an open source program would be trivially 
breakable, unless you insisted on a master key that had to be entered 
every time the program was started.

David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
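
Added example, not part of the original message or of Pidgin's code: since the thread establishes that saved passwords sit in clear text under .purple, the practical control is knowing which accounts have one saved and whether the file's permissions keep other local users out. The sketch below audits a file laid out like Pidgin's accounts.xml (the element layout and the sample data are assumptions constructed for illustration) and never echoes a password.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

def audit_accounts(path):
    """Audit a Pidgin-style accounts.xml; report findings, never the password."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    findings = {
        "mode": oct(mode),
        # Any group/other permission bit means another local user can reach it.
        "accessible_by_others": bool(mode & (stat.S_IRWXG | stat.S_IRWXO)),
        "saved_passwords": [],
    }
    # Assumed layout: <account> children, each with <protocol>, <name> and an
    # optional <password> that is present only when the password was saved.
    for account in ET.parse(path).getroot().findall("account"):
        if account.findtext("password"):
            findings["saved_passwords"].append(
                (account.findtext("protocol", "?"), account.findtext("name", "?"))
            )
    return findings

# Constructed sample input, not taken from any real installation.
SAMPLE = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Home</name>
    <password>constructed-secret</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</account>
"""

def demo(mode):
    """Write the constructed sample with the given file mode and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "accounts.xml")
        with open(path, "w", encoding="utf-8") as handle:
            handle.write(SAMPLE)
        os.chmod(path, mode)
        return audit_accounts(path)

if __name__ == "__main__":
    print(demo(0o644))  # flagged: group and others can read the file
    print(demo(0o600))  # owner-only: still clear text, but not exposed locally
```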
