Accounts.xml stores passwords in plain text.

Evan Schoenberg evands at pidgin.im
Mon Dec 17 20:59:56 EST 2007


On Dec 17, 2007, at 7:57 PM, Daniel Atallah wrote:

> On Dec 17, 2007 6:37 PM, Andreas Monitzer <pidgin at monitzer.com> wrote:
> On Dec 17, 2007, at 20:43, Daniel Atallah wrote:
>
> > This isn't entirely true. I'm not aware of any major services that
> > send plaintext or plaintext equivalent passwords over the wire.
>
> Then you're not aware of ICQ.
>
> I guess I wasn't aware that we had fallen back to the old ICQ auth.

*nod* For those following from home without knowledge of the oscar  
prpl, ICQ has an old authentication method which is a simple XOR of  
the password (plain text equivalent) and a new authentication method  
which is based on a more secure MD5 algorithm.

Mark, do you know why we switched back to XOR (or why the MD5  
algorithm was written out but not used, if it never was)?  The  
reasoning is buried in pre-monotone logs somewhere before the files  
were split up to improve readability, which occurred in:
|   Revision: 3c3bc6908223470012ddf0a9adafef145037b96b
|   Date: 2006-02-11T21:45:18

(so it's been that way since at least 2/2006)

-Evan
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://pidgin.im/pipermail/devel/attachments/20071217/fe830417/attachment.html>


More information about the Devel mailing list