Accounts.xml stores passwords in plain text.

Mark Doliner mark at
Mon Dec 17 23:08:10 EST 2007

On Mon, 17 Dec 2007 20:59:56 -0500, Evan Schoenberg wrote
> On Dec 17, 2007, at 7:57 PM, Daniel Atallah wrote:
> > On Dec 17, 2007 6:37 PM, Andreas Monitzer <pidgin at> wrote:
> > > On Dec 17, 2007, at 20:43, Daniel Atallah wrote:
> > >
> > > > This isn't entirely true. I'm not aware of any major services that
> > > > send plaintext or plaintext equivalent passwords over the wire.
> > >
> > > Then you're not aware of ICQ.
> >
> > I guess I wasn't aware that we had fallen back to the old ICQ auth.
> *nod* For those following from home without knowledge of the oscar
> prpl, ICQ has an old authentication method which is a simple XOR of
> the password (plain text equivalent) and a new authentication method
> which is based on a more secure MD5 algorithm.
> Mark, do you know why we switched back to XOR (or why the MD5  
> algorithm was written out but not used, if it never was)?  The  
> reasoning is buried in pre-monotone logs somewhere before the files  
> were split up to improve readability, which occurred in:
> |   Revision: 3c3bc6908223470012ddf0a9adafef145037b96b
> |   Date: 2006-02-11T21:45:18
> (so it's been that way since at least 2/2006)

I think we made a few releases where ICQ was using the same MD5 algorithm used
by AIM, and it worked for maybe 99% of the people.  But it failed for the
remainder of the people, while the older XOR method worked.  So we switched
back.  We could try it again if people want.

