Accounts.xml stores passwords in plain text.
Mark Doliner
mark at kingant.net
Mon Dec 17 23:08:10 EST 2007
On Mon, 17 Dec 2007 20:59:56 -0500, Evan Schoenberg wrote
> On Dec 17, 2007, at 7:57 PM, Daniel Atallah wrote:
>
> > On Dec 17, 2007 6:37 PM, Andreas Monitzer <pidgin at monitzer.com> wrote:
> > On Dec 17, 2007, at 20:43, Daniel Atallah wrote:
> >
> > > This isn't entirely true. I'm not aware of any major services that
> > > send plaintext or plaintext equivalent passwords over the wire.
> >
> > Then you're not aware of ICQ.
> >
> > I guess I wasn't aware that we had fallen back to the old ICQ auth.
>
> *nod* For those following from home without knowledge of the oscar
> prpl, ICQ has an old authentication method which is a simple XOR of
> the password (plain text equivalent) and a new authentication method
> which is based on a more secure MD5 algorithm.
>
> Mark, do you know why we switched back to XOR (or why the MD5
> algorithm was written out but not used, if it never was)? The
> reasoning is buried in pre-monotone logs somewhere before the files
> were split up to improve readability, which occurred in:
> | Revision: 3c3bc6908223470012ddf0a9adafef145037b96b
> | Date: 2006-02-11T21:45:18
>
> (so it's been that way since at least 2/2006)
I think we made a few releases where ICQ was using the same MD5 algorithm used
by AIM, and it worked for maybe 99% of the people. But it failed for the
remainder of the people, while the older XOR method worked. So we switched
back. We could try it again if people want.
-Mark
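
An added example, not part of the original thread and not code from the oscar prpl: it contrasts a fixed-key XOR encoding with a nonce-based MD5 challenge-response, to show why the thread calls the XOR form "plain text equivalent". The key table, the sample password and the response construction are assumptions made for illustration, not the actual ICQ or AIM algorithms.

```python
import hashlib
import hmac
import os

# Constructed fixed key for illustration; NOT the table the oscar prpl uses.
FIXED_KEY = bytes([0x5A, 0x13, 0xC7, 0x88, 0x21, 0xF0, 0x3D, 0x9E])


def xor_obfuscate(password: bytes, key: bytes = FIXED_KEY) -> bytes:
    """Fixed-key XOR: the same function both encodes and decodes."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(password))


def md5_response(password: bytes, challenge: bytes) -> bytes:
    """Generic challenge-response (assumed form): digest over a server nonce."""
    return hashlib.md5(challenge + hashlib.md5(password).digest()).digest()


def server_verify(stored_pw_md5: bytes, challenge: bytes, response: bytes) -> bool:
    """Server recomputes the digest from its stored MD5(password)."""
    expected = hashlib.md5(challenge + stored_pw_md5).digest()
    return hmac.compare_digest(expected, response)


def demo() -> dict:
    password = b"correct-horse"  # constructed sample credential
    # XOR scheme: identical bytes on every login, reversible by anyone
    # who has the key that ships inside every client.
    wire1 = xor_obfuscate(password)
    wire2 = xor_obfuscate(password)
    recovered = xor_obfuscate(wire1)
    # Challenge-response: a fresh nonce per login, so captures differ and
    # an old response is rejected against a new challenge.
    c1, c2 = os.urandom(16), os.urandom(16)
    r1, r2 = md5_response(password, c1), md5_response(password, c2)
    stored = hashlib.md5(password).digest()
    return {
        "xor_repeats": wire1 == wire2,
        "xor_recovered": recovered == password,
        "cr_repeats": r1 == r2,
        "cr_valid": server_verify(stored, c1, r1),
        "cr_replay_accepted": server_verify(stored, c2, r1),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

A captured challenge and response still allow offline password guessing, so the MD5 form is stronger than XOR only in that it does not hand over the password directly and cannot be replayed.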