How to save passwords more secure?!

Jeff Sadowski jeff.sadowski at gmail.com
Sun Jun 22 10:10:29 EDT 2008


On Sun, Jun 22, 2008 at 4:14 AM, Bron Gondwana <brong at fastmail.fm> wrote:
> On Sat, Jun 21, 2008 at 11:18:29PM -0600, Jeff Sadowski wrote:
>> A kludge that would be the easiest to implement would be to have
>> ~/.purple be a cryptomounted directory that is mounted before pidgin is
>> started. It is easy to implement with scripts, and after you are
>> logged in it can be unmounted.
>
> This is no help against a hypothetical virus that reads your
> accounts.xml file in real time - since you're likely to have
> pidgin running most of the time you're logged in.
>
If you had said virus, what would be preventing it from reading memory space?
Because of how the protocols are, pidgin or any chat client for that
matter must send the password character by character; thus it will be
in memory at some point.
Also, what would stop said virus from key logging?

> A "real" security solution here would either be to farm
> responsibility out to the desktop environment's password
> manager utility, or to have a "master password" which
> pidgin uses at startup to decrypt the passwords from
> disk - after which it stores them in memory which is
> protected from other processes and protected from being
> paged out.
>
> The "desktop environment password utility" solution is
> actually quite viable, but ideally would start with the
> desktop environments agreeing on a standard interface/API
> for talking to password managers, rather than having to
> code up separate support for each one.
>
> Bron
>
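
The storage described in the quoted proposal above (secrets kept in memory that other processes cannot read and that is not paged out), sketched as an added example for Linux with glibc 2.25 or later. It is not Pidgin or libpurple code, and the names secret_buf, process_harden, secret_new, secret_wipe and secret_free are hypothetical.

```c
/* Added example (hypothetical helper names); assumes Linux and glibc >= 2.25. */
#define _GNU_SOURCE
#include <stdio.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/prctl.h>
#include <unistd.h>

typedef struct {
    unsigned char *data; /* page-aligned anonymous mapping holding the secret */
    size_t len;          /* mapping length, rounded up to whole pages */
    int locked;          /* 1 if mlock() succeeded: pages stay out of swap */
    int nodump;          /* 1 if the mapping is excluded from core dumps */
} secret_buf;

/* Call once at startup: no core dumps, and unprivileged processes of the
 * same user can no longer ptrace-attach or open /proc/<pid>/mem. */
int process_harden(void) { return prctl(PR_SET_DUMPABLE, 0, 0, 0, 0); }

/* Allocate at least `want` bytes for a secret. Returns 0 on success. */
int secret_new(secret_buf *s, size_t want) {
    long page = sysconf(_SC_PAGESIZE);
    memset(s, 0, sizeof *s);
    if (page <= 0 || want == 0) return -1;
    s->len = (want + (size_t)page - 1) / (size_t)page * (size_t)page;
    s->data = mmap(NULL, s->len, PROT_READ | PROT_WRITE,
                   MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (s->data == MAP_FAILED) { s->data = NULL; s->len = 0; return -1; }
    s->locked = (mlock(s->data, s->len) == 0);  /* may hit RLIMIT_MEMLOCK */
    s->nodump = (madvise(s->data, s->len, MADV_DONTDUMP) == 0);
    return 0;
}

/* explicit_bzero() is not optimised away the way a plain memset() can be. */
void secret_wipe(secret_buf *s) { if (s->data) explicit_bzero(s->data, s->len); }

void secret_free(secret_buf *s) {
    if (!s->data) return;
    secret_wipe(s);
    munmap(s->data, s->len);  /* unmapping also drops the memory lock */
    memset(s, 0, sizeof *s);
}

int main(void) {
    secret_buf pw;
    if (process_harden() != 0) perror("prctl");
    if (secret_new(&pw, 256) != 0) return 1;
    printf("len=%zu locked=%d nodump=%d\n", pw.len, pw.locked, pw.nodump);
    secret_free(&pw);
    return 0;
}
```

A caller should check the locked flag and decide whether to continue when mlock() is refused; the flags do not cover code running inside the same process or input captured before the secret reaches the buffer.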



