master password gsoc project
rlaager at wiktel.com
Wed May 21 18:55:16 EDT 2008
On Wed, 2008-05-21 at 23:50 +0200, Vivien Bernet-Rollande wrote:
> - From this, it seems the "secret" or optional entropy is pretty much
> any kind of data + the size, and it would be possible to use it for a
> password. There are some drawbacks to that implementation, but it
> seems feasible. This also means we have total control over the prompt
> window's design.
Yes, it may work.
> This would indeed make sense, having a cross-platform plugin.
> I've seen that there's a whole cipher infrastructure in libpurple, so
> such a plugin could probably make use of that code. Haven't checked
> what algorithms are available though.
Yeah, we could do it there, or via our SSL plugins. It's not a huge
> Also, it seems to me it would be a better thing to store the protected
> data in another file, unlike the patch, which modifies the structure
> of the accounts.xml file.
Why? That seems like the perfect place for it.
> The way I see it is the following: by default, the plugin works in a
> totally transparent way. The user never gets prompted for anything,
> passwords are secured with his system password, simple, clean and easy.
> But from the configuration interface, the user could set a master
> password, adding an extra layer of security (in case the system
> account is shared by multiple users for instance).
Then they should use multiple OS users instead.
> Second, some users might like an extra layer of
> protection, since having a Pidgin-specific password makes it harder
> for other applications.
If you're running untrusted applications, there's not really much we can
do to protect against that.