Password encryption
David Balazic
David.Balazic at hermes-softlab.com
Mon Mar 17 11:41:44 EDT 2008
Yes, but hiding it still has a purpose.
Imagine this:
- you open the config file in an editor (for whatever purpose)
- someone walks by and sees your stored password
A good and simple way to avoid this is:
- pidgin creates a secret key and stores it by itself into a file
- all stored passwords are encrypted in the config file(s) with this key
This prevents the above scenario.
And works.
Regards,
David
> -----Original Message-----
> From: Etan Reisner [mailto:deryni at pidgin.im]
> Sent: Monday, March 17, 2008 4:25 PM
> To: Venkatasamy,Venkat
> Cc: Peter Robev; David Balazic; support at pidgin.im
> Subject: Re: Password encryption
>
> On Mon, Mar 17, 2008 at 07:57:14AM -0400, Venkatasamy,Venkat wrote:
> <snip>
> > I would like to hash the password so it should not be visible even to
> > the user who stores the password.
>
> Hashing the password doesn't make it not visible to people, it just makes
> the hash visible instead of the plaintext version, but the hashed version
> is good enough to log in to the account anyway. You would just need to
> stick it into your own copy of pidgin's accounts.xml file on your local
> machine and click Enable. Similarly, it is trivial to modify pidgin to
> print out the unhashed version of the password instead of using it (or to
> rip out the unhashing code from pidgin and run it yourself).
>
> -Etan
>
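The key-file scheme proposed in the message above, as an added example that is not part of the original thread and is not Pidgin's code: it shows that the stored value no longer reads as the password in an editor, and that anyone who can read both files still recovers it. The file names `secret.key` and `accounts-demo.xml`, the `<password>` layout and the HMAC-SHA256 keystream standing in for a real cipher are all assumptions.

```python
import hashlib
import hmac
import os
import tempfile
from pathlib import Path

PW = "constructed-sample-pw"  # constructed sample value

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, unauthenticated.
    # It only models "encrypted with a locally stored key".
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]

def load_or_create_key(key_path: Path) -> bytes:
    # The client creates the key by itself and keeps it in its own file.
    if not key_path.exists():
        key_path.write_bytes(os.urandom(32))
        os.chmod(key_path, 0o600)  # file permissions remain the real access control
    return key_path.read_bytes()

def store_password(config_path: Path, key: bytes, password: str) -> None:
    nonce = os.urandom(16)
    data = password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    config_path.write_text(f"<password>{(nonce + ct).hex()}</password>\n")

def read_password(config_path: Path, key: bytes) -> str:
    hexblob = config_path.read_text().strip()[len("<password>"):-len("</password>")]
    blob = bytes.fromhex(hexblob)
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode("utf-8")

def demo() -> dict:
    with tempfile.TemporaryDirectory() as d:
        key_path, config_path = Path(d) / "secret.key", Path(d) / "accounts-demo.xml"
        key = load_or_create_key(key_path)
        store_password(config_path, key, PW)
        shown_in_editor = config_path.read_text()  # what a passer-by would see
        # Whoever can read both files reverses the stored value.
        recovered = read_password(config_path, key_path.read_bytes())
        return {"plaintext_visible": PW in shown_in_editor, "recovered": recovered}
```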