Password encryption

David Balazic David.Balazic at hermes-softlab.com
Mon Mar 17 11:41:44 EDT 2008


Yes, but hiding it still has a purpose.

Imagine this:
 - you open the config file in an editor (for whatever purpose)
 - someone walks by and sees your stored password

A good and simple way to avoid this is:
 - pidgin creates a secret key and stores it by itself into a file
 - all stored passwords are encrypted in the config file(s) with this key

This prevents the above scenario.
And works.

Regards,
David


> -----Original Message-----
> From: Etan Reisner [mailto:deryni at pidgin.im] 
> Sent: Monday, March 17, 2008 4:25 PM
> To: Venkatasamy,Venkat
> Cc: Peter Robev; David Balazic; support at pidgin.im
> Subject: Re: Password encryption
> 
> On Mon, Mar 17, 2008 at 07:57:14AM -0400, Venkatasamy,Venkat wrote:
> <snip>
> > I would like to hash the password so it should not be visible even to
> > the user who stores the password.
> 
> Hashing the password doesn't make it not visible to people, it just makes
> the hash visible instead of the plaintext version, but the hashed version
> is good enough to log in to the account anyway. You would just need to
> stick it into your own copy of pidgin's accounts.xml file on your local
> machine and click Enable. Similarly, it is trivial to modify pidgin to
> print out the unhashed version of the password instead of using it (or to
> rip out the unhashing code from pidgin and run it yourself).
> 
>     -Etan
> 
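
Added example, not part of the original thread and not Pidgin's code: a sketch of the key-file scheme proposed in the message above, showing that the stored value is opaque to someone glancing at the config file while anyone who can read both files recovers the password. The file name, function names and sample password are assumptions, and the HMAC-SHA256 keystream is a standard-library stand-in for a real authenticated cipher.

```python
import hashlib, hmac, os, tempfile
from pathlib import Path

PASSWORD = "correct-horse-constructed"  # constructed sample value

def prf(key, label):
    return hmac.new(key, label, hashlib.sha256).digest()

def keystream(enc_key, nonce, n):
    # HMAC-SHA256 in counter mode; stdlib stand-in for a real AEAD cipher.
    blocks = (prf(enc_key, nonce + i.to_bytes(4, "big")) for i in range(n // 32 + 1))
    return b"".join(blocks)[:n]

def create_key(path):
    # Key file created by the client itself, readable by the owner only (0600).
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "wb") as f:
        f.write(os.urandom(32))

def seal(key, password):
    nonce, data = os.urandom(16), password.encode()
    ks = keystream(prf(key, b"enc"), nonce, len(data))
    ct = bytes(a ^ b for a, b in zip(data, ks))
    tag = prf(prf(key, b"mac"), nonce + ct)
    return (nonce + ct + tag).hex()  # the value that would sit in the config file

def unseal(key, stored):
    blob = bytes.fromhex(stored)
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, prf(prf(key, b"mac"), nonce + ct)):
        raise ValueError("stored value was modified or the key is wrong")
    ks = keystream(prf(key, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks)).decode()

def demo():
    with tempfile.TemporaryDirectory() as d:
        key_path = Path(d) / "secret.key"  # hypothetical file name
        create_key(key_path)
        stored = seal(key_path.read_bytes(), PASSWORD)
        # Passer-by case: the config value is opaque hex, not the password.
        # File-access case: whoever can read both files gets the password back.
        recovered = unseal(key_path.read_bytes(), stored)
        return stored, recovered

if __name__ == "__main__":
    print(demo())
```

The protection therefore rests on the key file's permissions and covers only casual viewing of the config file; keeping the key in an OS keyring or deriving it from a master passphrase moves it out of reach of a plain file read.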



