Password encryption

Luke Schierer lschiere at pidgin.im
Mon Mar 17 12:27:28 EDT 2008


David Balazic wrote:
> Hi!
> 
> No, there is a misunderstanding. I talked about 2 (more or
> less separate) things:
> 
>  - protecting the stored passwords
> 
> The simplest way for this is enabling the Encryption in Windows
> on the .purple directory. This is as good as it gets. The only
> more secure way is not to store the passwords on the PC.
> 

If done right, yes, disk (or folder) encryption is secure and works. I 
have not (until now) addressed that portion of your remarks.

>  - preventing passwords appearing text editors
> 
> This is the secret key stuff I wrote about. Because the key is
> in a separate file, the data from an editor having the
> accounts.xml open is useless to an attacker (that is attackers
> having a view on the users monitor).
> The purpose of this would be not to protect the stored password data
> from (all) attacks, but to prevent them being showed on the computers
> display in plain text/sight. Nothing more.
> 
> Regards,
> David
> 
> PS: I not saying this should be implemented in next or any version
> of pidgin. Just that it would prevent one of the few left over
> attack vectors in case config direcotry encyption is used.
> 

Right, but while this would close off one really rather minor attack 
vector, it would increase the user's vulnerability to all other (more 
real) attack vectors, because the user would be lulled into a false 
feeling of security.

While some portion of users would avoid that false feeling of security, 
experience working with the pidgin user base leads me to believe that 
these users are precisely the ones most likely to know that purple 
clients store plain text passwords today, and to have already come up 
with what they consider a reasonable compromise between security and 
ease of use to cover the situation.

Thus the security of the user not already handling the situation has a 
net reduction.  For that reason, we have rejected obscuring the password 
in favor of waiting and leaving the status quo until something truly 
secure against a higher percentage of attacks emerges.

Again, I'm not arguing that disk encryption is or is not a reasonable 
way to handle sensitive data.  I'm addressing only the generated key 
portion of your remarks.

The reality is that if we obscured the password as you suggest, the 
corporate user who started this thread would think purple clients secure 
for the environment he envisions using pidgin in, when it is in fact not.

luke

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 249 bytes
Desc: OpenPGP digital signature
URL: <http://pidgin.im/pipermail/support/attachments/20080317/0451c591/attachment.sig>


More information about the Support mailing list