plain txt passwords in .purple folder
David Woolley
forums at david-woolley.me.uk
Wed Sep 28 06:18:23 EDT 2011
James Monroe wrote:
> Just a heads up your program stored all my passwords (for pidgin) in
> plain txt in a file in the .purple directory.
The developers believe that anything else would give a false sense of
security. http://developer.pidgin.im/wiki/PlainTextPasswords
> Needless to say I uninstalled and will never use again. Please fix this
> for the thousands of other people who don't know to check.
> Lines like ( user name: "actual user name")
> ( user password: " actual password!!")
> should not be appearing in professional programs unless you're writing
> them for nefarious purposes. hash/md5 or something for the love of all
> things
Hashing the passwords would make them unusable. Any saved password
needs to be convertible to a form that is a valid credential for the
target service. A one way function would make it unusable for that.
Reversible encryption by an open source program would be trivially
breakable, unless you insisted on a master key that had to be entered
every time the program was started.
--
David Woolley
Emails are not formal business letters, whatever businesses may want.
RFC1855 says there should be an address here, but, in a world of spam,
that is no longer good advice, as archive address hiding may not work.
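The three options David contrasts, as an added illustration that is neither Pidgin's code nor part of the thread: a one-way hash that can only be verified, "encryption" under a key embedded in the program (anyone with the source recovers the password), and encryption under a key derived from a master password typed at startup. The HMAC-counter keystream, the embedded key and the sample password are constructed for the example; a real client would use a vetted AEAD such as AES-GCM.

```python
import hashlib
import hmac
import os


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # Counter-mode keystream using HMAC-SHA256 as the PRF (illustrative only).
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(key: bytes, plaintext: bytes) -> bytes:
    nonce = os.urandom(16)  # fresh nonce per stored password
    return nonce + bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))


def decrypt(key: bytes, blob: bytes) -> bytes:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))


# 1. One-way hash: fine for a server checking a login, useless for a client
#    that must send the original password to the IM service.
def hashed_store(password: str) -> bytes:
    return hashlib.sha256(password.encode()).digest()


# 2. Reversible "encryption" with a key baked into the program. In an open
#    source client the key ships with the source, so this only obfuscates.
EMBEDDED_KEY = b"constructed-example-key-visible-in-source"


def obfuscated_store(password: str) -> bytes:
    return encrypt(EMBEDDED_KEY, password.encode())


def obfuscated_recover(blob: bytes) -> bytes:
    return decrypt(EMBEDDED_KEY, blob)  # needs nothing the source does not contain


# 3. Key derived from a master password the user enters at startup; the
#    stored blob is useless without it.
def master_key(master_password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)


def protected_store(password: str, master_password: str) -> bytes:
    salt = os.urandom(16)
    return salt + encrypt(master_key(master_password, salt), password.encode())


def protected_recover(blob: bytes, master_password: str) -> bytes:
    salt, rest = blob[:16], blob[16:]
    return decrypt(master_key(master_password, salt), rest)
```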