plain txt passwords in .purple folder
Matthias Apitz
guru at unixarea.de
Wed Sep 28 06:24:21 EDT 2011
On Wednesday, September 28, 2011 at 05:15:18AM -0500, Kevin Stange wrote:
> On 09/28/2011 05:02 AM, James Monroe wrote:
> > Just a heads up your program stored all my passwords (for pidgin) in
> > plain txt in a file in the .purple directory.
>
> We are, of course, aware of this. Please read:
>
> http://developer.pidgin.im/wiki/PlainTextPasswords
>
> > them for nefarious purposes. hash/md5 or something for the love of all
> > things
> > holy.
>
> If we hash your username and password, we can only submit the hashes
> back to the server because hashes cannot be transformed back to original
> values. This means:
>
> 1) If the server accepts them, the hashes are still plain-text login info
> 2) You cannot login.
>
> What purpose would that serve?

Hello Kevin,

Maybe we could use GPG to encrypt and store the clear text pw and the user
needs a passphrase to unlock the storage, i.e. decrypt it with GPG
again.

Thanks

matthias
--
Matthias Apitz
t +49-89-61308 351 - f +49-89-61308 399 - m +49-170-4527211
e <guru at unixarea.de> - w http://www.unixarea.de/
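
The two cases from the quoted reply, modelled as an added example that is not part of the original message or of Pidgin's code. Both server classes and `client_hash` are hypothetical stand-ins, and the password is a constructed sample value.

```python
import hashlib
import hmac
import os


def client_hash(password: str) -> str:
    """What a client would write to disk if it hashed instead of storing the password."""
    return hashlib.sha256(password.encode()).hexdigest()


class PasswordServer:
    """Hypothetical server that expects the real password and keeps a salted hash."""

    def __init__(self, password: str):
        self.salt = os.urandom(16)
        self.stored = hashlib.pbkdf2_hmac("sha256", password.encode(), self.salt, 100_000)

    def login(self, secret: str) -> bool:
        candidate = hashlib.pbkdf2_hmac("sha256", secret.encode(), self.salt, 100_000)
        return hmac.compare_digest(candidate, self.stored)


class HashAcceptingServer:
    """Hypothetical server changed to accept the client-side hash as the credential."""

    def __init__(self, password: str):
        self.expected = client_hash(password)

    def login(self, secret: str) -> bool:
        return hmac.compare_digest(secret.encode(), self.expected.encode())


def run_demo() -> dict:
    password = "correct horse battery staple"  # constructed sample value
    on_disk = client_hash(password)            # all the client kept in its config file
    normal = PasswordServer(password)
    modified = HashAcceptingServer(password)
    return {
        # Case 2: the server wants the password, so the saved hash is useless.
        "client_relogin_with_hash": normal.login(on_disk),
        "user_types_password": normal.login(password),
        # Case 1: the server takes the hash, so the file content is the login secret.
        "file_reader_login": modified.login(on_disk),
    }


if __name__ == "__main__":
    for name, ok in run_demo().items():
        print(f"{name}: {ok}")
```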