[Pidgin] #13799: In need of a solution for the problem with Pidgin storing password in cleartext
Pidgin
trac at pidgin.im
Thu Apr 21 07:53:38 EDT 2011
#13799: In need of a solution for the problem with Pidgin storing password in
cleartext
------------------------+---------------------------------------------------
Reporter: jacobchrist | Type: patch
Status: new | Component: pidgin (gtk)
Version: 2.7.7 | Keywords: password cleartext
------------------------+---------------------------------------------------
Hi,
I've scanned through the ticket database and found several tickets
describing the problem we stumbled upon while planning to give all our
users access to the Pidgin IM-client.
Since users normally lack the understanding of how to handle passwords
securely we aim to keep it as simple as possible for them by demanding
that all new solutions have some kind of Single Sign On. As of today we
use MS Active Directory for our user accounts, and in this specific case
we have set up a Jabber-based IM-server to connect with AD so that our
users can use their network account when logging in to the IM-server.
The only problem is that the Pidgin client stores the password in
cleartext. In Windows Vista & Windows 7 you can encrypt the folder or the
specific password file to prevent network technicians from accessing the
passwords by just connecting to the folder where it's stored. But this
doesn't seem good enough since several customer supports get users to
accept remote connections to the users' computer when giving them support.
The users also tend to lend out their logged in computer temporarily to
other users without any thought whatsoever :-(
I've read about suggestions like using the Gnome-Keyring, removing the
"save password" function and also just giving the user an alert, when
choosing to save password, saying something like "Beware! The password is
stored unencrypted. Other users that access your computer might be able to
retrieve your password."
At the moment we have packaged version 2.7.7 and I've read the change log
between version 2.7.7 and 2.7.11 without finding any solution for our
problem.
Is there a solution that we can use in our environment? As of today we use
primarily clients with Windows Vista, but shortly we will also have
clients with Windows 7, Linux, OS-X etc.
In total we have 1500 clients used by approx. 2300 users nationwide.
Any help would be appreciated!
With regards
/Jacob
--
Ticket URL: <http://developer.pidgin.im/ticket/13799>
Pidgin <http://pidgin.im>