[Pidgin] #16800: Passwords not protected

Pidgin trac at pidgin.im
Wed Nov 4 05:17:18 EST 2015


#16800: Passwords not protected
---------------------+---------------------------------
 Reporter:  liar666  |      Owner:  EionRobb
     Type:  defect   |     Status:  new
Milestone:           |  Component:  unclassified
  Version:  2.10.11  |   Keywords:  Plaintext Passwords
---------------------+---------------------------------
 Using LaZagne, I discovered that Pidgin stores passwords in plain-text.

 Looking for a solution to this '''serious''' problem, I found the page:
 https://developer.pidgin.im/wiki/PlainTextPasswords

 There, I read:
 - "Instant messaging is not very secure, and it's kind of pointless to
 spend a lot of time adding protections onto the fairly strong file
 protections of UNIX (our native platform) when the protocols themselves
 aren't all that secure. The way to truly know who you are talking to is to
 use an encryption plugin on both ends (such as OTR or pidgin-encryption),
 and use verified GPG keys. Secondly, you shouldn't be using your instant
 messaging password for anything else."

 This argument is totally fallacious: nowadays, most of the IM accounts are
 related to more general accounts, like Google(+)/Yahoo/MSN-Skype/... So
 leaving account passwords exposed in plain text exposes '''a lot more
 information''' (personal & professional emails, web search history,
 localization data, applications installed on mobile devices, etc.) than what
 the not-protected IM messaging protocols expose (a few stupid short
 messages between acquaintances that are often not even friends IRL)!!!

 - "none of these IM applications provide any sort of real password
 security <big list of other IM software>"

 This argument is also totally fallacious: this is not because there are
 plenty of others that do bad things, that we must do the same!!!!!
 Otherwise our societies would just be a bunch of people killing other
 people.

 - Finally, "Store a password(s) behind a password"
 there is no argument against this. This is what other software does in
 similar situations (Firefox, Thunderbird, etc.) and is what I would like
 to see implemented.

--
Ticket URL: <https://developer.pidgin.im/ticket/16800>
Pidgin <https://pidgin.im>