[Pidgin] #16800: Passwords not protected

Pidgin trac at pidgin.im
Wed Nov 4 05:26:53 EST 2015


#16800: Passwords not protected
---------------------------------+---------------------------
 Reporter:  liar666              |       Owner:  EionRobb
     Type:  defect               |      Status:  new
Milestone:                       |   Component:  unclassified
  Version:  2.10.11              |  Resolution:
 Keywords:  Plaintext Passwords  |
---------------------------------+---------------------------
Description changed by liar666:

Old description:

> Using LaZagne, I discovered that Pidgin stores passwords in plain text.
>
> Looking for a solution to this '''serious''' problem, I found the page:
> https://developer.pidgin.im/wiki/PlainTextPasswords
>
> There, I read:
> - "Instant messaging is not very secure, and it's kind of pointless to
> spend a lot of time adding protections onto the fairly strong file
> protections of UNIX (our native platform) when the protocols themselves
> aren't all that secure. The way to truly know who you are talking to is
> to use an encryption plugin on both ends (such as OTR or pidgin-
> encryption), and use verified GPG keys. Secondly, you shouldn't be using
> your instant messaging password for anything else."
>
> This argument is totally fallacious: nowadays, most IM accounts are
> related to more general accounts, like Google(+)/Yahoo/MSN-Skype/...
> So leaving account passwords exposed in plain text exposes '''a lot more
> information''' (personal & professional emails, web search history,
> location data, applications installed on mobile devices, etc.) than
> what the unprotected IM protocols expose (a few stupid short messages
> between acquaintances who are often not even friends IRL)!!!
>
> - "none of these IM applications provide any sort of real password
> security <big list of other IM software>"
>
> This argument is also totally fallacious: it is not because plenty of
> others do bad things that we must do the same!!!!! Otherwise our
> societies would just be a bunch of people killing other people.
>
> - Finally, "Store a password(s) behind a password": there is no
> argument against this. This is what other software does in similar
> situations (Firefox, Thunderbird, etc.) and is what I would like to see
> implemented.

New description:

 Using LaZagne, I discovered that Pidgin stores passwords in plain text.

 Looking for a solution to this '''serious''' problem, I found the page:
 https://developer.pidgin.im/wiki/PlainTextPasswords

 There, I read:
 - "Instant messaging is not very secure, and it's kind of pointless to
 spend a lot of time adding protections onto the fairly strong file
 protections of UNIX (our native platform) when the protocols themselves
 aren't all that secure. The way to truly know who you are talking to is to
 use an encryption plugin on both ends (such as OTR or pidgin-encryption),
 and use verified GPG keys. Secondly, you shouldn't be using your instant
 messaging password for anything else."

 This argument is totally fallacious: nowadays, most IM accounts are
 related to more general accounts, like Google(+)/Yahoo/MSN-Skype/... So
 leaving account passwords exposed in plain text exposes '''a lot more
 information''' (personal & professional emails, web search history,
 location data, applications installed on mobile devices, etc.) than what
 the unprotected IM protocols expose (a few stupid short messages between
 acquaintances who are often not even friends IRL)!!!

 - "none of these IM applications provide any sort of real password
 security <big list of other IM software>"

 This argument is also totally fallacious: it is not because plenty of
 others do bad things that we must do the same!!!!! Otherwise our
 societies would just be a bunch of people killing other people.

 - Finally, "Store a password(s) behind a password": there is no argument
 against this. This is what other software does in similar situations
 (Firefox, Thunderbird, etc.) and is what I would like to see implemented.

 By the way, I think you would agree with the following page about the
 trojan running a keylogger:
 https://forum.filezilla-project.org/viewtopic.php?t=32286
 But you would be wrong: in computing, there is no 100% security. ''The
 purpose of computer security is not to guarantee your personal data will
 never be accessed'' ('''this is impossible''') ''but to make any intrusion
 as difficult as possible''. Considering this, writing a trojan that runs a
 keylogger requires '''a lot more skill''' than script-kiddying a forged
 email/macro/PDF file/whatever you want that reads a plain-text file (at
 least on Unices)!

--

--
Ticket URL: <https://developer.pidgin.im/ticket/16800#comment:1>
Pidgin <https://pidgin.im>
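Added example, not part of this ticket and not Pidgin's own code: a small audit script that does what the reporter says LaZagne did (read the account store and list every account whose password sits there in the clear), then shows the two interim mitigations a user has while the ticket is open: stripping the stored passwords so they have to be entered at connect time, and checking that the file really is readable only by its owner, which is the "file protections of UNIX" the wiki page relies on. It assumes the Pidgin 2.x layout of ~/.purple/accounts.xml: a root <account version='1.0'> element with one <account> child per configured account, each carrying <protocol>, <name> and, when the password was remembered, a <password> element. The XML below is constructed for the example; the file path and the helper names are this example's own.

```python
"""Audit a Pidgin accounts.xml for stored passwords and strip them.

Added example; not from the Pidgin ticket or the Pidgin code base.
Assumed layout (Pidgin 2.x): ~/.purple/accounts.xml, root <account version='1.0'>
with one <account> child per configured account, each holding <protocol>,
<name> and, if "remember password" was ticked, a cleartext <password>.
"""
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample in the assumed layout: one remembered password, one
# account with none, one with an empty <password> element.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Pidgin</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@example.org/Pidgin</name>
    <password></password>
  </account>
</account>
"""

DEFAULT_PATH = os.path.expanduser("~/.purple/accounts.xml")  # assumed location


def _parse(xml_text):
    # Feed bytes so the XML declaration's encoding attribute is honoured.
    data = xml_text.encode("utf-8") if isinstance(xml_text, str) else xml_text
    return ET.fromstring(data)


def find_plaintext_passwords(xml_text):
    """Return [(protocol, name, password)] for each account with a non-empty stored password."""
    found = []
    for acct in _parse(xml_text).findall("account"):
        pw = acct.findtext("password")  # None if absent, "" if present but empty
        if pw:
            found.append((acct.findtext("protocol", ""), acct.findtext("name", ""), pw))
    return found


def strip_passwords(xml_text):
    """Return (xml_without_password_elements, number_removed).

    Removing the element is the same thing Pidgin does when "remember
    password" is unticked: the password is then asked for at connect time.
    """
    root = _parse(xml_text)
    removed = 0
    for acct in root.findall("account"):
        for pw in acct.findall("password"):
            acct.remove(pw)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def owner_only(path):
    """True if no group/other permission bit is set on the file (0600 or tighter)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return mode & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    if os.path.exists(DEFAULT_PATH):
        with open(DEFAULT_PATH, "rb") as fh:
            text = fh.read()
        print("file is owner-only:", owner_only(DEFAULT_PATH))
    else:
        text = SAMPLE_ACCOUNTS_XML
        print("no real accounts.xml found; auditing the constructed sample")
    for protocol, name, _pw in find_plaintext_passwords(text):
        print(f"cleartext password stored for {protocol} account {name}")
    _cleaned, n = strip_passwords(text)
    print(f"{n} <password> element(s) would be removed")
```

The script only prints what it would remove; to apply the change, write the returned XML back over accounts.xml while Pidgin is not running, since Pidgin rewrites the file on exit and would otherwise re-save the passwords it still has in memory.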