Pidgin’s Plaintext Passwords

This has bothered me for quite some time now (even back when Pidgin was still called GAIM): when you have Pidgin save your login password, it is written to an easy-to-find location, in plaintext. Here is an excerpt from my ~/.purple/accounts.xml file:

    <account>
        <protocol>prpl-aim</protocol>
        <name>fake_account</name>
        <password>secret_password</password>

So I ask you: is this a good idea? I certainly don’t think so. You could argue that, in the ideal case, nobody can read that file without the login credentials for the computer, since the file’s permissions are the only thing guarding it. But how many times have you walked away from the computer and forgotten to lock the screen? It still happens to me from time to time, and I’m willing to bet it can happen to anyone. Within a minute, someone at that unlocked desk could have pulled the password out of the config file. The same goes for anything else that can read your home directory: a program running as your user, or anyone with root.

The moral of the story: don’t have Pidgin save your passwords, at least until it protects them with something better than file permissions. Untick “Remember password” in the account’s settings, and check afterwards that the <password> line is gone from accounts.xml. Don’t get me wrong, I love Pidgin, and it is a great IM client 🙂.
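To see how little stands between a reader of that file and your password, and to find every account that has one saved, here is a small audit program. It is an added example, not part of the original post and not Pidgin’s code. It parses the accounts.xml layout shown above (a root <account version='1.0'> wrapping one <account> per configured account, which is an assumption modelled on the excerpt, exercised here on a constructed sample embedded in the code rather than a real capture), lists the accounts that carry a <password> element without echoing the password, warns when the file is readable by other users, and returns a copy of the file with the <password> lines removed.

```go
package main

import (
	"encoding/xml"
	"fmt"
	"io/fs"
	"os"
	"regexp"
)

// sampleAccountsXML is a constructed stand-in for ~/.purple/accounts.xml,
// modelled on the excerpt in the post (not a real capture). The outer
// <account version='1.0'> root holds one <account> per configured account;
// the second one was saved without "Remember password".
const sampleAccountsXML = `<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
	<account>
		<protocol>prpl-aim</protocol>
		<name>fake_account</name>
		<password>secret_password</password>
	</account>
	<account>
		<protocol>prpl-jabber</protocol>
		<name>someone@example.org/Home</name>
	</account>
</account>
`

// Only the elements the audit needs are mapped; the parser ignores the rest.
type purpleAccounts struct {
	XMLName  xml.Name        `xml:"account"`
	Accounts []purpleAccount `xml:"account"`
}

type purpleAccount struct {
	Protocol string  `xml:"protocol"`
	Name     string  `xml:"name"`
	Password *string `xml:"password"` // nil when no password was saved
}

// Finding is one account whose password sits on disk in the clear. The
// password itself is deliberately not carried, only its length.
type Finding struct {
	Protocol, Name string
	PasswordLength int
}

// FindStoredPasswords parses accounts.xml text and reports every account
// that has a <password> element.
func FindStoredPasswords(xmlText string) ([]Finding, error) {
	var doc purpleAccounts
	if err := xml.Unmarshal([]byte(xmlText), &doc); err != nil {
		return nil, fmt.Errorf("accounts.xml: %w", err)
	}
	var out []Finding
	for _, a := range doc.Accounts {
		if a.Password != nil {
			out = append(out, Finding{a.Protocol, a.Name, len(*a.Password)})
		}
	}
	return out, nil
}

var passwordLine = regexp.MustCompile(`(?m)^[ \t]*<password>.*</password>[ \t]*\r?\n`)

// StripPasswords drops every <password> line and returns the cleaned text
// plus the number of lines removed. It edits the raw text instead of
// re-serialising the parsed document so settings the parser does not
// model are left exactly as they were.
func StripPasswords(xmlText string) (string, int) {
	n := len(passwordLine.FindAllStringIndex(xmlText, -1))
	return passwordLine.ReplaceAllString(xmlText, ""), n
}

// ReadableByOthers reports whether the group or other read bits are set;
// those bits are the only thing protecting the plaintext password.
func ReadableByOthers(mode fs.FileMode) bool {
	return mode.Perm()&0o044 != 0
}

func main() {
	text, source := sampleAccountsXML, "constructed sample"
	if len(os.Args) > 1 {
		data, err := os.ReadFile(os.Args[1])
		if err != nil {
			fmt.Fprintln(os.Stderr, err)
			os.Exit(1)
		}
		text, source = string(data), os.Args[1]
		if st, err := os.Stat(source); err == nil && ReadableByOthers(st.Mode()) {
			fmt.Printf("warning: %s is readable by other users (mode %o)\n", source, st.Mode().Perm())
		}
	}
	findings, err := FindStoredPasswords(text)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("%s: %d account(s) with a saved password\n", source, len(findings))
	for _, f := range findings {
		fmt.Printf("  %-12s %-28s %d characters, stored in the clear\n", f.Protocol, f.Name, f.PasswordLength)
	}
	_, dropped := StripPasswords(text)
	fmt.Printf("StripPasswords would remove %d line(s)\n", dropped)
}
```

Run it with no arguments to see it work on the embedded sample, or point it at the real file (go run audit.go ~/.purple/accounts.xml). The program only reports; if you write the output of StripPasswords back yourself, quit Pidgin first, because Pidgin rewrites accounts.xml from its in-memory settings and would otherwise put the password straight back.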


8 Responses to Pidgin’s Plaintext Passwords

  1. Wes says:

    You have a really bad password, dude.

  2. Nolochemical says:

    Great tip, what is your idea for a fix?

    • jintoreedwine says:

      Well, I’m not exactly sure how they could fix this. I would recommend just not having Pidgin store your password. Even if they encrypted it, the encryption key would have to be hard-coded somewhere. Although that would make it slightly harder to get the password, it still would be possible. I just avoid storing the password. It is kind of annoying to type it in, but I’ll take that inconvenience for security’s sake.

    • No, they don’t. All you need to do is encrypt the account information with AES, then ask the user to identify with a “master password”. The fact that they think this is too inconvenient for users is retarded, and the reason I use Bitlbee.

      They could also take the approach that Google Chrome takes, and encrypt the password with the underlying operating system crypt APIs. For GNU/Linux, it would mean tying in with KWallet or GNOME Keyring. For Windows, it would be the Crypt API, and Mac OS X, it would be the Keychain. Then, when the user logs into the system, Pidgin would have access to the encrypted password of the account.

      This is crypto 101, and the Pidgin devs fail at it, clearly.

  3. matt says:

    That Pidgin wiki is complete @&^$*)@$. So what if IM is not the safest protocol on the Internet? It’s still not trivial to get someone else’s password. All the developers need to do is use something like MD5 encryption for the passwords. MD5 is a one-way encryption and thus cannot be cracked by just having the encrypted password. Having plaintext passwords in a file that could easily be read by anyone with read access to that file (i.e. the root user) is &%$@ing retarded.

    • Joel says:

      Are you trolling? MD5 is not encryption, but a hash. You are correct that a one-way hash cannot easily be undone, but how is Pidgin going to authenticate with the IM network if it cannot decrypt its own saved passwords? Some IM networks authenticate with plaintext, so every time Pidgin wants to authenticate it needs to know the plaintext password.

      The problem with any type of encryption is that it needs a unique key for decryption that cannot be stored on the computer. Otherwise you are storing the lock and key together. The only way to get an encryption key external to the computer is to have the user supply it. That defeats the purpose of saving the passwords for most intents. I save my passwords because I do not want to type any password.

      On their website they do mention that they have done some work with integrating it into “Keychains”, but Windows does not have one built in.

  4. Simon says:

    It should be linked to gnome-keyring, or similar. The solution is obvious, really. I’m surprised this still is not sorted.
