Pidgin’s Plaintext Passwords

August 11, 2008

This has actually bothered me for quite some time now (even back when Pidgin was called GAIM). It comes down to one simple fact: when you have Pidgin save your login password, it is written to an easy-to-find location, in plaintext. Here is the excerpt from my ~/.purple/accounts.xml file:

<account>
    <protocol>prpl-aim</protocol>
    <name>fake_account</name>
    <password>secret_password</password>
</account>

So I ask you, is this a good idea? Well, I sure don’t think so. Granted, you could argue that in the ideal scenario nobody could read that file without first logging in to the computer. However, how many times have you walked away from the computer and forgotten to lock the screen? It still happens to me from time to time, and I’m willing to bet it could happen to anyone. So, in less than a minute, someone could easily have found that password in the config file.
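To make the point concrete, here is an added example (not Pidgin’s own code) that audits an accounts.xml the way someone at your unlocked session could, pulling out every account with a saved password and checking whether the file is readable by other local users as well. It assumes the layout visible in the excerpt above: a root <account version='1.0'> element holding one <account> child per configured account, each with <protocol>, <name> and an optional <password>. The sample XML is constructed for the demo.

```python
"""Audit a Pidgin (libpurple) accounts.xml for saved plaintext passwords.

Added example for this post; this is not Pidgin's own code.  The layout
assumed here (root <account version='1.0'>, one <account> child per
configured account with <protocol>, <name> and optional <password>)
follows the excerpt in the post; the sample XML is constructed.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: the AIM account from the post plus a second account
# whose password was not saved, so it has no <password> element.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
    <account>
        <protocol>prpl-aim</protocol>
        <name>fake_account</name>
        <password>secret_password</password>
    </account>
    <account>
        <protocol>prpl-jabber</protocol>
        <name>someone@example.org/Home</name>
    </account>
</account>
"""


def saved_passwords(xml_text):
    """Return (protocol, name, password) for every account that stores a
    password.  Accounts without a <password> element are skipped: that is
    what "don't save the password" looks like on disk."""
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):
        pw = acct.findtext("password")
        if pw is None:
            continue
        found.append((acct.findtext("protocol", ""),
                      acct.findtext("name", ""),
                      pw))
    return found


def audit_file(path):
    """Audit one accounts.xml on disk.

    Reports the saved passwords and whether the file mode lets group or
    other users read it.  The mode check is an extra: a 0600 file still
    does nothing against someone sitting at your unlocked session, which
    is the scenario the post describes."""
    mode = os.stat(path).st_mode
    with open(path, encoding="utf-8") as fh:
        accounts = saved_passwords(fh.read())
    return {
        "path": path,
        "group_or_world_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "saved_passwords": accounts,
    }


def demo():
    """Write the constructed sample to a temp dir with owner-only
    permissions and audit it, as you would ~/.purple/accounts.xml."""
    workdir = tempfile.mkdtemp()
    path = os.path.join(workdir, "accounts.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ACCOUNTS_XML)
    os.chmod(path, 0o600)
    return audit_file(path)


if __name__ == "__main__":
    # Audit the real file if present, otherwise run against the sample.
    real = os.path.expanduser("~/.purple/accounts.xml")
    result = audit_file(real) if os.path.exists(real) else demo()
    print("file:", result["path"])
    print("readable by group/others:", result["group_or_world_readable"])
    for protocol, name, password in result["saved_passwords"]:
        # Masked here; the point is that the script could just as easily
        # print it, because the file holds the password verbatim.
        print(f"  {protocol} {name}: plaintext password saved "
              f"({len(password)} chars, shown as {'*' * len(password)})")
```

Run it as-is to see the output for the sample, or point it at your own ~/.purple/accounts.xml. Note what the permission check does and does not buy you: an owner-only mode keeps other local accounts out, but anyone at your unlocked session is already you as far as the filesystem is concerned, and the same goes for any encryption whose key Pidgin would have to keep on the same disk.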

The moral of the story here is that perhaps you shouldn’t have Pidgin save your passwords, at least until they implement some level of encryption. Don’t get me wrong though, I love Pidgin, and it is a great IM client 🙂 .
