27 September 2009
Posted in Linux tutorials
Pidgin users should know about a security issue in the way Pidgin stores passwords: every password you let it remember is written to an XML file in clear text, without any encryption. Anyone with physical access can boot the machine into recovery mode while you are away, copy that file and walk off with all of your saved passwords.

Read more on the Pidgin developer wiki at http://developer.pidgin.im/wiki/PlainTextPasswords
See how Pidgin stores your passwords:
1- List the contents of .purple/
ls .purple/
Output
accels blist.xml icons prefs.xml status.xml
accounts.xml certificates logs smileys
2- Now open the file accounts.xml
cd .purple/
and type
gedit accounts.xml
This is how it looks; the password is right there in clear text:

How to secure your Pidgin accounts and passwords?
If you want to secure your Pidgin accounts and passwords, you can use the Master Password patch for Pidgin.
Follow the installation steps in this post on the Ubuntu forums.
But my advice is: don't let Pidgin save your passwords for now. This means you have to type the password every time you log in to one of your accounts, but I see it as the safest option at the moment, because a password that Pidgin prompts for on every login is never written to accounts.xml.
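The check from the listing above and the advice not to save passwords, done from the shell. This is an added example, not Pidgin's own code and not part of the original article. The accounts.xml it writes is constructed for the demo; its element names follow the one-element-per-line layout Pidgin uses in ~/.purple/accounts.xml, and the functions rely on that layout.

```shell
#!/bin/sh
# Added example (not Pidgin's code): audit ~/.purple/accounts.xml for saved
# passwords, strip them so Pidgin prompts at the next login, and check that
# other local users cannot read the file. The sample file is constructed for
# the demo; element names follow the layout Pidgin writes (one element per
# line), which the awk and grep below rely on.

# Write a constructed accounts.xml into a temp directory and print its path.
make_sample_accounts() {
  dir=$(mktemp -d)
  cat > "$dir/accounts.xml" <<'EOF'
<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Home</name>
    <password>hunter2</password>
    <alias>alice</alias>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
    <alias>alice</alias>
  </account>
</account>
EOF
  printf '%s\n' "$dir/accounts.xml"
}

# Print "protocol name" for every account that has a <password> element,
# i.e. every password Pidgin has written to disk in clear text.
stored_password_accounts() {
  awk '
    /<account>/   { proto = ""; name = ""; has_pw = 0 }
    /<protocol>/  { sub(/.*<protocol>/, ""); sub(/<\/protocol>.*/, ""); proto = $0 }
    /<name>/      { sub(/.*<name>/, ""); sub(/<\/name>.*/, ""); name = $0 }
    /<password>/  { has_pw = 1 }
    /<\/account>/ { if (has_pw) print proto, name; has_pw = 0 }
  ' "$1"
}

# Delete every <password> line in place (run with Pidgin closed). Without the
# element Pidgin asks for the password at login instead of reading it from
# disk. "cat > file" rewrites the contents without replacing the inode, so
# the file keeps its owner and mode.
strip_stored_passwords() {
  tmp=$(mktemp)
  grep -v '<password>' "$1" > "$tmp" && cat "$tmp" > "$1"
  rm -f "$tmp"
}

# Succeed (exit 0) if group or others hold any permission bit on the file.
# Columns 5-10 of "ls -l" are the group and other bits on any POSIX system.
world_readable() {
  [ "$(ls -ld "$1" | cut -c5-10)" != "------" ]
}
```

Typical use is `stored_password_accounts ~/.purple/accounts.xml` to see what is saved, then `strip_stored_passwords ~/.purple/accounts.xml` with Pidgin closed, which is the file-level equivalent of unticking the per-account "Remember password" option, and `chmod 600 ~/.purple/accounts.xml` if `world_readable` reports that other users on the box can read it. Note that none of this protects against the recovery-mode scenario in the article; only not storing the password, or encrypting the disk, does.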
You can also see our article : Encrypt data in Linux/Unix
-
2009-09-28 02:46:20 | Mace Moneta - Encfs

I use an encfs mounted directory for all my application configuration files. Just move them into the directory and symlink them back to the root directory.
This way, you have a single secure store for all your private data, accessed with a single password after login.
You don't have to worry about insecure implementations in dozens of applications that have passwords (firefox, pidgin, chromium, google earth, pan2, wine, opera, etc.).
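The move-and-symlink arrangement the comment above describes, as an added example; this is not the commenter's script and does not mount anything. The vault directory is assumed to be whatever you keep unlocked only while logged in (the commenter's encfs mount point; an ecryptfs or LUKS volume behaves the same), and the function refuses to guess when both the original and the vault copy already exist.

```shell
#!/bin/sh
# Added example (not the commenter's script): move an application's config
# directory into a single protected directory and leave a symlink at its
# original location. VAULT is assumed to be an already-mounted encfs (or
# similar) directory; nothing here encrypts anything by itself. Run it once
# per application, with that application closed.

# vault_init VAULT : create the vault directory, readable by the owner only.
vault_init() {
  mkdir -p "$1" && chmod 700 "$1"
}

# vault_link HOME VAULT NAME : move HOME/NAME to VAULT/NAME and symlink it
# back. Returns 0 on success or when already linked, 1 when the state is
# ambiguous (a foreign symlink, or two copies of the data).
vault_link() {
  home=$1 vault=$2 name=$3
  src=$home/$name
  dst=$vault/$name
  if [ -L "$src" ]; then
    # already moved: only accept a link that points into this vault
    [ "$(readlink "$src")" = "$dst" ] && return 0
    echo "vault_link: $src is a symlink to somewhere else" >&2
    return 1
  fi
  if [ -e "$dst" ] && [ -e "$src" ]; then
    # both copies exist; refuse to guess which one holds the current data
    echo "vault_link: both $src and $dst exist, merge them by hand" >&2
    return 1
  fi
  # data is either still in HOME (move it) or already in the vault (just link)
  [ -e "$dst" ] || mv "$src" "$dst" || return 1
  ln -s "$dst" "$src"
}
```

With a real encfs mount this would be `vault_init ~/.private && vault_link "$HOME" ~/.private .purple`, repeated for each of the directories the comment lists. The symlink survives while the vault is unmounted; it simply dangles, which is what makes the data unreadable to anyone who boots the machine without your password.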
-
2009-09-28 03:59:58 | Lowell - This isn't news

it's been like this for years... I actually prefer it this way. This is the ONLY reason I use pidgin over Kopete. Kopete is less buggy but forces me to use KWallet which I can't stand.
-

You're wrong, Sir.
Kopete doesn't force you to use KWallet. If you don't want to use it, just say no when the message about Kopete trying to open the wallet pops up. Kopete will then ask for your password(s) and store them in the config file.
(for the sake of clarity, I am a Kopete developer).
-
2009-09-28 04:16:41 | Jukka - encfs with ubuntu

Install the latest stable Ubuntu and choose home directory encryption, and your files are safe unless you log in, because then the encrypted home is mounted and the root user can go and see the directory.
This option, however, is available only on the alternate installer CD or by adding a command to the live CD boot loader command line.
-
2009-09-28 04:50:04 | Anonymous

Unless you're using some type of hard disk encryption, which would render this "bug" meaningless, anyone with physical access to the machine can bypass any security therein.
-

I used to use this 2 years ago, lol
grep -i -B 3 password ~/.purple/accounts.xml > secrets
-
2009-09-28 07:21:37 | Kevin - Rhythmbox does this as well

The last.fm plugin for Rhythmbox also stores the password as plain text. Go ahead, search gconf. I don't know why they offer to store a password if they can't keep it secure...
-
2009-09-28 10:14:03 | Dummy00001 - ZOMG!!!

I save all my passwords in a .odt (previously a .txt) on my Desktop...
Big deal. To me this is a great feature.
I have never had password stolen, but lost passwords - combined with some sites extremely stupid recovery process - are the major PITA.
-
2009-09-28 13:04:41 | will_in_wi - Your point?

This has been known and understood for years. The point is that if they were to apply encryption, anyone could look at the source code and decrypt the passwords. The devs decided that it was better to store the passwords in plain text than to offer the illusion of security provided by encryption for which the key is known. You can use your own encryption on the HDD if you want.
-
2009-09-28 19:12:50 | Anonymous - Ivan Petroff

You're not a Unix man, man. Storing passwords in clear text is the true Unix way. Encryption is a function of the FS, not the application. Security and access are a function of the OS, not the application.
-
2009-09-28 19:29:49 | Administrator | zinovsky

Ivan, thank you for your comment. The goal of this article is to show people that some applications store passwords in clear text, not just Pidgin but many others doing the same, so Linux users, especially newbies, have to learn how to secure their OS.
-

Congrats for discovering this. It was like this for years. Personally I take this article as a rant against them.
-
2009-09-29 14:34:25 | Jack Dumas

1999 called and they want their headline back.
Thankfully I use Linux and Solaris
-
2009-09-30 07:01:34 | Bonster - Empathy is on the same boat

It seems like Empathy messenger is doing the same; the password is stored in plain text. So much for Linux and security, lol.
~/.mission-control/accounts/accounts.cfg
-
2009-09-30 07:41:20 | Andrey - This is dangerous NLP

This article is dangerous nonsense. Encryption and security can and should be handled on a system level and there are way too many ways to do that on Linux or Windows.
If pidgin starts storing passwords so that THE user cannot see HER password, that would be a devastating result of dangerous NLP like this article.
-
"they said that they will try to resolve this issue in futures releases" -- they don't say that anywhere, and on the contrary, they explain very nicely why the current way of storing passwords is the most proper one. Did you even read the linked wiki page at http://developer.pidgin.im/wiki/PlainTextPasswords (or the screenshot you posted, which plainly says "this is unlikely to be changed")?