For Pidgin users, there is a security issue regarding how Pidgin stores passwords: the program saves them in its .xml configuration files in clear text, without any encryption. So anyone can boot into recovery mode while you are away and find all your passwords in plain text; they just copy the password file and, oops, they have all your passwords the easy way.


Read more on the Pidgin developer wiki page at http://developer.pidgin.im/wiki/PlainTextPasswords

See how Pidgin stores your passwords:

1- List all the content of .purple/

ls .purple/

Output:

accels blist.xml icons prefs.xml status.xml
accounts.xml certificates logs smileys

2- Now open the file accounts.xml

cd .purple/

and type

gedit accounts.xml

This is how it looks (screenshot in the original post): the password is stored in clear text.

How to secure your Pidgin accounts and passwords?

Now, if you actually want to secure your Pidgin accounts and passwords, you need to use a patch called the Master Password patch for Pidgin.

Follow the installation steps in this post at the Ubuntu forums.

But my advice is: don't auto-save passwords in Pidgin for the moment. This means you have to type your password every time you want to log in to one of your accounts in Pidgin. I see this as the safest way for the moment, because if you have to type the password every time you log in, it will not be stored in accounts.xml.
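To make the two points above concrete (what accounts.xml contains, and that an account with no saved password is prompted for at login), here is an added audit script that is not part of the original post or of Pidgin. It assumes Pidgin's accounts.xml layout, a root <account version='1.0'> holding one <account> element per IM account with <protocol>, <name> and an optional <password> child; the sample file embedded in it is constructed for the demo.

```python
# Added example (not from the original post): audit ~/.purple/accounts.xml for
# saved plaintext passwords and, if wanted, strip them so Pidgin asks at login.
# Assumed layout: root <account version='1.0'> containing one <account> per IM
# account with <protocol>, <name> and an optional <password>. The sample below
# is constructed for the demo ("hunter2" is a made-up value).
import os
import xml.etree.ElementTree as ET

SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
\t<account>
\t\t<protocol>prpl-jabber</protocol>
\t\t<name>alice@example.org/Home</name>
\t\t<password>hunter2</password>
\t</account>
\t<account>
\t\t<protocol>prpl-irc</protocol>
\t\t<name>alice@irc.example.net</name>
\t</account>
</account>
"""

def audit_saved_passwords(xml_text):
    """Return [(protocol, name, has_saved_password)]; never echoes the secret."""
    root = ET.fromstring(xml_text)
    report = []
    for acct in root.findall("account"):
        proto = acct.findtext("protocol", default="?")
        name = acct.findtext("name", default="?")
        pw = acct.find("password")
        report.append((proto, name, pw is not None and bool(pw.text)))
    return report

def strip_saved_passwords(xml_text):
    """Remove every <password> element so Pidgin prompts at login instead.
    Returns (new_xml_text, number_removed); other settings are left intact."""
    root = ET.fromstring(xml_text)
    removed = 0
    for acct in root.findall("account"):
        for pw in acct.findall("password"):
            acct.remove(pw)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed

if __name__ == "__main__":
    path = os.path.expanduser("~/.purple/accounts.xml")
    text = open(path, encoding="utf-8").read() if os.path.exists(path) else SAMPLE_ACCOUNTS_XML
    for proto, name, saved in audit_saved_passwords(text):
        print(f"{proto:12} {name:30} saved password: {'YES' if saved else 'no'}")
```

Run the audit with Pidgin closed; if you write the output of strip_saved_passwords back to the file, do it while Pidgin is not running, because Pidgin rewrites accounts.xml on exit.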

You can also see our article: Encrypt data in Linux/Unix


Zinovsky
Written on Sunday, 27 September 2009 11:37 by Zinovsky


Comments (20)
  • Meh  - By design

    "they said that they will try to resolve this issue in futures releases" -- they don't say that anywhere, and on the contrary, they explain very nicely why the current way of storing passwords is the most proper one. Did you even read the linked wiki page at http://developer.pidgin.im/wiki/PlainTextPasswords (or the screenshot you posted, which plainly says "this is unlikely to be changed")?

  • dan  - Ummm, yeah....

    It's been this way for YEARS

  • Mace Moneta  - Encfs

    I use an encfs mounted directory for all my application configuration files. Just move them into the directory and symlink them back to the root directory.

    This way, you have a single secure store for all your private data, accessed with a single password after login.

    You don't have to worry about insecure implementations in dozens of applications that have passwords (firefox, pidgin, chromium, google earth, pan2, wine, opera, etc.).

  • Lowell  - This isn't news

    It's been like this for years... I actually prefer it this way. This is the ONLY reason I use pidgin over Kopete. Kopete is less buggy but forces me to use KWallet which I can't stand.

  • Cláudio Pinheiro  - Kopete and passwords

    You're wrong, Sir.
    Kopete doesn't force you to use KWallet. If you don't want to use it, just say no when the message about Kopete trying to open the wallet pops up. Kopete will then ask for your password(s) and store them in the config file.
    (for the sake of clarity, I am a Kopete developer).

  • Dmitri Minaev

    To begin with, don't save the password :).

  • Jukka  - encfs with ubuntu

    Install latest stable Ubuntu and choose home directory encryption and your files are safe unless you login because then the encrypted home is mounted and root user can go and see the directory.

    This option however is available only in alternate installer cd or by adding a command to the live cd boot loader command.

  • Anonymous

    Unless you're using some type of hard disk encryption, which would render this "bug" meaningless, anyone with physical access to the machine can bypass any security therein.

  • caspereeko  - loool

    I used to use this 2 years ago, lool

    grep -i -B 3 "password" ~/.purple/accounts.xml > secrets

  • Kevin  - Rhythmbox does this as well

    The last.fm plugin for Rhythmbox also stores the password as plain text. Go ahead, search gconf. I don't know why offer to store a password if they can't keep it secure...

  • Dummy00001  - ZOMG!!!

    I save all my passwords in a.odt (previously a.txt) on my Desktop...

    Big deal. To me this is a great feature.

    I have never had password stolen, but lost passwords - combined with some sites extremely stupid recovery process - are the major PITA.

  • Mediocre-Ninja.blogSpot.com

    if they are able to boot single mode... ;-)

  • Anonymous

    not with debian :P

  • will_in_wi  - Your point?

    This has been known and understood for years. The point is that if they were to apply encryption, anyone could look at the source code and decrypt the passwords. The devs decided that it was better to store the passwords in plain text than to offer the illusion of security provided by encryption for which the key is known. You can use your own encryption on the HDD if you want.

  • Anonymous  - Ivan Petroff

    You're not a Unix man, man. Storing passwords in clear text is a true Unix way. Encryption is a function of FS, not application. Security and access is a function of an OS, not an application.

  • zinovsky

    Ivan, thank you for your comment. The goal of this article is to show people that some applications store passwords in clear text, not just Pidgin but many others do the same, so Linux users, especially newbies, have to learn how to secure their OS.

  • ioni  - congrats

    Congrats for discovering this. It was like this for years. Personally I take this article as a rant against them.

  • Jack Dumas

    1999 called and they want their headline back.

    Thankfully I use Linux and Solaris

  • Bonster  - Empathy is on the same boat

    Seems like Empathy messenger is doing the same, the password is stored in plain text, so much for Linux and security loL
    ~/.mission-control/accounts/accounts.cfg

  • Andrey  - This is dangerous NLP

    This article is dangerous nonsense. Encryption and security can and should be handled on a system level and there are way too many ways to do that on Linux or Windows.

    If pidgin starts storing passwords so that THE user cannot see HER password, that would be a devastating result of dangerous NLP like this article.
