Pidgin stores passwords in clear text!

For Pidgin users, there is a security issue with the way Pidgin stores passwords: the program writes them to an XML file in clear text, without any encryption. Anyone with physical access to the machine can boot into recovery mode while you are away, open the file and read all your passwords in plain text. He only has to copy that file and he has every password you saved, the easy way.

See how Pidgin stores your passwords:

1- List the contents of ~/.purple/

ls .purple/
accels  accounts.xml  blist.xml  certificates  icons  logs  prefs.xml  smileys  status.xml

2- Now open the file accounts.xml

cd .purple/

and type

gedit accounts.xml

This is how it looks: the password is right there in clear text, inside a <password> element of the account.

How to secure your Pidgin accounts and passwords?

If you actually want Pidgin to keep your passwords protected, you need to use a patch called the Master password patch for Pidgin, which encrypts the saved passwords with a password you type once per session.

Follow the installation steps in this post on the Ubuntu forums.

But my advice is: don't let Pidgin save your passwords for the moment. This means you have to type the password every time you log in to one of your accounts in Pidgin, but I see it as the safest way right now, because a password you type at login is never written to accounts.xml.
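As an added example (this is not code from the original post or from the Pidgin project), the following Python script does the two things discussed above: it lists which accounts in accounts.xml have a saved password, and it removes the <password> elements so that Pidgin prompts for them at login instead of reading them from disk. The sample accounts.xml in the script is constructed here in the layout Pidgin writes (a root <account version='1.0'> element with one <account> child per account, and a <password> element only when the password was saved); the account names and the password in it are made up for the example.

```python
#!/usr/bin/env python3
"""Audit and clean saved passwords in Pidgin's ~/.purple/accounts.xml.

Added example for this post, not Pidgin code. The XML layout below is the
one Pidgin writes (one <account> child per account, with a <password>
element only when "Remember password" is ticked); the account names and
the password are constructed for the example.
"""
import shutil
import sys
import xml.etree.ElementTree as ET

# Constructed sample: one account with a saved password, one without.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Home</name>
    <password>hunter2</password>
    <settings>
      <setting name='auth_plain_in_clear' type='bool'>0</setting>
    </settings>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</account>
"""


def find_stored_passwords(xml_text):
    """Return [(protocol, name), ...] for every account with a non-empty <password>."""
    root = ET.fromstring(xml_text)
    found = []
    for acct in root.findall("account"):
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            found.append((acct.findtext("protocol"), acct.findtext("name")))
    return found


def strip_passwords(xml_text):
    """Return (new_xml, removed) with every <password> element removed.

    Without the element Pidgin has nothing to read from disk and asks for
    the password when the account connects: the "don't save it" advice,
    applied to passwords that were already saved.
    """
    root = ET.fromstring(xml_text)
    removed = 0
    for acct in root.findall("account"):
        for pw in acct.findall("password"):
            acct.remove(pw)
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


def clean_file(path, strip=False):
    """Audit a real accounts.xml; with strip=True, back it up and rewrite it.

    Close Pidgin first: it writes accounts.xml itself and would save the
    passwords it still holds in memory. The .bak copy still contains the
    clear-text passwords, so delete it once you are happy with the result.
    """
    with open(path, encoding="utf-8") as f:
        xml_text = f.read()
    for proto, name in find_stored_passwords(xml_text):
        print(f"saved password: {proto} {name}")
    if not strip:
        return 0
    new_xml, removed = strip_passwords(xml_text)
    if removed:
        shutil.copy2(path, path + ".bak")
        with open(path, "w", encoding="utf-8") as f:
            f.write("<?xml version='1.0' encoding='UTF-8' ?>\n" + new_xml + "\n")
    return removed


if __name__ == "__main__":
    args = [a for a in sys.argv[1:] if a != "--strip"]
    if args:
        # Usage: accounts_audit.py ~/.purple/accounts.xml [--strip]
        clean_file(args[0], strip="--strip" in sys.argv)
    else:
        # No file given: run against the constructed sample.
        print(find_stored_passwords(SAMPLE_ACCOUNTS_XML))
        print(strip_passwords(SAMPLE_ACCOUNTS_XML)[1], "password element(s) removed")
```

Run it without arguments to see it work on the built-in sample, or with the path to your own accounts.xml to list which accounts have a saved password; add --strip (with Pidgin closed) to remove them. Stripping the elements only stops new reads from disk; a password that was already copied by someone with access to the file must still be changed.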

You can also see our article :  Encrypt data in Linux/Unix

  • Meh

    “[b]they said that they will try to resolve this issue in futures releases[/b]” — they don’t say that anywhere, and on the contrary, they explain very nicely why the current way of storing passwords is the most proper one. Did you even read the linked wiki page at (or the screenshot you posted, which plainly says “this is unlikely to be changed”)?

  • dan

    It’s been this way for YEARS

  • Mace Moneta

    I use an encfs mounted directory for all my application configuration files. Just move them into the directory and symlink them back to the root directory.

    This way, you have a single secure store for all your private data, accessed with a single password after login.

    You don’t have to worry about insecure implementations in dozens of applications that have passwords (firefox, pidgin, chromium, google earth, pan2, wine, opera, etc.).

  • Lowell

    it’s been like this for years… I actually prefer it this way. This is the ONLY reason I use pidgin over Kopete. Kopete is less buggy but forces me to use KWallet which I can’t stand.

  • Dmitri Minaev

    To begin with, don’t save the password :).

  • Jukka

    Install the latest stable Ubuntu and choose home directory encryption, and your files are safe unless you log in, because then the encrypted home is mounted and the root user can go and see the directory.

    This option, however, is available only on the alternate installer CD or by adding a command to the live CD boot loader.

  • Anonymous

    Unless you’re using some type of hard disk encryption, which would render this “bug” meaningless, anyone with physical access to the machine can bypass any security therein.

  • caspereeko

    I used to use this 2 years ago, lol

    grep -i -B 3 "password" ~/.purple/accounts.xml > secrets

  • Kevin

    The plugin for Rhythmbox also stores the password as plain text. Go ahead, search gconf. I don’t know why offer to store a password if they can’t keep it secure…

  • Dummy00001

    I save all my passwords in a.odt (previously a.txt) on my Desktop…

    Big deal. To me this is a great feature.

    I have never had password stolen, but lost passwords – combined with some sites extremely stupid recovery process – are the major PITA.


    if they are able to boot single mode… ;-)

  • will_in_wi

    This has been known and understood for years. The point is that if they were to apply encryption, anyone could look at the source code and decrypt the passwords. The devs decided that it was better to store the passwords in plain text than to offer the illusion of security provided by encryption for which the key is known. You can use your own encryption on the HDD if you want.

  • Anonymous

    You’re not a Unix man, man. Storing passwords in clear text is a true Unix way. Encryption is a function of the FS, not the application. Security and access are a function of an OS, not an application.

  • zinovsky

    Ivan, thank you for your comment. The goal of this article is to show people that some applications store passwords in clear text; not just Pidgin but many others do the same, so Linux users, especially newbies, have to learn how to secure their OS.

  • Anonymous

    not with debian :P

  • ioni

    Congrats for discovering this. It was like this for years. Personally I take this article as a rant against them.

  • Jack Dumas

    1999 called and they want their headline back.

    Thankfully I use Linux and Solaris

  • Cláudio Pinheiro

    You’re wrong, Sir.
    Kopete doesn’t force you to use KWallet. If you don’t want to use it, just say no when the message about Kopete trying to open the wallet pops up. Kopete will then ask for your password(s) and store them in the config file.
    (for the sake of clarity, I am a Kopete developer).

  • Bonster

    Seems like Empathy messenger is doing the same, the password is stored in plain text, so much for Linux and security lol

  • Andrey

    This article is dangerous nonsense. Encryption and security can and should be handled on a system level and there are way too many ways to do that on Linux or Windows.

    If pidgin starts storing passwords so that THE user cannot see HER password, that would be a devastating result of dangerous NLP like this article.

  • owie

    how about in vista?

  • Tux

    @Bonster said:
    "seems like empathy messenger is doing the same, password is store in plain text, so much for linux and security loL"

    Wrong, don’t spread FUD. Empathy stores passwords in Gnome keyring: ~/.gnome2/keyrings

  • george

    Will this ever change? It's 2011 and I still found that behavior on my system with Pidgin :O

  • buuba

    That’s a good thing, I could recover the password I forgot easily =D