
Pidgin stores passwords in clear text!

Written by Mel Kham on . Posted in Linux tutorials

For Pidgin users, there is a security issue with how Pidgin stores saved account passwords: it writes them to an XML file in your home directory, ~/.purple/accounts.xml, in clear text, without any encryption. Anyone who can read your home directory can read every saved password. That includes someone who sits down at your machine while you are away, boots it into recovery mode or from a live CD, and copies accounts.xml; they then have all your IM passwords with no further effort.

The Pidgin developers document this as a deliberate choice rather than an oversight. The client has to be able to recover the password to log in, so any encryption built into Pidgin would use a key that Pidgin itself, and therefore anyone reading the same files, can obtain; they consider that a false sense of security, and expect file protection (disk or home-directory encryption) to come from the operating system, not from each application.

Read more on the Pidgin developer wiki at http://developer.pidgin.im/wiki/PlainTextPasswords

See how Pidgin stores your passwords:

1- List the contents of ~/.purple/

ls ~/.purple/

Output:

accels  accounts.xml  blist.xml  certificates  icons  logs  prefs.xml  smileys  status.xml

2- Now open the file accounts.xml

cd ~/.purple/

and type

gedit accounts.xml

(Any editor or pager works; less accounts.xml avoids starting a GUI.) Look at the <account> elements: every account whose password was saved carries a <password> element, and its content is the password in clear text.

How to secure your Pidgin accounts and passwords?

If you want Pidgin itself to protect the saved passwords, you need a third-party patch, the Master password patch for Pidgin, which protects the saved passwords with a master password. It is not part of stock Pidgin.

Follow the installation steps in the post at the Ubuntu Forums.

But my advice is: don't save passwords in Pidgin for the moment. This means you have to type the password every time you log in to one of your accounts, but a password that is never saved never appears in accounts.xml, and I see this as the safest option for the moment. Two caveats: the password still sits in Pidgin's memory while you are logged in, and everything else in your home directory remains readable by someone who boots your machine into recovery mode. The proper fix for the physical-access scenario is to encrypt the disk or your home directory, so that accounts.xml and the rest of ~/.purple are unreadable without your passphrase.

You can also see our article: Encrypt data in Linux/Unix
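As an added example (not code from the Unixmen post or from the Pidgin project), here is a small shell script that does the two things above without a GUI: it lists which accounts in accounts.xml have a saved clear-text password, and it strips those <password> elements (after making a backup) so that Pidgin prompts at login, which is the "don't save the password" advice applied to accounts that were already saved. It assumes the libpurple accounts.xml layout shown above (nested <account> elements holding <protocol>, <name> and an optional <password>, one element per line); the sample file it writes is constructed test data, not a real account file, and the function names are my own.

```shell
#!/bin/sh
# Added audit script (not from the Unixmen post or the Pidgin project).
# Lists every account in a Pidgin accounts.xml whose password is saved in
# clear text, and strips those <password> elements so Pidgin asks for the
# password at login instead of reading it from disk.
# Assumes the libpurple layout shown on the page: nested <account> elements
# holding <protocol>, <name> and an optional <password>, one element per line.

# Writes a constructed sample accounts.xml to the given path
# (test data only, not a real account file).
make_sample_accounts_xml() {
    cat > "$1" <<'EOF'
<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
    <account>
        <protocol>prpl-jabber</protocol>
        <name>alice@example.org/Home</name>
        <password>hunter2</password>
        <settings>
            <setting name='server' type='string'>xmpp.example.org</setting>
        </settings>
    </account>
    <account>
        <protocol>prpl-irc</protocol>
        <name>bob@irc.example.net</name>
    </account>
</account>
EOF
}

# Prints "protocol<TAB>account name" for each account that has a saved
# password. The password value itself is deliberately not printed.
list_saved_passwords() {
    awk '
        /<protocol>/ { gsub(/.*<protocol>|<\/protocol>.*/, ""); proto = $0 }
        /<name>/     { gsub(/.*<name>|<\/name>.*/, "");         name  = $0 }
        /<password>/ { printf "%s\t%s\n", proto, name }
    ' "$1"
}

# Removes every <password>...</password> line after keeping a backup copy
# next to the file. Pidgin keeps working; it prompts for the password at login.
strip_saved_passwords() {
    cp -p "$1" "$1.bak"
    sed '/<password>.*<\/password>/d' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

# Demo on the constructed sample so the script runs offline; point
# list_saved_passwords at "$HOME/.purple/accounts.xml" to audit a real profile.
demo_file=$(mktemp)
make_sample_accounts_xml "$demo_file"
echo "accounts with clear-text passwords before stripping:"
list_saved_passwords "$demo_file"
strip_saved_passwords "$demo_file"
echo "saved passwords remaining after stripping: $(list_saved_passwords "$demo_file" | wc -l)"
rm -f "$demo_file" "$demo_file.bak"
```

Run it against a real profile with Pidgin closed, since Pidgin rewrites accounts.xml from memory while it runs and would put the passwords back. The backup it leaves in accounts.xml.bak still holds the clear-text passwords, so delete it once you have confirmed Pidgin prompts as expected.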


Links:

For questions please refer to our Q/A forum at http://ask.unixmen.com

Mel Kham

Founder of Unixmen, living in Amsterdam. I work in my free time to help people understand open source and to explain in an easy way how to take the first steps toward the light. Working day and night with my co-founder Zinovsky to keep this website live even with limited resources.
  • Meh

    “they said that they will try to resolve this issue in futures releases” — they don’t say that anywhere, and on the contrary, they explain very nicely why the current way of storing passwords is the most proper one. Did you even read the linked wiki page at http://developer.pidgin.im/wiki/PlainTextPasswords (or the screenshot you posted, which plainly says “this is unlikely to be changed”)?

  • dan

    It’s been this way for YEARS

  • Mace Moneta

    I use an encfs mounted directory for all my application configuration files. Just move them into the directory and symlink them back to the root directory.

    This way, you have a single secure store for all your private data, accessed with a single password after login.

    You don’t have to worry about insecure implementations in dozens of applications that have passwords (firefox, pidgin, chromium, google earth, pan2, wine, opera, etc.).

  • Lowell

    it’s been like this for years… I actually prefer it this way. This is the ONLY reason I use pidgin over Kopete. Kopete is less buggy but forces me to use KWallet which I can’t stand.

    • Cláudio Pinheiro (http://kopete.kde.org)

      You’re wrong, Sir.
      Kopete doesn’t force you to use KWallet. If you don’t want to use it, just say no when the message about Kopete trying to open the wallet pops up. Kopete will then ask for your password(s) and store them in the config file.
      (for the sake of clarity, I am a Kopete developer).

  • Dmitri Minaev (http://minaev.blogspot.com)

    To begin with, don’t save the password :).

  • Jukka

    Install the latest stable Ubuntu and choose home directory encryption, and your files are safe unless you log in, because then the encrypted home is mounted and the root user can go and see the directory.

    This option however is available only in the alternate installer CD or by adding a command to the live CD boot loader command.

  • Anonymous

    Unless you’re using some type of hard disk encryption, which would render this “bug” meaningless, anyone with physical access to the machine can bypass any security therein.

  • caspereeko (http://weblog.0pens0urce.com)

    I used to use this 2 years ago, lol

    # prints every "password" line together with the 3 lines before it
    grep -i -B 3 "password" ~/.purple/accounts.xml > secrets

  • Kevin

    The last.fm plugin for Rhythmbox also stores the password as plain text. Go ahead, search gconf. I don’t know why offer to store a password if they can’t keep it secure…

  • Dummy00001

    I save all my passwords in a.odt (previously a.txt) on my Desktop…

    Big deal. To me this is a great feature.

    I have never had password stolen, but lost passwords – combined with some sites extremely stupid recovery process – are the major PITA.

  • Mediocre-Ninja.blogSpot.com

    if they are able to boot single mode… ;-)

    • Anonymous

      not with debian :P

  • will_in_wi

    This has been known and understood for years. The point is that if they were to apply encryption, anyone could look at the source code and decrypt the passwords. The devs decided that it was better to store the passwords in plain text than to offer the illusion of security provided by encryption for which the key is known. You can use your own encryption on the HDD if you want.

  • Anonymous

    You’re not a Unix man, man. Storing passwords in clear text is the true Unix way. Encryption is a function of the FS, not the application. Security and access are a function of the OS, not an application.

    • zinovsky

      Ivan, thank you for your comment. The goal of this article is to show people that some applications store passwords in clear text, not just Pidgin but many others do the same, so Linux users, especially newbies, have to learn how to secure their OS.

  • ioni (http://archlunux.ro)

    Congrats for discovering this. It was like this for years. Personally I read this article as a rant against them.

  • Jack Dumas

    1999 called and they want their headline back.

    Thankfully I use Linux and Solaris

  • Bonster

    Seems like Empathy messenger is doing the same, the password is stored in plain text, so much for Linux and security lol
    ~/.mission-control/accounts/accounts.cfg

    • Tux

      @Bonster said:
      "Seems like Empathy messenger is doing the same, the password is stored in plain text, so much for Linux and security lol
      ~/.mission-control/accounts/accounts.cfg"

      Wrong, don’t spread FUD. Empathy stores passwords in Gnome keyring: ~/.gnome2/keyrings

  • Andrey

    This article is dangerous nonsense. Encryption and security can and should be handled on a system level and there are way too many ways to do that on Linux or Windows.

    If pidgin starts storing passwords so that THE user cannot see HER password, that would be a devastating result of dangerous NLP like this article.

  • owie

    how about in vista?


  • george (http://www.georgemihail.blogspot.com)

    Will this ever change? It's 2011 and I still found that behavior on my system with Pidgin :O

  • buuba

    That’s a good thing, I could recover the password I forgot easily =D

Copyright © 2008-2013 Unixmen.com. Maintained by Anblik.