On Fri, Jul 26, 2002 at 02:19:59PM -0400, Robert Story wrote:
> On Thu, 25 Jul 2002 15:11:59 -0400 Luke Schierer
> <lschiere@...> wrote:
> LS> I agree with Sean, its a horrible idea.
> I disagree. Storing plain text passwords are a terrible idea.
The whole problem is that even if you store a plain-text password, all
it takes is for somebody to copy your .gaimrc, log into your accounts,
and change your passwords. The way to prevent this is to set the
permissions on your .gaimrc so it can only be seen by you. And
amazingly, this prevents the need for them to be encrypted.
> LS> if someone can see your .gaimrc file, encrypting it won't help.
> LS> they'll just copy it and use gaim itself,
> The ability to see a file does not imply the ability to copy it.
If you can read it, you can copy it.
> LS> or a decrypter based on gaim's decryption of the passwds to read your
> LS> passwords anyway.
> This assumes a certain level of knowledge on the part of the attacker. The
> number of people who can copy down plain text far exceeds the number of people
> who can find/run a decrypter.
Those people would have to be root. Don't trust root? Find a new
computer, or just don't run it there.
> LS> cannot trust the security of the unix permissions. encrypting.gaimrc would
> LS> only provide a FALSE sense of greater security.
> No, it is not a FALSE sense of greater security. It is greater security. Just
> because it isn't perfect doesn't mean it isn't better. Having a door on my
> house provides a greater sense of security. Having a lock on the door provides
> an even greater sense of security. Just because some criminals can pick the lock doesn't mean I shouldn't lock it too keep out the ones that can't.
It is no security. People can still change your passwords, mess with
your accounts, or whatever. It DOES provide a false sense of security,
because you think encrypted passwords will keep your accounts safe. In
reality, a simple `cp /home/mrfoo/.gaimrc /home/ev1lh4x0r && gaim`
would give access to all your accounts and buddy lists. However, if
the account is chmod 600, only YOU can see it, and nobody can copy it.
That is, of course, unless somebody breaks into your account or root
is a BOFH, but then you have much, much bigger problems to worry
Christian Hammond <> The GNUpdate Project
chipx86@... <> http://www.gnupdate.org/
If you ever drop your keys into a river of molten lava, let'em go,
because, man, they're gone.
-- Bill Austin