Password Encryption
Status: Inactive
Brought to you by:
tvierling
This is a good idea that was shot down for stupid
reasons several times on the gaim list:
"The password information is visible to anyone who opens
the gaimrc file. I want to suggest the encryption of almost
the password information."
See the RFE here:
http://sourceforge.net/tracker/index.php?func=detail&aid=785702&group_id=235&atid=350235
Logged In: YES
user_id=596653
It's worth noting that any type of encryption used must be
two-way, that is, trivially decryptable back to plaintext.
This is true of all "save password" mechanisms, because the
plaintext password will be needed in order to log back into
the service.
That said, it would be possible to add a garbling mechanism
that creates at least a way to prevent *visual* inspection
of the password.
Logged In: YES
user_id=754524
Yeah, the encryption can be very simple. It would just be
nice to deter casual snoops. A good way to do this might be
to allow the user to pick a key at compile time, and
encrypt/decrypt based on this private key.
Logged In: YES
user_id=951336
In reading why the initial gaim developers did not do
something like gpg the accounts.xml file, other than some
reasoning that I couldn't quite follow, the accounts.xml is
written to while gaim is run.
It seems the solution to this is to find what information needs
to be written to and move it elsewhere, OR the idea I like
the most, follow the shadow password file idea and put some
kind of key word in for the password if it's located in the
encrypted file so you can decrypt to memory, load it, and
flush memory.
So when gaim goes to load up all your accounts, if it sees
*encrypted* as the password it will prompt you for your
passphrase and load the password from that file. This would
cause little change to the way accounts.xml is used, and
cause less deviation from the original branch in case they
make some huge change.
Logged In: YES
user_id=754524
Personally, I'd prefer a simpler encryption method, one that
doesn't require you to type a password every time you log
on. For my purposes, mere garbling would be sufficient to
deter most people from viewing my passwords. I do see how a
centralized password holder would be useful for people with
multiple accounts though. Perhaps an option to choose
between the two somehow.
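
The two options discussed in the comments above, side by side, as an added example that is not Gaim code: fixed-key garbling, and the `*encrypted*` placeholder that triggers a passphrase prompt and decrypts from a separate store. All function names, the `account`/`store` dictionaries (stand-ins for accounts.xml and the separate encrypted file) and the sample values are hypothetical; the HMAC-SHA256 keystream is a standard-library stand-in for a vetted authenticated cipher such as AES-GCM.

```python
import hashlib, hmac, os

SENTINEL = "*encrypted*"   # placeholder written to accounts.xml instead of the password

def garble(data: bytes, build_key: bytes) -> bytes:
    """Fixed-key XOR garbling: its own inverse, so anyone with the build key undoes it."""
    return bytes(b ^ build_key[i % len(build_key)] for i, b in enumerate(data))

def _keys(passphrase: str, salt: bytes):
    # Keys come from the user's passphrase, so nothing secret ships with the binary.
    k = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, 200_000, dklen=64)
    return k[:32], k[32:]                      # encryption key, MAC key

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Assumption: stdlib-only stand-in; use a library AEAD cipher in real code.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(8, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(password: str, passphrase: str) -> bytes:
    """Encrypt one password for the separate store: salt | nonce | ciphertext | tag."""
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _keys(passphrase, salt)
    pt = password.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    body = salt + nonce + ct
    return body + hmac.new(mac_key, body, hashlib.sha256).digest()

def unseal(blob: bytes, passphrase: str) -> str:
    """Verify the tag first, then decrypt; a wrong passphrase fails loudly."""
    body, tag = blob[:-32], blob[-32:]
    salt, nonce, ct = body[:16], body[16:32], body[32:]
    enc_key, mac_key = _keys(passphrase, salt)
    expected = hmac.new(mac_key, body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong passphrase or tampered store")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

def load_password(account: dict, store: dict, ask_passphrase) -> str:
    """Return the login password; prompt only when the entry holds the sentinel."""
    if account["password"] != SENTINEL:
        return account["password"]             # existing plaintext entry, no prompt
    return unseal(store[account["name"]], ask_passphrase())
```

Entries that still hold a plaintext password load without a prompt, so the accounts file format is unchanged for them.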