From: <lsc...@re...> - 2002-07-26 18:29:14
On Fri, Jul 26, 2002 at 02:19:59PM -0400, Robert Story wrote:
> On Thu, 25 Jul 2002 15:11:59 -0400 Luke Schierer <lsc...@re...> wrote:
> LS> I agree with Sean, it's a horrible idea.
>
> I disagree. Storing plain text passwords is a terrible idea.
>
> LS> if someone can see your .gaimrc file, encrypting it won't help.
> LS> they'll just copy it and use gaim itself,
>
> The ability to see a file does not imply the ability to copy it.

if you can see it, you can read it. if you can read it, how can you NOT be able to copy it.

> LS> or a decrypter based on gaim's decryption of the passwds to read your
> LS> passwords anyway.
>
> This assumes a certain level of knowledge on the part of the attacker. The
> number of people who can copy down plain text far exceeds the number of people
> who can find/run a decrypter.

no. it assumes that the attacker can copy the file, stick it in his/her home directory, and use gaim's change password option. secondly, your attacker already beat the unix file permissions via some exploit, so he or she has a level of knowledge to do something far more trivial.

> LS> cannot trust the security of the unix permissions. encrypting .gaimrc would
> LS> only provide a FALSE sense of greater security.
>
> No, it is not a FALSE sense of greater security. It is greater security. Just
> because it isn't perfect doesn't mean it isn't better. Having a door on my
> house provides a greater sense of security. Having a lock on the door provides
> an even greater sense of security. Just because some criminals can pick the
> lock doesn't mean I shouldn't lock it to keep out the ones that can't.

i repeat, it is no greater security. the only way it would be greater security is if the passwords were not decrypted by gaim. it's not even a valid lock. it's like saying you've locked something by using rot13. you've made it harder for someone to accidentally see your passwd yes, but no one's going to be accidentally seeing a .file in your home directory.
anyone who has the know-how to get to your .gaimrc file would be able to get to the password.

luke
--
-This email is made of 100% recycled electrons.
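
The design point argued in this message, as an added example that is not part of the original email and is not gaim's code: a stored password sealed with a key that ships inside the client can be opened by anyone who holds the file and a copy of the client, while one sealed with a secret kept outside the file cannot. `APP_KEY`, `seal`, `unseal`, the passphrase variant and the sample values are all constructed for illustration, and the passphrase variant goes beyond what the thread itself proposes.

```python
import hashlib
import hmac
import os

# Constructed stand-in for a key compiled into the client: every install has it.
APP_KEY = b"key-shipped-inside-every-client"


def _xor(data: bytes, stream: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, stream))


def _derive(secret: bytes, salt: bytes, n: int):
    # One PBKDF2 call yields a 32-byte MAC key followed by n keystream bytes.
    out = hashlib.pbkdf2_hmac("sha256", secret, salt, 50_000, dklen=32 + n)
    return out[:32], out[32:]


def seal(password: bytes, secret: bytes) -> bytes:
    """Return salt || tag || ciphertext for a config-file entry."""
    salt = os.urandom(16)
    mac_key, stream = _derive(secret, salt, len(password))
    ct = _xor(password, stream)
    tag = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    return salt + tag + ct


def unseal(blob: bytes, secret: bytes):
    """Return the password, or None when the secret does not match."""
    salt, tag, ct = blob[:16], blob[16:48], blob[48:]
    mac_key, stream = _derive(secret, salt, len(ct))
    expected = hmac.new(mac_key, salt + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, stream)


if __name__ == "__main__":
    pw = b"hunter2"  # constructed sample password
    in_file = seal(pw, APP_KEY)           # what the config file would hold
    copied = bytes(in_file)               # the file as read by another account
    print(unseal(copied, APP_KEY))        # recovered: the key came with the client
    guarded = seal(pw, b"user passphrase, never written to disk")
    print(unseal(guarded, APP_KEY))       # None: the file alone is not enough
```

The second case only helps if the user types the secret at startup; the moment it is cached next to the file, it collapses back into the first case.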