From: <lsc...@re...> - 2002-07-26 18:37:40
On Fri, Jul 26, 2002 at 02:29:12PM -0400, lsc...@re... wrote:
> On Fri, Jul 26, 2002 at 02:19:59PM -0400, Robert Story wrote:
> > On Thu, 25 Jul 2002 15:11:59 -0400 Luke Schierer
> > <lsc...@re...> wrote:
> > LS> I agree with Sean, its a horrible idea.
> >
> > I disagree. Storing plain text passwords are a terrible idea.
> >
> > LS> if someone can see your .gaimrc file, encrypting it won't help.
> > LS> they'll just copy it and use gaim itself,
> >
> > The ability to see a file does not imply the ability to copy it.
> >
> if you can see it, you can read it. if you can read it, now can you NOT be able to copy it.

ugh. i can't type it seems, "how" not "now".

> <snip>
>
> i repeat, it is no greater security. the only way it would be greater security is
> if the passwords were not decrypted by gaim. its not even a valid lock. its like
> saying you've locked something by using rot13. you've made it harder for someone to
> accidentally see your passwd yes, but no ones going to be accidentally seeing a .file
> in your home directory. anyone who has the know-how to get to your .gaimrc file would
> be able to get to the password.
> luke

and even then, it would still be a mostly false sense of security because gaim would
still give you access to the change password option for the various protocols. so the
attacker would still have access to your account itself, and your buddy lists by simply
copying the .gaimrc file complete with encrypted passwords to a computer or account from
which he or she can run gaim.

keeping the passwords in plain text forces people who are security conscious, and thus
are the people noticing that gaim has plain text passwords, to evaluate whether or not
they want to be storing passwords (it IS an option) on a given computer PERIOD. and THAT
is a greater security than allowing people to think they have secured things by having an
encrypted .gaimrc that anyone with half a brain can work around.

luke
--
-This email is made of 100% recycled electrons.