From: Morgan C. [Ax0n] <sir...@mo...> - 2002-07-27 00:25:41

I think that if you encrypted the password, it would be wise to require the user to enter their previous password before changing their password anyways.

> On Fri, Jul 26, 2002 at 02:29:12PM -0400, lsc...@re... wrote:
>> On Fri, Jul 26, 2002 at 02:19:59PM -0400, Robert Story wrote:
>> > On Thu, 25 Jul 2002 15:11:59 -0400 Luke Schierer
>> > <lsc...@re...> wrote:
>> > LS> I agree with Sean, it's a horrible idea.
>> >
>> > I disagree. Storing plain text passwords is a terrible idea.
>> >
>> > LS> if someone can see your .gaimrc file, encrypting it won't help.
>> > LS> they'll just copy it and use gaim itself,
>> >
>> > The ability to see a file does not imply the ability to copy it.
>>
>> if you can see it, you can read it. if you can read it, now can you
>> NOT be able to copy it.
>
> ugh. i can't type it seems, "how" not "now".
>
>> >
>
> <snip>
>
>>
>> i repeat, it is no greater security. the only way it would be greater
>> security is if the passwords were not decrypted by gaim. it's not
>> even a valid lock. it's like saying you've locked something by using
>> rot13. you've made it harder for someone to accidentally see your
>> passwd yes, but no one's going to be accidentally seeing a .file in
>> your home directory. anyone who has the know-how to get to your
>> .gaimrc file would be able to get to the password.
>> luke
>
> and even then, it would still be a mostly false sense of security
> because gaim would still give you access to the change password
> option for the various protocols. so the attacker would still have
> access to your account itself, and your buddy lists by simply copying
> the .gaimrc file complete with encrypted passwords to a computer or
> account from which he or she can run gaim. keeping the passwords in
> plain text forces people who are security conscious, and thus are the
> people noticing that gaim has plain text passwords, to evaluate
> whether or not they want to be storing passwords (it IS an option) on
> a given computer PERIOD.
>
> and THAT is a greater security than allowing people to think they have
> secured things by having an encrypted .gaimrc that anyone with half a
> brain can work around.
>
> luke
>
> --
> -This email is made of 100% recycled electrons.

--
Crypto Doesn't Kill - People Do.