From: Morgan C. [Ax0n] <sir...@mo...> - 2002-07-27 00:25:41
I think that if you encrypted the password, it would be wise to require
the user to enter their previous password before changing their password
anyways.

> On Fri, Jul 26, 2002 at 02:29:12PM -0400,
> lsc...@re... wrote:
>> On Fri, Jul 26, 2002 at 02:19:59PM -0400, Robert Story wrote:
>> > On Thu, 25 Jul 2002 15:11:59 -0400 Luke Schierer
>> > <lsc...@re...> wrote:
>> > LS> I agree with Sean, it's a horrible idea.
>> >
>> > I disagree. Storing plain text passwords is a terrible idea.
>> >
>> > LS> if someone can see your .gaimrc file, encrypting it won't help.
>> LS> they'll just copy it and use gaim itself,
>> >
>> > The ability to see a file does not imply the ability to copy it.
>>
>> if you can see it, you can read it. if you can read it, now can you
>> NOT be able to copy it.
>
> ugh. i can't type it seems, "how" not "now".
>
>> >
> <snip>
>
>>
>> i repeat, it is no greater security. the only way it would be greater
>> security is if the passwords were not decrypted by gaim. it's not
>> even a valid lock. it's like saying you've locked something by using
>> rot13. you've made it harder for someone to accidentally see your
>> passwd yes, but no one's going to be accidentally seeing a .file in
>> your home directory. anyone who has the know-how to get to your
>> .gaimrc file would be able to get to the password.
>> luke
>
> and even then, it would still be a mostly false sense of security
> because gaim would still give you access to the change password
> option for the various protocols. so the attacker would still have
> access to your account itself, and your buddy lists by simply copying
> the .gaimrc file complete with encrypted passwords to a computer or
> account from which he or she can run gaim. keeping the passwords in
> plain text forces people who are security conscious, and thus are the
> people noticing that gaim has plain text passwords, to evaluate
> whether or not they want to be storing passwords (it IS an option) on
> a given computer PERIOD.
>
> and THAT is a greater security than allowing people to think they have
> secured things by having an encrypted .gaimrc that anyone with half a
> brain can work around.
>
> luke
>
> --
> -This email is made of 100% recycled electrons.

--
Crypto Doesn't Kill - People Do.

From: Christian H. <ch...@gn...> - 2002-07-27 00:39:53
On Fri, Jul 26, 2002 at 05:27:27PM -0700, Morgan Collins [Ax0n] wrote:
>
> I think that if you encrypted the password, it would be wise to require
> the user to enter their previous password before changing their password
> anyways.

Except that gaim would have to be able to decrypt them before logging
in. This would require that an encryption scheme be used that provides
for decrypting. However, this is no different than, say, reversing the
characters in the password. Anybody could just get to it anyway, by
simply decrypting it.

Now you could encrypt the entire .gaimrc file and ask for a password
on startup, but guess what? You would then need to store THAT password
somewhere, and suddenly you run into the exact same problem.

Bottom line: There is no method that will provide the (false) security
that people are looking for. The most secure thing you can do is to
chmod 600 ~/.gaimrc, and last I checked, that happens automatically.

Christian

--
Christian Hammond <> The GNUpdate Project
ch...@gn... <> http://www.gnupdate.org/
Some people have a way with words, while others.. erm... thingy.

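An added example, not part of the original thread and not Gaim's own code: one way an application can make the `chmod 600` mentioned above happen automatically at save time, together with an audit check for a file that already exists. The function names and the `gaimrc.example` path are hypothetical; the code assumes a POSIX system.

```c
#ifndef _POSIX_C_SOURCE
#define _POSIX_C_SOURCE 200809L   /* lstat, fchmod, O_NOFOLLOW */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <unistd.h>

/* Audit: 0 if path is a regular file owned by the caller with no group or
 * other permission bits; -1 if missing, a symlink, foreign-owned or loose. */
int config_is_private(const char *path)
{
    struct stat st;
    if (lstat(path, &st) != 0) return -1;   /* lstat: never follow a symlink */
    if (!S_ISREG(st.st_mode) || st.st_uid != geteuid()) return -1;
    return (st.st_mode & (S_IRWXG | S_IRWXO)) ? -1 : 0;
}

/* Save: the file is never wider than 0600 at creation, whatever the umask,
 * and fchmod tightens a pre-existing file before any secret is written. */
int write_private_config(const char *path, const char *data)
{
    size_t len = strlen(data);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC | O_NOFOLLOW, 0600);
    if (fd < 0) return -1;
    if (fchmod(fd, S_IRUSR | S_IWUSR) != 0) { close(fd); return -1; }
    ssize_t n = write(fd, data, len);
    if (close(fd) != 0 || n != (ssize_t)len) return -1;
    return 0;
}

int main(void)
{
    const char *path = "gaimrc.example";    /* constructed stand-in for ~/.gaimrc */
    umask(0);                               /* worst case: umask gives no help */
    if (write_private_config(path, "password = constructed-sample\n") != 0) return 1;
    printf("after save:      %s\n", config_is_private(path) == 0 ? "private" : "EXPOSED");
    chmod(path, 0644);                      /* simulate a loosened file */
    printf("after chmod 644: %s\n", config_is_private(path) == 0 ? "private" : "EXPOSED");
    write_private_config(path, "password = constructed-sample\n");
    printf("after re-save:   %s\n", config_is_private(path) == 0 ? "private" : "EXPOSED");
    unlink(path);
    return 0;
}
```

This only keeps other local accounts out of the file; as the thread points out, anyone who can read it as the owning user gets the stored password either way.
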
From: Luke S. <lsc...@re...> - 2002-07-27 00:52:20
On Fri, Jul 26, 2002 at 05:39:46PM -0700, Christian Hammond wrote:
> On Fri, Jul 26, 2002 at 05:27:27PM -0700, Morgan Collins [Ax0n] wrote:
> >
> > I think that if you encrypted the password, it would be wise to require
> > the user to enter their previous password before changing their password
> > anyways.
>
> Except that gaim would have to be able to decrypt them before logging
> in. This would require that an encryption scheme be used that provides
> for decrypting. However, this is no different than, say, reversing the
> characters in the password. Anybody could just get to it anyway, by
> simply decrypting it.
>
> Now you could encrypt the entire .gaimrc file and ask for a password
> on startup, but guess what? You would then need to store THAT password
> somewhere, and suddenly you run into the exact same problem.
>
> Bottom line: There is no method that will provide the (false) security
> that people are looking for. The most secure thing you can do is to
> chmod 600 ~/.gaimrc, and last I checked, that happens automatically.

actually, that's second most secure Christian ;-). Most secure would be
taking the DEFAULT (emphasis added for other listeners) option NOT to
save the password.

luke

>
> Christian
>
> --
> Christian Hammond <> The GNUpdate Project
> ch...@gn... <> http://www.gnupdate.org/
> Some people have a way with words, while others.. erm... thingy.

--
-This email is made of 100% recycled electrons.
-If something can go wrong.... FIX IT! If it's Microsoft...delete it.
-There are three ways to get something done:
 (1) Do it yourself.
 (2) Hire someone to do it for you.
 (3) Forbid your kids to do it.

From: Christian H. <ch...@gn...> - 2002-07-27 00:56:47
On Fri, Jul 26, 2002 at 08:52:04PM -0400, Luke Schierer wrote:
> actually, that's second most secure Christian ;-). Most secure would be
> taking the DEFAULT (emphasis added for other listeners) option NOT to
> save the password.
> luke

Yes, good point.

--
Christian Hammond <> The GNUpdate Project
ch...@gn... <> http://www.gnupdate.org/
Cleaning your house while your kids are still growing is like
shoveling the walk before it stops snowing.
 -- Phyllis Diller