Context Navigation

Changes between Version 11 and Version 12 of PlainTextPasswords

Timestamp:: Sep 28, 2008, 6:09:19 PM (15 years ago)
Author:: petr.bug
Comment:: results from IRC chat with elb, Err and me around 16:55 UTC

Legend:

: Unmodified
: Added
: Removed
: Modified

PlainTextPasswords

-                      v11
+                      v12
 If someone were to do this in a way that worked well, securely, and seamlessly to the user, without interfering with people who prefer to trust their file system's security, we'd gladly accept it.
 == Summer of Code ==
+== Desktop keyring ==
+There is currently a SoC [http://developer.pidgin.im/wiki/GSoC2008/MasterPassword project] going on about this topic.
+There is currently a Google Summer of Code [http://developer.pidgin.im/wiki/GSoC2008/MasterPassword project] going on about this topic.
+== DIGEST-MD5 in Jabber/XMPP ==
+[http://www.xmpp.org/rfcs/rfc3920.html#security-mandatory RFC 3920] requires that Jabber/XMPP servers implement SASL DIGEST‑MD5 authentication method. This allows clients (and servers) to not store the password in plain-text but instead store cryptographic hash (MD5) of user name, domain and password. If the password is strong this makes nearly impossible for an attacker to recover the password.
+Following downsides remain:
+- If accounts.xml is revealed, the attacker is still able to login to the Jabber account (but not to, say, email account, even if they had the same password)
+- User may by fooled in to believing accounts.xml does not contain sensitive information and give the file out. (If the password is weak it can be recovered from the hash)
+- When server stops supporting DIGEST‑MD5 authentication (but still provide other password-based), Pidgin will have to ask for password.
+Currently (as of 2008) Pidgin does not store the hash. elb: "I would accept a good patch to implement that"