Changes between Version 6 and Version 7 of PlainTextPasswords

Timestamp:

Jun 26, 2007, 5:46:40 PM (17 years ago)

Author:

John Bailey

Comment:

A few tweaks. The long list drives the point home better than a long paragraph.

PlainTextPasswords

@@ -1 +1 @@
 = Plain Text Passwords =
 
-Purple does not now and is not likely to encrypt the passwords in the 
-{{{accounts.xml}}} file, nor is it likely to be encrypted in a 
-future release. This is somewhat controversial in Windows, especially Windows 
-98 due to its weak file protections, but that's the way things are.
+Purple does not now and is not likely to encrypt the passwords in the {{{accounts.xml}}} file, nor is it likely to be encrypted in a future release. This is somewhat controversial in Windows, especially Windows 98 due to its weak file protections, but that's the way things are.
 
 The reasoning for this is multi-part.
 
-Instant messaging is not very secure, and it's kind of pointless to 
-spend a lot of time adding protections onto the fairly strong file 
-protections of UNIX (our native platform) when the protocols themselves 
-aren't all that secure.  The way to truly know who you are talking to is 
-to use an encryption plugin on both ends (such as OTR or 
-gaim-encryption), and use verified GPG keys.  Secondly, you shouldn't be 
-using your instant messaging password for anything else.  While 
-some protocols have decent password security, others are insufficient 
-and some (like IRC) don't have any at all.
+Instant messaging is not very secure, and it's kind of pointless to spend a lot of time adding protections onto the fairly strong file protections of UNIX (our native platform) when the protocols themselves aren't all that secure.  The way to truly know who you are talking to is to use an encryption plugin on both ends (such as OTR or gaim-encryption), and use verified GPG keys.  Secondly, you shouldn't be using your instant messaging password for anything else.  While some protocols have decent password security, others are insufficient and some (like IRC) don't have any at all.
 
 There are basically four approaches to password storage.[[BR]]
 
- * '''Store a password(s) behind a password.''' Basically this means that we require you to type in some passphrase as Purple starts in order to read the {{{accounts.xml}}} file, and, to be truly secure, require you to type it again if you write to it. Winicq does something very similar to this if you set it to its highest security settings.
- * '''Obscure a password.''' This means we do something to store the password in some format other than plain text, but we automatically convert it for you.  This is security by obscurity, and is a Very Bad Thing^TM^ in that it gives users a false sense of security.  A false sense that we (Purple developers) believe would be worse to have than to let informed users deal with the password issue themselves.  Consider that a naive user might think that it is safe to share his or her accounts.xml, because the passwords are "encrypted".[[BR]]
- * '''Store the password in plain text and control access to the file.''' This is what Purple does: the password is in {{{accounts.xml}}} in plain text, but the file itself is only readable by its owner.  We allow the user to determine under what conditions sensitive files should be opened (if at all), and what constitutes a breach of security.
+ * '''Store a password(s) behind a password.''' Basically this means that we require you to type in some passphrase as Pidgin or Finch starts in order to read the {{{accounts.xml}}} file, and, to be truly secure, require you to type it again if you write to it. Windows ICQ does something very similar to this if you set it to its highest security settings.
+ * '''Obscure a password.''' This means we do something to store the password in some format other than plain text, but we automatically convert it for you.  This is security by obscurity, and is a Very Bad Thing^TM^ in that it gives users a false sense of security that we (Pidgin, Finch, and libpurple developers) believe would be worse to have than to let informed users deal with the password issue themselves.  Consider that a naive user might think that it is safe to share his or her accounts.xml, because the passwords are "encrypted".
+ * '''Store the password in plain text and control access to the file.''' This is what libpurple (and therefore Pidgin and Finch) does: the password is in {{{accounts.xml}}} in plain text, but the file itself is only readable by its owner.  We allow the user to determine under what conditions sensitive files should be opened (if at all), and what constitutes a breach of security.
  * '''Lastly, you can not store passwords at all.''' This is Purple's default, and by far the most secure of all of the options.
 
-If you really wanted to, you could write a script to wrap Purple that 
-would decrypt {{{accounts.xml}}} and re-encrypt it when Purple exits.
-You wouldn't be able to encrypt it while Purple is running,  because Purple 
-writes to {{{accounts.xml}}} for things like info change.  This would 
-minimize your exposure time unless (like me) you run Purple nearly 24/7. 
-Personally, I feel that on any decent operating system, if someone can get to 
-your files you should either be able to trust the person to not touch 
-them, or you shouldn't be storing sensitive information there at all.
+If you really wanted to, you could write a script to wrap Pidgin or Finch that would decrypt {{{accounts.xml}}} and re-encrypt it when the application exits. You wouldn't be able to encrypt it while they are running,  because libpurple clients write to {{{accounts.xml}}} for things like info change.  This would minimize your exposure time unless (like me) you run Pidgin nearly 24/7. Personally, I feel that on any decent operating system, if someone can get to your files you should either be able to trust the person to not touch them, or you shouldn't be storing sensitive information there at all.
 
 == "But other programs don't store my password in plain text!" ==
@@ -38 +20 @@
 That's true. But few of them store it in a way that's any safer. A Google search for [http://www.google.com/search?q=im+passwords "im passwords"] shows a bunch of hits for getting the passwords out of other IM clients just as easily as Pidgin.
 
-The very first link is a clear indication that none of:
-
-ICQ and ICQLite, AOL Instant Messenger and AIM Triton, AIM Pro, Yahoo! Messenger, Excite Messenger, MSN Messenger, Windows Live Messenger, Microsoft Office Communicator 2005, Google Talk, Odigo, Trillian, AT&T IM Anywhere, T-Online Messenger, Match Messenger, Praize IM, ScreenFIRE, ACD Express Comunicator, Imici Messenger, Prodigy IM, PowWow Messenger, Jabber IM, Kellster IM, PalTalk, Indiatimes messenger, Miranda, Tiscali, Ya.com Messenger, Rediff Bol, Sify Buzz, Devil, Tencent QQ, QQ (Africa Version), &RQ, Ipswitch Instant Messenger, Eighth Wonder Catax, Simple Instant Messenger, Vista IM, GAIM, Global-IM, Psi Jabber client, Messenger2, Picasa Hello, iWon, Blowsearch, MessageMate, Meca Messenger, Qnext, Bubbler (Five Across), InterComm IM (Five Across), Easy Message, QIP, Gizmo, MySpace IM, Exodus, Gadu-Gadu, Mail.Ru Agent, ScatterChat, Just Another Jabber Client, Maple Messenger, Pandion, IMVITE Messenger, Oyco Messenger.
-
-provide any sort of real password security.
+The very first link is a clear indication that '''''__none__''''' of these IM applications provide any sort of real password security:
+ * ICQ and ICQLite
+ * AOL Instant Messenger and AIM Triton
+ * AIM Pro
+ * Yahoo! Messenger
+ * Excite Messenger
+ * MSN Messenger and Windows Live Messenger
+ * Microsoft Office Communicator 2005
+ * Google Talk
+ * Odigo
+ * Trillian
+ * AT&T IM Anywhere
+ * T-Online Messenger
+ * Match Messenger
+ * Praize IM
+ * ScreenFIRE
+ * ACD Express Comunicator
+ * Imici Messenger
+ * Prodigy IM
+ * !PowWow Messenger
+ * Jabber IM
+ * Kellster IM
+ * !PalTalk
+ * Indiatimes Messenger
+ * Miranda
+ * Tiscali
+ * Ya.com Messenger
+ * Rediff Bol
+ * Sify Buzz
+ * Devil
+ * Tencent QQ and QQ (Africa Version)
+ * &RQ
+ * Ipswitch Instant Messenger
+ * Eighth Wonder Catax
+ * Simple Instant Messenger
+ * Vista IM
+ * GAIM
+ * Global-IM
+ * Psi Jabber client
+ * Messenger2
+ * Picasa Hello
+ * iWon
+ * Blowsearch
+ * !MessageMate
+ * Meca Messenger
+ * Qnext
+ * Bubbler (Five Across)
+ * !InterComm IM (Five Across)
+ * Easy Message
+ * QIP
+ * Gizmo
+ * !MySpace IM
+ * Exodus
+ * Gadu-Gadu
+ * Mail.Ru Agent
+ * !ScatterChat
+ * Just Another Jabber Client
+ * Maple Messenger
+ * Pandion
+ * IMVITE Messenger
+ * Oyco Messenger.
 
 == "But surely something is better than nothing, right?" ==
@@ -54 +92 @@
 When people propose inefficient security, it's because they prefer a false sense of security to a false sense of insecurity. File systems, in general, do a very good job of keeping your information private. For most people, there is no insecurity inherent in plain-text passwords. There's only the perception that, because they can read their passwords with ease, that perhaps others can too. Obfuscated passwords are no more secure than plain text; they can be read, about just as easily with the aid of certain programs. It provides a false perception of security.
 
-We're 100% fine with people having false perceptions of how insecurely Pidgin handles your passwords. We are not ok with sacrificing actual security for false security.
+We're 100% fine with people having false perceptions of how insecurely Pidgin handles your passwords. We are not, however, fine with sacrificing actual security for false security.
 
 == "Is that the final word?" ==