#1 2007-03-08 19:20:58

Galdona
Member
Registered: 2006-03-15
Posts: 196

gaim with encrypted passwords

I'd always assumed that gaim stored passwords with encryption, so I was quite surprised to find that my passwords were in plain text in .gaim/accounts.xml.

Their explanation for this ( http://gaim.sourceforge.net/plaintextpasswords.php ) doesn't sound too... sound, either. They didn't really address all legit concerns, such as a person physically going to your computer and looking at your accounts.xml while you're taking a leak (just an example)

Anyway, I found this patch for gaim:
http://dooglus.rincevent.net/gaim/

I hope others are also interested!

#2 2007-03-08 20:49:49

Snowman
Developer/Forum Fellow
From: Montreal, Canada
Registered: 2004-08-20
Posts: 5,212

Re: gaim with encrypted passwords

You could file a feature request on the bug tracker. Maybe gaim's maintainer would be willing to use that patch for the official package.

#3 2007-03-08 20:53:24

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: gaim with encrypted passwords

If your computer is in a public area, you should be using a screen locker (Gnome or KDE screensaver, slock, xscreensaver, xlock) when you get up. Whether your IM passwords are encrypted is the least of your worries.

#4 2007-03-09 11:09:34

Galdona
Member
Registered: 2006-03-15
Posts: 196

Re: gaim with encrypted passwords

You're being somewhat ... irrelevant, skymt. I'm only concerned about gaim passwords in this thread. It's still a legitimate concern even if it's "the least of my worries".

#5 2007-03-09 18:38:08

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: gaim with encrypted passwords

Galdona wrote:

You're being somewhat ... irrelevant, skymt. I'm only concerned about gaim passwords in this thread. It's still a legitimate concern even if it's "the least of my worries".

It's not at all irrelevant. Most applications store passwords in plain text. Just set the permissions so only you can read the password files (the default), and lock your computer when you leave.

If someone breaks in remotely, the best encryption could do is obfuscate the passwords slightly. If Gaim just scrambles the password the same way every time, the attacker can read the source code to see how to reverse the process. If Gaim uses key-based (asymmetric) encryption, the attacker could just grab the key. Password-based (symmetric) wouldn't be any easier to use than just entering your IM password every time. Encryption can not solve this problem. It's the wrong tool for the job.

It's the same problem DRM systems have. You need to have the content and the key to unlock it in the same place for it to work. That means that if an attacker can get one, he can get the other.

Last edited by skymt (2007-03-09 22:28:00)
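
A defender-side check for the permissions point skymt makes above, added here as an example; it is not code from the thread or from gaim, and the accounts.xml layout and sample content are constructed assumptions:

```python
"""Audit a gaim-style accounts.xml: list accounts that carry a plaintext
<password> element and report whether anyone but the owner can read the file."""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET
# Constructed sample in the shape of ~/.gaim/accounts.xml (assumed layout).
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<accounts version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/Home</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</accounts>
"""

def accounts_with_stored_passwords(path):
    """Return (protocol, name) for every account whose password is on disk."""
    found = []
    for acct in ET.parse(path).getroot().iter("account"):
        if acct.find("password") is not None:
            found.append((acct.findtext("protocol", "?"), acct.findtext("name", "?")))
    return found

def readable_by_others(path):
    """True if group or world hold any permission bit on the file."""
    return bool(os.stat(path).st_mode & (stat.S_IRWXG | stat.S_IRWXO))

def audit(path, fix=False):
    """Report stored passwords and, with fix=True, tighten the mode to 0600."""
    exposed = accounts_with_stored_passwords(path)
    if fix and readable_by_others(path):
        os.chmod(path, stat.S_IRUSR | stat.S_IWUSR)
    return {"stored_passwords": exposed, "readable_by_others": readable_by_others(path)}

def demo():
    """Write the constructed sample with a loose mode, audit it, then fix it."""
    path = os.path.join(tempfile.mkdtemp(), "accounts.xml")
    with open(path, "w") as f:
        f.write(SAMPLE_ACCOUNTS_XML)
    os.chmod(path, 0o644)  # deliberately group/world readable
    return audit(path), audit(path, fix=True)

if __name__ == "__main__":
    print(demo())
```

Run it against a real ~/.gaim/accounts.xml with `audit(path, fix=True)` to confirm that nothing beyond the owner can read the stored passwords.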

#6 2007-03-09 22:11:07

iBertus
Member
From: Greenville, NC
Registered: 2004-11-04
Posts: 2,228

Re: gaim with encrypted passwords

@skymt: The issue with your argument is one of time. You have to assume that getting your password is more important to the hacker than his/her own time. Most likely this defense is targeted at someone like a roommate or hall mate in a college dorm. These people lack the skills/motivation to do any serious hacking but may grab your password as a practical joke if the password is stored in plain-text format. A simple scheme like this is not intended to stop the CIA from getting your password.

The same is true for the DRM argument. DRM is not intended to stop the most elite hackers from copying music/movies. Its primary purpose is to stop great uncle John from giving grandfather Bob a copy of that History Channel DVD series. For that purpose it is quite effective.

#7 2007-03-09 22:44:11

skymt
Member
Registered: 2006-11-27
Posts: 443

Re: gaim with encrypted passwords

That's a good point, iBertus. However, it seems like the people who would be deterred by encryption would also be deterred by the much simpler security measure of a screen locker. Locking your screen is also effective in preventing other computer pranks (taking a screenshot and using it as the desktop background, inserting joke auto-correct entries for common words in the word processor, etc).

It's basically a solution looking for a problem. I can't think of a case where the benefit of an encrypted password file outweighs the extra work, code, and bugs required to add it.

However, if you're dead set on the idea, the patch Galdona linked to looks like a pretty good solution. I wouldn't use it personally, as I try to avoid third-party patches.

#8 2007-03-27 11:09:46

stb
Member
Registered: 2007-03-13
Posts: 40

Re: gaim with encrypted passwords

OT: That reminds me of a task at work. A server which does data conversion had stored some plain text passwords in its configuration file (for non-interactive connection). Multiple persons had access to it. One day, some business man thought about making it "more secure" so that only a subset of the allowed persons can actually know the passwords. They wanted an encryption scheme to be implemented. I told 'em that it does not add any security but curiously they weren't able to hear me.
