Re: plain txt passwords in .purple folder
On 09/28/2011 07:24 AM, Rob Dunn wrote:
> Here's my tip - don't store your password in Pidgin, just have it prompt you
> every time. But, not everyone will follow this rule (knowing users).
>
> As an aside, it would be nice if there was a plugin developed for pidgin that
> would disallow password storage...or is there something that can be done to
> facilitate an 'always prompt' action?

As per that Wiki document, Pidgin defaults to not storing passwords. You have to manually check the box to cause it to happen.

There is a branch on MTN which enables pidgin to use one of a couple existing keyring systems to store passwords. If this branch receives help to make it stable, then it can be merged. I would strongly encourage anyone interested to look into the state of that branch and submit patches to finish it.

Kevin

___
Support@pidgin.im mailing list
Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
RE: plain txt passwords in .purple folder
Here's my tip - don't store your password in Pidgin, just have it prompt you every time. But, not everyone will follow this rule (knowing users).

As an aside, it would be nice if there was a plugin developed for pidgin that would disallow password storage...or is there something that can be done to facilitate an 'always prompt' action?
Re: plain txt passwords in .purple folder
On Wednesday, September 28, 2011 at 05:15:18AM -0500, Kevin Stange wrote:
> On 09/28/2011 05:02 AM, James Monroe wrote:
> > Just a heads up your program stored all my passwords (for pidgin) in
> > plain txt in a file in the .purple directory.
>
> We are, of course, aware of this. Please read:
>
> http://developer.pidgin.im/wiki/PlainTextPasswords
>
> > them for nefarious purposes. hash/md5 or something for the love of all
> > things
> > holy.
>
> If we hash your username and password, we can only submit the hashes
> back to the server because hashes cannot be transformed back to original
> values. This means:
>
> 1) If the server accepts them, the hashes are still plain-text login info
> 2) You cannot login.
>
> What purpose would that serve?

Hello Kevin,

Maybe we could use GPG to crypt and store the clear text pw and the user needs a passphrase to unlock the storage, i.e. decrypt it with GPG again.

Thanks

matthias
-- 
Matthias Apitz
http://www.unixarea.de/
Re: plain txt passwords in .purple folder
James Monroe wrote:
> Just a heads up your program stored all my passwords (for pidgin) in plain
> txt in a file in the .purple directory.

The developers believe that anything else would give a false sense of security. http://developer.pidgin.im/wiki/PlainTextPasswords

> Needless to say I uninstalled and will never use again. Please fix this for
> the thousands of other people who don't know to check. Lines like
> ( user name: "actual user name") ( user password: " actual password!!")
> should not be appearing in professional programs unless you're writing them
> for nefarious purposes. hash/md5 or something for the love of all things

Hashing the passwords would make them unusable. Any saved password needs to be convertible to a form that is a valid credential for the target service. A one way function would make it unusable for that.

Reversible encryption by an open source program would be trivially breakable, unless you insisted on a master key that had to be entered every time the program was started.

-- 
David Woolley
Emails are not formal business letters, whatever businesses may want. RFC1855 says there should be an address here, but, in a world of spam, that is no longer good advice, as archive address hiding may not work.
Re: plain txt passwords in .purple folder
On 09/28/2011 05:02 AM, James Monroe wrote:
> Just a heads up your program stored all my passwords (for pidgin) in
> plain txt in a file in the .purple directory.

We are, of course, aware of this. Please read:

http://developer.pidgin.im/wiki/PlainTextPasswords

> them for nefarious purposes. hash/md5 or something for the love of all
> things
> holy.

If we hash your username and password, we can only submit the hashes back to the server because hashes cannot be transformed back to original values. This means:

1) If the server accepts them, the hashes are still plain-text login info
2) You cannot login.

What purpose would that serve?

Kevin
plain txt passwords in .purple folder
Just a heads up your program stored all my passwords (for pidgin) in plain txt in a file in the .purple directory.

Needless to say I uninstalled and will never use again. Please fix this for the thousands of other people who don't know to check.

Lines like ( user name: "actual user name") ( user password: " actual password!!") should not be appearing in professional programs unless you're writing them for nefarious purposes. hash/md5 or something for the love of all things holy.

Good Luck,
-Dave
Re: connectivity problem with pidgin
BBB wrote:
> "bigbadbabar disabled. You have been connecting and disconnecting too
> frequently. Wait ten minutes and try again. If you continue to try, you will
> need to wait even longer."

Why do you believe the error message (which comes from AOL, not from Pidgin) is incorrect?

-- 
David Woolley