Storing passwords in Pidgin IM
I recently learned that account passwords stored in Pidgin are located in the xml file and are not encrypted.
In Windows XP, the path to this file will be as follows: C: \ Documents and Settings \ [UserName] \ Application Data \ .purple \ accounts.xml
In Ubuntu - /home/[UserName_/.purple/accounts.xml
')
What it looks like:
In my opinion it is:
1) it is not safe for users of FAT32 / Win95 / 98 (are there any such? :-)), because FAT32 does not implement almost any restriction on access to files. This way, anyone who can access the computer can also access the saved passwords.
2) It is less dangerous in NTFS / WinXP / Vista - for example, I have the following rights on this file by default: full access for Administrators, me and System. That is, anyone who can access the computer with administrator privileges will be able to access the saved passwords. Given that I always work under the administrator, and taking into account the number of vulnerabilities in Windows, for me it is probably just as unsafe as in the first paragraph.
3) The least dangerous thing is in Linux, because this file is located in the home folder, access to which is allowed, by default, only to the owner of this folder.
How do you think how serious is the fact that passwords are not encrypted and anyone can read them? Should I change the IM client (although I do not think that the situation is radically different in other clients)? Or just do not save passwords? True, the latter is somewhat inconvenient.
Yes, and, of course, I did not discover America, all this has long been known. Pidgin’s developer opinion is that open passwords are no more dangerous than any other saved passwords. And while they are not going to implement any password encryption in Pidgin.
In Windows XP, the path to this file will be as follows: C: \ Documents and Settings \ [UserName] \ Application Data \ .purple \ accounts.xml
In Ubuntu - /home/[UserName_/.purple/accounts.xml
')
What it looks like:
In my opinion it is:
1) it is not safe for users of FAT32 / Win95 / 98 (are there any such? :-)), because FAT32 does not implement almost any restriction on access to files. This way, anyone who can access the computer can also access the saved passwords.
2) It is less dangerous in NTFS / WinXP / Vista - for example, I have the following rights on this file by default: full access for Administrators, me and System. That is, anyone who can access the computer with administrator privileges will be able to access the saved passwords. Given that I always work under the administrator, and taking into account the number of vulnerabilities in Windows, for me it is probably just as unsafe as in the first paragraph.
3) The least dangerous thing is in Linux, because this file is located in the home folder, access to which is allowed, by default, only to the owner of this folder.
How do you think how serious is the fact that passwords are not encrypted and anyone can read them? Should I change the IM client (although I do not think that the situation is radically different in other clients)? Or just do not save passwords? True, the latter is somewhat inconvenient.
Yes, and, of course, I did not discover America, all this has long been known. Pidgin’s developer opinion is that open passwords are no more dangerous than any other saved passwords. And while they are not going to implement any password encryption in Pidgin.
Source: https://habr.com/ru/post/67385/
All Articles