36 comments

[ 5.0 ms ] story [ 93.4 ms ] thread
Does pidgin still save your password in plain text (or base64-ized) in a configuration file in your home? I haven't used them in years because of this, and we also banned it in our company to avoid mistakes.
yes, they are still using the plain text passwords

"Purple does not now and is not likely to encrypt the passwords in the accounts.xml file, nor is it likely to be encrypted in a future release. "

There is a plugin called "Windows Credentials", which according to the description uses Windows credentials instead of saving the passwords as plaintext.

I am unfortunately not exactly aware of what this means in practice, but I doubt it is worse than the default behaviour. But for Windows only, one could assume.

The file it saves your password in is only readable by you.

Pidgin needs to supply the plaintext password to the server to authenticate.

libpurple saving passwords in plain text is the correct decision. If it did encrypt them, it would also have to hold the key, so it would only add a false sense of security.

The only improvement would be a hardware-backed secret storage mechanism, but those aren't exactly ubiquitous.

It isn't. The correct decision would be to save the password in the operating system keychain, like Empathy does (or Messages on Mac, or name any others). Browsers also use keychains. On Windows, you can use the Crypto API to obtain an intermediate level of security.
>> Browsers also use keychains

Google will disagree with you: chrome://settings/passwords

I'm still required to unlock my keychain to view the passwords (on OS X).
That's not disagreement. Those passwords are stored in the keychain.
They're not the only options, passphrase encrypted local password storage is an option. That's no false sense of security.
Firefox can store passwords using a master key to unlock it, yet that master key is stored securely (via hashing).

libpurple/Pidgin could absolutely provide a more secure alternative by either using an OS keyring, or following Firefox's approach and requiring the user to type in a master password every time they start the client.

FWIW, Firefox doesn't do it by default, the option to enable it is not prominent, and when you do enable it the UX is pretty bad. IIRC usage stats is way below 1% of users.
>>$SOFTWARE_NAME saving passwords in plain text is the correct decision.

Is there any situation where this sentence would be true?

No, it isn't. It's a very very bad security mistake, and I honestly thought it was obvious to most people by now (it used to be "debatable" 6-10 years ago).

People disagreeing tend to reply with blanket sentences like "if there is a process reading the files owned by you on your computer, you're already doomed", ignoring that security is made always made by layered levels, it's not an black/white issue. A file on disk could for instance end up in an unencrypted backup that goes into a server which is then exploited; it could be in a VM where you cannot control the supervisors. It might be end up being mailed to yourself for mistake while migrating computers (I know many people who do it), and thus being stored on remote servers; you might be running on a NFS-based deployment where you don't want to necessarily trust all present and future sysadmins with your personal passwords.

What's worse is that there is an alternative, safe solution to this which is using the operating system keyring, which stores passwords fully encrypted, and also enforces per-software / per-process ACLs ("app X wants to access your password for Y, do you want to allow?"). Pidgin (and other multi-platform software) tends to be resisting to this because it requires even more OS-specific code to be added and tested.

Some protocols use OAuth, such as Twitter.
Yes it still does. It's stupid and and I don't know why they didn't fix it. :(
Pidgin is great. I have all my services hooked up to it: Aim/FB(when i had it)/Multiple Steam accounts/GTalk etc. Really great light weight chat client. Just wish there was a way to get Skype contacts on it.
There actually is a way, you can use Skype4Pidgin. However this requires you to have skype running, but you are able to chat with your skype contacts through Pidgin. I do have to note that I've used this with Finch (also uses the purple library) and I've had one incident that I was talking to one person and one of my messages was mysteriously sent to a group chat instead of that one person. I've only had that happen to me once and I've not had that with Pidgin.

Here's the link: http://code.google.com/p/skype4pidgin/

Whatever happened to Steve Ballmer screaming about developers?

Unfortunately it seems like over the years, companies have been providing fewer and fewer hooks into their products and services for developers to take advantage of.

Not that it ever worked properly. For me it was randomly dropping messages.
will this work on adium?
Yea, those of us on OS X need something like this
it works, but someone has to compile a plugin for it..
This is awesome! Must have taken a fair bit of hacking to get working, given WhatsApp's policies.

Does anyone know if there are mobile apps based on Pidgin? Pidgin/Purple solved the multi-chat-client problem so well for the desktop, I'd love it to do the same on mobile.

It would be nice if Whatsapp, which is so popular, would help make its users a lot more secure by adopting end-to-end encryption, perhaps like what TextSecure v2 is using.

Getting people to use services with proper encryption is going to be a very slow process unless we convince/pressure the big ones to do it.

But you can't make any money with encrypted data.
So like Telegram, which is basically the same app but nobody uses it? (http://telegram.org/)
Wow, this sounds awesome. I hope it becomes popular :)
"Very secure. We are based on a new protocol, MTProto, built by our own specialists from scratch, with security in mind."

I do not think that is such a great idea. I still vote Threema: https://threema.ch/