In the last days, I was working in Beholder and faced the need to store SSH and Telnet passwords. I don’t even hesitated, one name came to my mind: Gnome Keyring. It’s easy, it’s secure and have Python binding, what was missing?! Know how to use it. Before we start bending, I’d like to discuss a little about how some applications store your passwords.
It’s common to find applications that stores passwords “incorrectly” and “insecurely”. It’s easy to find IM (Internet Messengers), e-mail and other clients that stores the user’s password in a hidden config file in the user’s home. Isn’t hard to find out that the passwords are in plain text. Some times this password config file receives a “little protection”, it’s applied a password to the password. This means that the password is obfuscated with a reversible algorithm by a “master password”. This isn’t correct! It gives us the felling of false security, they seem to be encrypted but aren’t! With a little brutal force is possible to unveil the user’s passwords.
A perfect example is Pidgin. The famous IM client stores your password at /home//.purple/accounts.xml. Don’t believe me?! Look here. Still don’t believe yeah? The pidgin development team spoke about it here. Let me quote the first paragraph:
Purple does not now and is not likely to encrypt the passwords in the accounts.xml file, nor is it likely to be encrypted in a future release. This is somewhat controversial in Windows, especially Windows 98 due to its weak file protections, but that’s the way things are.
So, because of a fault in Windows, all other users are affected. In my point of view, solve this problem is very simple: Protect the users when possible, if Windows don’t provide any means, keep it insecure. But the Pidgin Development Team made four suggestions:
Continue reading in my blog…