Pidgin stores account data in plaintext!

I was just looking for some configuration files in Pidgin's working directory ~/.purple/ and found this:

...
-rw------- 1 victor users  22939 Nov 23 19:34 accounts.xml
...

Well, I wouldn't have paid too much attention to that file if it had not contained this:

$ head accounts.xml 
<?xml version='1.0' encoding='UTF-8' ?>

<account version='1.0'>
        <account>
                <protocol>prpl-msn</protocol>
                <name>[email protected]</name>
                <password>**</password>
                <alias>v****</alias>
                <statuses>

...

Plaintext passwords? I couldn't believe it. So I searched Pidgin's wiki site for some entries justifying this (in)secure measure. And indeed I found one: http://developer.pidgin.im/wiki/PlainTextPasswords. However... Could somebody tell me what they mean by this one:

"We're 100% fine with people having false perceptions of how insecurely Pidgin handles your passwords. We are not, however, fine with sacrificing actual security for false security."


Published:
2009-11-23 00:00