Posts: 455 | Thanked: 782 times | Joined on Nov 2009 @ Netherlands
#99
Originally Posted by SubCore View Post
I created the Skype account only 2 days ago (with PR 1.1); the MSN account is older, created with PR 1.0.
The MSN password is stored in plaintext in accounts.cfg, but Skype's password is NOT stored there at all.

I'm gonna recreate the MSN account in the evening when I get home; maybe someone else can try sooner.
I deleted Skype and one of my Gtalk accounts, then re-added them, and they are correctly and openly written to ~/.rtcom-accounts/accounts.cfg

I see no change in that behavior between PR1.0 and PR1.1. Haven't tried backing it up, though, but I guess the result would be the same.

Originally Posted by slender View Post
I know where to find it and I have no idea how to encrypt that kind of encryption. You probably have too high expectations about fellow citizens, or I'm just below your standard of the average man. Prepare for disappointments with people and living in a world where all the other people seem to be a bit stupid. Hey, I just described the world view of a normal Linux "guru" :P
It has nothing to do with high expectations. I'm perfectly aware that an average Joe barely knows what a computer is, let alone how and where it stores files. However, as many people have noted, providing a base64 encoding or something equally trivial would not give anyone any more security: what's the difference if the file containing passwords has `cGFzc3dvcmQ=` instead of `password`? It's the same f. thing!

If you know where to find the file, you've probably found that out in one of the following ways:
1) You are tech-savvy and you know where some application stores its files. In that case, you already know how it stores them, and how to decode possibly encoded passwords.
2) You found it on the internet (for example in this thread). If the files were encoded using base64 (or something as trivial as b64) instead of plain text, this thread would already have step-by-step instructions on how to deobfuscate those passwords, so you'd still get the passwords with one additional step.
3) You were browsing through someone's device long enough, checking each file, and suddenly came across a file that stored account data. If the passwords were plain text, you'd know them immediately; if they weren't, chances are that with a simple Google search for that file you'd find a thread/blog/whatever that explains how to extract the passwords.

In all three possible cases, passwords are not any safer stored with a trivial, reversible encoding than in plain text. But knowing that your passwords are not safely stored is actually a better thing than having a false sense of security: this way you won't be giving your device to anyone that easily, and you'll know the risks involved.

Originally Posted by joelus View Post
I don't think it's invalid at all. I would at least like the option of being asked for my password every time I log into a service rather than having it stored in plain text.
I mean, once I'm logged in, I won't need to type it again until I disconnect or log out?
That is a perfectly good solution for the paranoid. And that should be set as an enhancement requirement. The whole argument here is that stored passwords in a trivial encoding are not any safer than those in plain text. If someone wants real encryption, that's a perfectly valid request, but they should be prepared to give up the convenience of password-less auto-login.

Originally Posted by Aranel View Post
Mostly, they just google it, find some command (like "cat /home/user/.westorepasswordshere") and will try to get your pw that way, which is really easy; even your mom can do it.
And how would that be any different from, as Jaffa already noted, a slightly different copy/paste command if the file were base64 encoded:

Code:
perl -MMIME::Base64 -pe '$_ = decode_base64($_)' .rt-accounts/accounts.cfg

Last edited by zwer; 2010-01-18 at 14:42.
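To make the "one additional step" point concrete, here is an added shell example (not code from the thread or from the Maemo accounts code). It writes a constructed accounts.cfg-style file in which one password is stored in plain text and one is "protected" with base64, then recovers both. The key=value-under-[section] layout, the `param-password` key name and the `b64:` prefix are assumptions for the sake of illustration, and the passwords are made up.

```shell
#!/bin/sh
# Added example: base64 "obfuscation" vs plain text in an accounts file.
# Both the layout below and the b64: prefix are assumptions; the passwords are fake.
set -eu

# Write a constructed sample config. One account stores its password as-is,
# the other stores it base64-encoded (the imagined "improvement").
make_sample_cfg() {
    cat > "$1" <<'EOF'
[msn/user@example.com]
param-account=user@example.com
param-password=hunter2
[skype/someuser]
param-account=someuser
param-password=b64:aHVudGVyMg==
EOF
}

# Print every password in the file, one per line. For base64 values the
# only difference is one extra pipe stage; no secret is needed to reverse it.
dump_passwords() {
    grep '^param-password=' "$1" | cut -d= -f2- | while IFS= read -r val; do
        case "$val" in
            b64:*) printf '%s' "${val#b64:}" | base64 -d; echo ;;
            *)     printf '%s\n' "$val" ;;
        esac
    done
}

# Usage: build the sample, dump the passwords, clean up.
cfg=$(mktemp)
make_sample_cfg "$cfg"
dump_passwords "$cfg"
rm -f "$cfg"
```

Both lines of output are `hunter2`: the encoded entry costs the attacker a `base64 -d`, which is exactly the copy/paste command the thread would carry. Anything that can be reversed without a secret the user supplies (a passphrase, a device PIN) is encoding, not protection.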