Jaffa
Posts: 2,535 | Thanked: 6,681 times | Joined on Mar 2008 @ UK
#134
Originally Posted by ndi
And no, a one-liner is not enough security. There has to be something that is not one-liner in the terminal. A modified ROT13 would be just fine, thanks. ROT15? Don't know. But there is no ROT15 implemented in any language, you need to write one and that takes a minute on the N900 kbd.
Well, let's assume a 15-place rotation cypher; how about the following (proof-of-concept, only deals with capitals):

Encode ("ROT15"):
Code:
tr 'A-Z' 'P-ZA-O' < .rtcom-accounts/accounts.cfg
Decode ("ROT-15"):
Code:
tr 'P-ZA-O' 'A-Z' < .rtcom-accounts/accounts.cfg
I have the time to see him typing furiously in the terminal and look over the shoulder.
But you won't notice him Googling "maemo 5 im password decrypt" and copy & pasting the result? Or are you expecting whomever you lend your device to have memorised the file:// URL?

Do you trust them not to ring up a premium-rate sex line, which they could also do and cost you actual physical money?

Also, it's not immediately obvious that it's a ROT15 and not ROT16 or similar, making the scanning source harder to write.
The point is that "no-one" knew the name of the file until it was posted here and on the bug report. Why do you think ROTx security-by-obscurity is any better than putting-the-file-somewhere-obscure security-by-obscurity?
__________________
Andrew Flegg -- mailto:andrew@bleb.org | http://www.bleb.org
 

The Following 3 Users Say Thank You to Jaffa For This Useful Post:
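
An added example, not part of Jaffa's post: the rotation from the thread generalised to any N and both letter cases, plus a check showing that the choice of N (ROT15 versus ROT16) is not a secret, because only 26 rotations exist. The sample line and the field name `password` are constructed for illustration and are not the real accounts.cfg layout.

```shell
#!/bin/sh
# Added example: a ROT-N scheme over letters has only 26 possible keys,
# so hiding which N was used gives stored credentials no real protection.
UP=ABCDEFGHIJKLMNOPQRSTUVWXYZ
LO=abcdefghijklmnopqrstuvwxyz

# rot N: rotate letters read from stdin by N places (upper and lower case).
# "rot 15" matches the post's tr 'A-Z' 'P-ZA-O' for capitals.
rot() {
    n=$(( ($1 % 26 + 26) % 26 ))
    # Slice a 26-letter window out of the doubled alphabet, starting at N.
    u=$(printf '%s' "$UP$UP" | cut -c"$((n + 1))-$((n + 26))")
    l=$(printf '%s' "$LO$LO" | cut -c"$((n + 1))-$((n + 26))")
    tr "$UP$LO" "$u$l"
}

# find_shift TEXT WORD: print the N for which undoing ROT-N on TEXT gives
# output containing WORD (a field name expected in the file). Returns 1 if
# no rotation matches.
find_shift() {
    i=0
    while [ "$i" -lt 26 ]; do
        if printf '%s\n' "$1" | rot "$((26 - i))" | grep -q -F -- "$2"; then
            echo "$i"
            return 0
        fi
        i=$((i + 1))
    done
    return 1
}

# Constructed sample line (hypothetical field name and value).
SAMPLE='password=CorrectHorse'

enc=$(printf '%s\n' "$SAMPLE" | rot 15)
echo "obfuscated: $enc"
echo "rotation recovered without being told: $(find_shift "$enc" password)"
```

Real protection for a credentials file comes from a key the holder of the device does not automatically have, not from the encoding step.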