Yesterday afternoon I spent some time in the Lfcia talking to Miriam, and she told me about Gaim storing passwords in plain text. I had no idea of this before she told me, and that's why, as soon as I was warned about it, I took a look into my ~/.gaim directory and realized that my password really was stored, readable as-is, in the accounts.xml text file.
The reason my password was there is that I had checked the typical "Remember my password" checkbox when adding my IM accounts to gaim, with the sole purpose of not being bothered each time I log in to my accounts. Somebody could say at this point that the only real security would be not storing passwords at all (which is true, of course), but I think that if a program offers to do something like that for you, you should be able to trust it regarding how your password is going to be saved on disk (hopefully, in a secure way).
After thinking for a while, I googled a bit looking for information about this, and to see whether there's a plugin, a patch or something similar to fix this situation… and here is the final result of my search:
At this URL, the gaim developers say that gaim does not now encrypt the passwords in the accounts.xml file, and is not likely to do so in a future release either. "Strong statements!", I thought ;)… but, after all, I think their arguments are not so bad, except that they are not taking into account a common situation when using gaim that makes storing passwords in the accounts.xml file unsafe (even when that file is only readable by its owner): what about using gaim on a computer where you are not the superuser? That superuser could read your accounts.xml file even though nobody else could, and that doesn't seem like "pretty good privacy" :).
I know that the gaim developers would say that I shouldn't use this feature in such environments, but this means assuming gaim users know what's really happening when they save passwords, and this is not always true (just look at me :P). At least, I think showing an informative message warning the user about how his/her password is going to be stored would be a good thing in order to avoid this kind of surprise.
What do you think about it?
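If you want to check your own setup rather than take anyone's word for it, here is a small audit script. This is an added example, not gaim's own code: it parses an accounts.xml in the shape described above (the `<account>`, `<name>`, `<protocol>` and `<password>` element names are an assumption modelled on the file, so adjust them if your copy differs), reports which accounts carry a plaintext `<password>`, and also checks the mode bits of the file. Note that the mode-bit check only tells you about other unprivileged users; as the post says, root can read the file no matter what the bits say.

```python
"""Audit a gaim-style accounts.xml for plaintext passwords.

Added example, not gaim's own code.  The element names below are an
assumption modelled on the file the post describes.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the shape the post describes (an assumption).
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org</name>
    <password>hunter2</password>
    <remember-password>1</remember-password>
  </account>
  <account>
    <protocol>prpl-msn</protocol>
    <name>alice@example.com</name>
    <remember-password>0</remember-password>
  </account>
</account>
"""


def find_plaintext_passwords(xml_text):
    """Return (protocol, name) for every account that carries a non-empty <password>.

    The password value itself is deliberately not returned: an audit tool
    should report *that* a secret is exposed, not copy it somewhere else.
    """
    root = ET.fromstring(xml_text)
    exposed = []
    for acct in root.findall("account"):  # direct children only
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            exposed.append((acct.findtext("protocol", ""), acct.findtext("name", "")))
    return exposed


def readable_by_others(path):
    """True if group or other have the read bit (owner-only 0600 is the best case).

    Mode bits say nothing about the superuser, who can read the file regardless.
    """
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))


def write_sample(path=None):
    """Write the constructed sample to a temp file (0600) so the audit can run offline."""
    if path is None:
        fd, path = tempfile.mkstemp(suffix=".xml")
        os.close(fd)
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ACCOUNTS_XML)
    return path


def audit(path):
    with open(path, encoding="utf-8") as fh:
        exposed = find_plaintext_passwords(fh.read())
    return {"exposed": exposed, "readable_by_others": readable_by_others(path)}


if __name__ == "__main__":
    import sys

    path = sys.argv[1] if len(sys.argv) > 1 else os.path.expanduser("~/.gaim/accounts.xml")
    if not os.path.exists(path):
        path = write_sample()  # fall back to the constructed sample
    result = audit(path)
    for proto, name in result["exposed"]:
        print(f"plaintext password stored for {name} ({proto})")
    if result["readable_by_others"]:
        print(f"{path} is readable by group/others; consider chmod 600")
    if not result["exposed"]:
        print("no stored passwords found")
```

Run it with no argument to audit `~/.gaim/accounts.xml`, or pass another path; when the file is missing it audits the embedded sample instead, so the script is also usable as a quick self-check.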
Thanks for the gaim info; good to know. Storing passwords in plaintext is lame, period. Shame on those lazy developers!
But then, just about the only way to encrypt the password is to use yet another password (like the master password in Firefox, or any type of "keychain" product (I believe in Mac OS X it's the same password as your login password)). If it's some kind of built-in encryption (requiring no user input), it's even worse than storing the password in plaintext: the user, not seeing his password in plaintext, assumes that it's stored securely. However, a determined cracker can still get to the password, since if it requires no user input, the security must rely on the secrecy of the algorithm (not much security, especially in a program whose source is publicly available).
I'm sorry, but I don't agree with you. I think there are several ways to avoid this kind of surprise without using plain text files. For instance:
– Letting the user use their GnuPG key (if available) to encrypt the file, so only that user could open it. This could be a bit annoying, since you would always have to enter your GPG passphrase when opening Gaim, but at least you would only have to enter a password once per session… and it could be useful if you (like me) use several IM accounts.
– Letting the user define and use a new, ad-hoc "master password" (as is done in Mozilla) to encrypt that file. And if you don't want to be disturbed every time you open gaim, that password could be stored in a safe place outside gaim, for instance in gnome-keyring-manager.
– Using a "random" key, requiring no user input, which would be generated only once (the first time you create an account and check the 'remember my password' option, for instance). To avoid annoying the user, gnome-keyring-manager could also store that "random" key to be used in the future.
And of course, as I said before in my post, "at least, I think showing an informative message warning the user about how his/her password is going to be stored would be a good thing in order to avoid this kind of surprise".
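To make the second and third proposals concrete, here is a worked example of the "master password" design. It is an added example, not gaim code and not a proposal the gaim developers made. The key is derived from the master password with PBKDF2 and a per-entry random salt, and what lands in accounts.xml is a self-describing blob (salt, nonce, ciphertext, tag) from which the password cannot be recovered without the master password, so a superuser reading the file gets nothing useful. The third proposal ("random" key kept in the keyring) is the same blob with a random 32-byte key from the keyring in place of the PBKDF2 output. One caveat on the cipher: the Python standard library has no AEAD, so this example builds one from primitives it does have (an HMAC-SHA256 keystream in counter mode, with a separate HMAC-SHA256 tag over nonce and ciphertext, encrypt-then-MAC). In a real client you would use a standard AEAD such as AES-GCM from a crypto library instead; the structure is what the example is meant to show. The iteration count is an assumption to tune to your hardware.

```python
"""Master-password encryption of an IM password, stdlib only.

Added example, not gaim code.  The HMAC-SHA256 counter-mode keystream is a
stand-in for a proper AEAD (use AES-GCM from a real crypto library in
production); the data layout (salt, nonce, ciphertext, tag; no key on disk)
is the point.
"""
import base64
import hashlib
import hmac
import secrets

PBKDF2_ITERATIONS = 100_000  # assumption: raise it as far as your hardware allows


def derive_keys(master_password, salt):
    """One PBKDF2-HMAC-SHA256 call, split into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt,
                             PBKDF2_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def keystream(enc_key, nonce, length):
    """PRF-based keystream: HMAC(enc_key, nonce || counter) blocks, truncated to length."""
    out = b""
    counter = 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), "sha256").digest()
        counter += 1
    return out[:length]


def encrypt_password(plain_password, master_password):
    """Return a printable blob suitable for storing in accounts.xml."""
    salt = secrets.token_bytes(16)   # fresh per entry, so equal passwords differ on disk
    nonce = secrets.token_bytes(16)
    enc_key, mac_key = derive_keys(master_password, salt)
    pt = plain_password.encode("utf-8")
    ct = bytes(a ^ b for a, b in zip(pt, keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, nonce + ct, "sha256").digest()  # encrypt-then-MAC
    return "v1$" + "$".join(base64.b64encode(x).decode("ascii") for x in (salt, nonce, ct, tag))


def decrypt_password(blob, master_password):
    """Recover the password, or raise ValueError on a wrong password or tampered blob."""
    version, s, n, c, t = blob.split("$")
    if version != "v1":
        raise ValueError("unknown blob version")
    salt, nonce, ct, tag = (base64.b64decode(x) for x in (s, n, c, t))
    enc_key, mac_key = derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ct, "sha256").digest()
    if not hmac.compare_digest(expected, tag):  # constant-time comparison
        raise ValueError("authentication failed: wrong master password or tampered data")
    pt = bytes(a ^ b for a, b in zip(ct, keystream(enc_key, nonce, len(ct))))
    return pt.decode("utf-8")


def wrong_password_rejected(blob, wrong_master_password):
    """True if decryption with the given (wrong) master password is refused."""
    try:
        decrypt_password(blob, wrong_master_password)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    blob = encrypt_password("hunter2", "correct horse battery staple")
    print("stored in accounts.xml:", blob)
    print("recovered:", decrypt_password(blob, "correct horse battery staple"))
    print("wrong password refused:", wrong_password_rejected(blob, "guess"))
```

The "random key in the keyring" variant is the same code with `derive_keys` replaced by splitting a keyring-held 64-byte secret; either way nothing in accounts.xml lets a reader, root included, recover the password.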