On Fri, Jul 25, 2008 at 03:52:17AM +0200, v4hn wrote:
> On Fri, Jul 25, 2008 at 12:51:38AM +0200, transacid wrote:
> > 2008/7/24 Tiger!P <[EMAIL PROTECTED]>:

[cut]

> > > I would suggest that we could create a config option that will let the
> > > user choose if he wants to have the passwords encrypted.
> > > Because the passwords are still not completely safe, because of the
> > > open source.
> 
> That's really crap. _Who_'d like to deactivate internal encryption 
> of stored data, if there's an option for that? I can't think of anyone.

I know I will, because I look up the passwords in the config file when I
need them outside of centerIM. I don't remember these passwords, because
they are stored in centerim and I'm always connected, so I don't have to
remember them.

> > > We could of course use a simple symmetric encryption for the passwords,
> > > for which the user has to enter the key just after centerIM is started.
> 
> That would be worth an option maybe... ("Do you like to protect your messenger
> passwords by a master password you need to enter whenever starting centerim?")

Something like that, but I think it would be better to use fewer words.

> > nonononononono, sorry but that's really crap! I mean there is _no way_
> > to encrypt saved passwords if the protocol won't support it. 
> > Otherwise it's only security by obscurity. 

The password won't be safe for people who log the traffic, but at least
it is not easy to get to the password when it is not stored in plain
text in the config file.

> Well, depends on whether you look at it from theory or practice:
> 
> _theoretically it doesn't make a difference whether or not you're storing
> the passwords in plaintext or a XOR/ROT-version of it, because if someone
> got the file containing the non-/encrypted passwords he is able to get the
> passwords from that file.
> 
> _practically it _does_ matter, because one can't just open an editor and
> read a string (maybe even easy to remember) if the program uses XOR/ROT-128.
> And there are i.e. some conditions when you leave your computer for 30
> seconds or so, and you forgot to enable your screensaver. Anyone in the
> room is able to open an editor in 30 seconds, but it's quite a challenge to
> insert a USB device + copy some config + get away unseen in this time. At
> least imho.

As I said before, it will take more effort (and time) to get to the
passwords, which increases the security.

> > If you wanna be on the more secure side, 
> > give in your password whenever you log in.
> 
> So you'd need to insert all passwords for all protocols 
> whenever you start centerim, instead of a master password,
> which is used to decode the stored ones.

And this can be very irritating when you have to enter 6 passwords
every time you start centerIM.

> I suppose the idea of an optional master password encryption 
> is worth an implementation..

Now who would like to implement that?

Tiger!P
-- 
A random quote:
Not hurrying is better than hurrying and then finding out that you have
forgotten something.

-- 
_______________________________________________
Centerim-devel mailing list
[email protected]
http://centerim.org/mailman/listinfo/centerim-devel
http://www.centerim.org/
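
Added example, not part of the thread and not centerim code: the two storage options debated above, side by side. The fixed XOR key, the function names, the PBKDF2 iteration count and the HMAC-based keystream (a standard-library stand-in for a vetted authenticated cipher) are all assumptions made for illustration.

```python
import hashlib, hmac, os

FIXED_KEY = b"centerim"  # constructed stand-in for a key compiled into an open-source client

def xor_obfuscate(data: bytes, key: bytes = FIXED_KEY) -> bytes:
    # Fixed-key XOR: the same call hides and reveals; anyone with the source has the key.
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))

def _derive(master: str, salt: bytes):
    # PBKDF2 stretches the master password; 64 bytes split into encryption and MAC keys.
    okm = hashlib.pbkdf2_hmac("sha256", master.encode(), salt, 200_000, dklen=64)
    return okm[:32], okm[32:]

def _keystream(enc_key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC-SHA256 in counter mode, stdlib only; real code would use a vetted AEAD.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(enc_key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(master: str, secret: str) -> bytes:
    # Layout of a stored entry: salt(16) | nonce(16) | ciphertext | tag(32).
    salt, nonce = os.urandom(16), os.urandom(16)
    enc_key, mac_key = _derive(master, salt)
    pt = secret.encode()
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(enc_key, nonce, len(pt))))
    tag = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    return salt + nonce + ct + tag

def unseal(master: str, blob: bytes) -> str:
    if len(blob) < 64:
        raise ValueError("truncated config entry")
    salt, nonce, ct, tag = blob[:16], blob[16:32], blob[32:-32], blob[-32:]
    enc_key, mac_key = _derive(master, salt)
    expected = hmac.new(mac_key, salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or modified config entry")
    return bytes(a ^ b for a, b in zip(ct, _keystream(enc_key, nonce, len(ct)))).decode()

if __name__ == "__main__":
    stored = xor_obfuscate(b"icq-secret")    # constructed sample password
    print(xor_obfuscate(stored))             # recovered with no user secret at all
    blob = seal("master pw", "icq-secret")
    print(unseal("master pw", blob))         # recovered only with the master password
```

With the master-password variant the config file alone no longer yields the passwords, at the cost of the lookup-in-an-editor workflow mentioned in the reply.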
