Feature Requests item #1035240, was opened at 2004-09-26 22:14
Message generated for change (Comment added) made by lschiere
You can respond by visiting: 

Please note that this message will contain a full copy of the comment thread,
including the initial issue submission, for this request,
not just the latest update.
Category: core
Group: None
>Status: Closed
Resolution: None
Priority: 5
Private: No
Submitted By: Aaron W (luna-tick)
Assigned to: Nobody/Anonymous (nobody)
Summary: Password manager for IM logins

Initial Comment:
Any possibility of providing an implementation of, or
option to link into, the Mozilla Software Security Device? 

I think that a lot get gaim to remember passwords for
them and those are stored in plaintext on the computer.
I have about 4 accounts, however, so entering one
master password would be a great intermediate position
between the security of entering them by hand and the
convenience of storing them.

Obviously one wouldn't want gaim to need the Mozilla
suite to function, but it would save coding something
that wasn't the focus of the project and it would allow
gaim to benefit from advances made in that software.

I wish that Mozilla, KDE KWallet manufacturers and
Gnome could come together and work on a Universal
Password Manager so that smaller apps like this could
more easily benefit from their security and the user
had one program to deal with that was actually secure.
It would also encourage development of a decent
interface to that (Gui, palm pilot syncs etc); but
dreams are free and often useless!


Comment By: Luke Schierer (lschiere)
Date: 2007-04-20 11:00

Logged In: YES 
Originator: NO

As we are closing this tracker, please submit any feature request that is
still valid to http://developer.pidgin.im.  Thanks. 


Comment By: Richard Laager (rlaager)
Date: 2006-10-26 02:04

Logged In: YES 

If someone can run malicious software as your user account,
you're sunk. Period. That said, I don't object to having
optional (via a plugin, for example) support for a password
manager. I agree that a standard would be nice. Someone
should totally start on that. :)


Comment By: Kenneth Tse (kennethtse)
Date: 2006-10-25 13:42

Logged In: YES 

I also support the idea of adding a password manager in Gaim.

Yes, in the Gaim project page
(http://gaim.sourceforge.net/plaintextpasswords.php), there
is an explanation of why password encryption is not included
(and not planed to be included) in Gaim. However, I think
that's out-of-dated and does not apply to current situation.

Most IM protocols are in plain text, but not all. For
example Jabber supports TLS. And there may be more in coming
future as more people are concerning the security. The
account.xml file may be the only place the IM passwords are
stored clear text for this type of protocol.

Moreover, IM nowadays is not just simply an IM. They usually
exist as part of an integrated service with single logon
credential. Google account, Yahoo! account and the .NET
passport are examples of these. Therefore it is more
difficult to use separate passwords for IM accounts.
Exposing the passwords of them means also exposure of your
web mails, blogs, album, and etc.

Access control to the account.xml file could be one of the
workarounds. However it is not secure enough since attacker
may use malicious programs running at current user privilege
to get the file. File system level encryption (e.g. EFS of
Windows) won't work. Yes, users may use their own program to
encrypt the account.xml file but firstly this is not
user-friendly, secondly, as stated in the Gaim project page,
this is not a good solution who always have their IM on
(most people do now).

All in all, to enhance the user-friendliness and the
security of Gaim, there is a need to implement a password
manager so that:
1) user can only log on once with their master password
2) IM account passwords are not stored clear text on the
file system

Solutions can be something like how Mozilla
Firefox/Thunderbird does.


Comment By: Eduardo Perez Ureta (eperez)
Date: 2004-12-08 08:57

Logged In: YES 

For reference (if you haven't read it)


You can respond by visiting: 

This SF.net email is sponsored by DB2 Express
Download DB2 Express C - the FREE version of DB2 express and take
control of your XML. No limits. Just data. Click to get it now.
Gaim-features mailing list

Reply via email to