Feature Requests item #1035240, was opened at 2004-09-26 22:14 Message generated for change (Comment added) made by lschiere You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=350235&aid=1035240&group_id=235
Please note that this message will contain a full copy of the comment thread, including the initial issue submission, for this request, not just the latest update. Category: core Group: None >Status: Closed Resolution: None Priority: 5 Private: No Submitted By: Aaron W (luna-tick) Assigned to: Nobody/Anonymous (nobody) Summary: Password manager for IM logins Initial Comment: Any possibility of providing an implementation of, or option to link into, the Mozilla Software Security Device? I think that a lot get gaim to remember passwords for them and those are stored in plaintext on the computer. I have about 4 accounts, however, so entering one master password would be a great intermediate position between the security of entering them by hand and the convenience of storing them. Obviously one wouldn't want gaim to need the Mozilla suite to function, but it would save coding something that wasn't the focus of the project and it would allow gaim to benefit from advances made in that software. I wish that Mozilla, KDE KWallet manufacturers and Gnome could come together and work on a Universal Password Manager so that smaller apps like this could more easily benefit from their security and the user had one program to deal with that was actually secure. It would also encourage development of a decent interface to that (Gui, palm pilot syncs etc); but dreams are free and often useless! ---------------------------------------------------------------------- Comment By: Luke Schierer (lschiere) Date: 2007-04-20 11:00 Message: Logged In: YES user_id=28833 Originator: NO As we are closing this tracker, please submit any feature request that is still valid to http://developer.pidgin.im. Thanks. ---------------------------------------------------------------------- Comment By: Richard Laager (rlaager) Date: 2006-10-26 02:04 Message: Logged In: YES user_id=156487 If someone can run malicious software as your user account, you're sunk. Period. That said, I don't object to having optional (via a plugin, for example) support for a password manager. I agree that a standard would be nice. Someone should totally start on that. :) ---------------------------------------------------------------------- Comment By: Kenneth Tse (kennethtse) Date: 2006-10-25 13:42 Message: Logged In: YES user_id=1629871 I also support the idea of adding a password manager in Gaim. Yes, in the Gaim project page (http://gaim.sourceforge.net/plaintextpasswords.php), there is an explanation of why password encryption is not included (and not planed to be included) in Gaim. However, I think that's out-of-dated and does not apply to current situation. Most IM protocols are in plain text, but not all. For example Jabber supports TLS. And there may be more in coming future as more people are concerning the security. The account.xml file may be the only place the IM passwords are stored clear text for this type of protocol. Moreover, IM nowadays is not just simply an IM. They usually exist as part of an integrated service with single logon credential. Google account, Yahoo! account and the .NET passport are examples of these. Therefore it is more difficult to use separate passwords for IM accounts. Exposing the passwords of them means also exposure of your web mails, blogs, album, and etc. Access control to the account.xml file could be one of the workarounds. However it is not secure enough since attacker may use malicious programs running at current user privilege to get the file. File system level encryption (e.g. EFS of Windows) won't work. Yes, users may use their own program to encrypt the account.xml file but firstly this is not user-friendly, secondly, as stated in the Gaim project page, this is not a good solution who always have their IM on (most people do now). All in all, to enhance the user-friendliness and the security of Gaim, there is a need to implement a password manager so that: 1) user can only log on once with their master password 2) IM account passwords are not stored clear text on the file system Solutions can be something like how Mozilla Firefox/Thunderbird does. ---------------------------------------------------------------------- Comment By: Eduardo Perez Ureta (eperez) Date: 2004-12-08 08:57 Message: Logged In: YES user_id=60347 For reference (if you haven't read it) http://gaim.sourceforge.net/plaintextpasswords.txt ---------------------------------------------------------------------- You can respond by visiting: https://sourceforge.net/tracker/?func=detail&atid=350235&aid=1035240&group_id=235 ------------------------------------------------------------------------- This SF.net email is sponsored by DB2 Express Download DB2 Express C - the FREE version of DB2 express and take control of your XML. No limits. Just data. Click to get it now. http://sourceforge.net/powerbar/db2/ _______________________________________________ Gaim-features mailing list Gaim-features@lists.sourceforge.net https://lists.sourceforge.net/lists/listinfo/gaim-features