Re: Fwd: about accounts file
On Saturday, August 24, 2013 at 03:53:21PM -0400, Ethan Blanton wrote:

> Tres Finocchiaro spake unto us the following wisdom:
>
> > I've never much understood Pidgin's perspective on this. Even base64 is obscure enough to keep a human from reading it over the shoulder.
>
> Unless your password is very, very bad, a base64 encoding of the password should be of roughly similar complexity. Therefore, anyone who can remember your password can remember the base64 -- and reverse it.

Not sure about this;

    $ echo password | openssl enc -base64
    cGFzc3dvcmQK

While one can easily see at a short glance and remember the token 'password', it is not so easy to pick up from the screen the token 'cGFzc3dvcmQK'.

matthias

--
Matthias Apitz | /\ ASCII Ribbon Campaign: www.asciiribbon.org
E-mail: g...@unixarea.de | \ / - No HTML/RTF in E-mail
WWW: http://www.unixarea.de/ | X - No proprietary attachments
phone: +49-170-4527211 | / \ - Respect for open standards

___
Support@pidgin.im mailing list
Want to unsubscribe? Use this link: http://pidgin.im/cgi-bin/mailman/listinfo/support
Re: Fwd: about accounts file
Matthias Apitz spake unto us the following wisdom:

> On Saturday, August 24, 2013 at 03:53:21PM -0400, Ethan Blanton wrote:
>
> > Unless your password is very, very bad, a base64 encoding of the password should be of roughly similar complexity. Therefore, anyone who can remember your password can remember the base64 -- and reverse it.
>
> Not sure about this;
>
>     $ echo password | openssl enc -base64
>     cGFzc3dvcmQK
>
> While one can easily see at a short glance and remember the token 'password', it is not so easy to pick up from the screen the token 'cGFzc3dvcmQK'.

Right -- if your passwords are *really really bad* and stupid, it matters. If that's the case, though, you need to get new passwords ASAP. My passwords are things like Oj4=puC/8jq, which is of similar complexity to that base64 string. Please reread my original statement.

Ethan
Re: Fwd: about accounts file
On Sunday, August 25, 2013 at 09:04:42AM -0400, Ethan Blanton wrote:

> Right -- if your passwords are *really really bad* and stupid, it matters. If that's the case, though, you need to get new passwords ASAP. My passwords are things like Oj4=puC/8jq, which is of similar complexity to that base64 string. Please reread my original statement.

Not really of the same complexity:

    $ pwgen 8 8
    Aishaem9 es1iHaod oiVie3ah daith5Oh IHooZ9Sh ieDao2po oHeepae0 xainaXo5
    $ echo iZeetah8 | openssl enc -base64
    aVplZXRhaDgK
    $ echo 'Oj4=puC/8jq' | openssl enc -base64
    T2o0PXB1Qy84anEK

matthias
Re: Fwd: about accounts file
Matthias Apitz spake unto us the following wisdom:

>     $ echo 'Oj4=puC/8jq' | openssl enc -base64
>     T2o0PXB1Qy84anEK

If your assertion is that someone will remember Oj4=puC/8jq but not T2o0PXB1Qy84anEK, then your argument has descended into the realm of the absurd. To effectively snatch either one they're going to have to either see it for a long time, see it many times, or take some sort of photo/record.

Ethan
Re: Fwd: about accounts file
And similarly, your argument that all passwords must be difficult to type and near impossible to read over the shoulder, or else they are REALLY BAD, which in turn makes the user STUPID, seems naive and ignorant of any basic, practical, efficient, easy-to-remember methods of memorization.

The password:

    Eth@ngoesoutofh1swaytocr3ategreatpasswords!

is more complex than your example and not subject to a common rainbow attack. In addition, it also requires less memorization to retain, since it relies on relational ideas in our long-term memory.

To call someone stupid for choosing this password seems a bit harsh on a percentage of the population that's going to *better* lengths to secure their data. Stating password1 is stupid is accurate for several reasons; however, does that in turn make all easily retainable passwords stupid as well? I for one tend to choose something closer to a sentence over hard-to-type and hard-to-remember character strings. Am I and most people I know doing it wrong? Is there something about passwords WE are naive to?

On Aug 25, 2013 12:50 PM, Ethan Blanton e...@pidgin.im wrote:

> Matthias Apitz spake unto us the following wisdom:
>
> >     $ echo 'Oj4=puC/8jq' | openssl enc -base64
> >     T2o0PXB1Qy84anEK
>
> If your assertion is that someone will remember Oj4=puC/8jq but not T2o0PXB1Qy84anEK, then your argument has descended into the realm of the absurd. To effectively snatch either one they're going to have to either see it for a long time, see it many times, or take some sort of photo/record.
>
> Ethan
Re: Fwd: about accounts file
On Sunday, August 25, 2013 at 12:49:45PM -0400, Ethan Blanton wrote:

> Matthias Apitz spake unto us the following wisdom:
>
> >     $ echo 'Oj4=puC/8jq' | openssl enc -base64
> >     T2o0PXB1Qy84anEK
>
> If your assertion is that someone will remember Oj4=puC/8jq but not T2o0PXB1Qy84anEK, then your argument has descended into the realm of the absurd. To effectively snatch either one they're going to have to either see it for a long time, see it many times, or take some sort of photo/record.

I think 'Oj4=puC/8jq' is much easier to memorize due to the fact that it has 3 groups of 3 chars each: Oj4 puC 8jq, separated by '=' and '/', while the token T2o0PXB1Qy84anEK is much more complex to memorize, don't you agree?

Btw: I'm fine with storing the pws in clear text in pidgin, because it is a personal computer, and one will not bring them on the screen without knowing why he/she is doing that.

matthias
Re: Fwd: about accounts file
Tres Finocchiaro spake unto us the following wisdom:

> And similarly, your argument that all passwords must be difficult to type and near impossible to read over the shoulder, or else they are REALLY BAD, which in turn makes the user STUPID, seems naive and ignorant of any basic, practical, efficient, easy-to-remember methods of memorization.

I didn't call anyone stupid. Pay attention. Your argument here is still wrong and bogus.

> The password:
>
>     Eth@ngoesoutofh1swaytocr3ategreatpasswords!

You're not going to be able to memorize this in just a second or two looking over someone's shoulder, either. It's hard to parse English sentences without spacing, your brain is going to replace the changed letters automatically, etc. -- so you're going to have to spend a second to memorize and get it right to use it later. Now, you're correct that the base64 of *that* is much harder to memorize, but ... who cares? What are you protecting against? Now you're just throwing straw men up.

I'm going to leave off your whole rant about doing passwords right or wrong. I don't care how you choose your password. If it's a good password, it's going to be hard for a third party to memorize in a glimpse. It's also going to be hard to memorize in base64, but all you've done is tricked naive users into thinking their accounts.xml is safe and letting Mallory stare at it as long as he wants.

You're on the losing end of this argument. The right solution to this problem is a password manager, not bogus obfuscation. We're LONG overdue for a password manager, but bickering about base64 on the mailing list isn't going to make that happen.

Ethan
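The two points argued back and forth in this thread can be checked mechanically. The script below is an added example, not Pidgin code and not from any poster here: it reproduces the thread's `echo token | openssl enc -base64` outputs (note that `echo` appends a newline before encoding, which is why each output ends in 'K'), shows that the "obfuscated" form is recovered with a single library call and no key, and audits a constructed accounts.xml for accounts that keep a password on disk. The sample XML is constructed for the example and only loosely models the real ~/.purple/accounts.xml layout; the element names it relies on (account, protocol, name, password) are an assumption.

```python
"""Added example: base64 is encoding, not protection, and an audit of a
constructed accounts.xml for on-disk passwords (defender's view)."""
import base64
import xml.etree.ElementTree as ET

# Constructed sample modelled loosely on Pidgin's ~/.purple/accounts.xml.
# Element names are assumed; the account names are made-up test data.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.invalid/Pidgin</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.invalid</name>
  </account>
</account>
"""


def shell_style_b64(token: str) -> str:
    """Reproduce `echo token | openssl enc -base64`: echo appends '\\n',
    so the encoded value covers the token plus a trailing newline."""
    return base64.b64encode((token + "\n").encode()).decode()


def recover(encoded: str) -> str:
    """Undo the 'obfuscation'. No secret is needed, which is the point:
    anyone who can read the file can read the password."""
    return base64.b64decode(encoded).decode().rstrip("\n")


def accounts_with_stored_passwords(xml_text: str) -> list:
    """Return (protocol, name) for each account whose password is kept in
    the file. The passwords themselves are deliberately not returned, so
    the audit output can be shared without leaking them."""
    root = ET.fromstring(xml_text.encode("utf-8"))
    found = []
    for acct in root.findall("account"):
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            found.append((acct.findtext("protocol", ""),
                          acct.findtext("name", "")))
    return found


if __name__ == "__main__":
    # The thread's own tokens, round-tripped.
    for token in ("password", "Oj4=puC/8jq"):
        enc = shell_style_b64(token)
        print(f"{token!r:16} -> {enc:18} -> {recover(enc)!r}")
    # Which accounts would a keyring backend need to migrate?
    for proto, name in accounts_with_stored_passwords(SAMPLE_ACCOUNTS_XML):
        print(f"password stored on disk for {proto} account {name}")
```

Run it against your own file with `accounts_with_stored_passwords(open(path).read())`; an empty list means nothing sensitive sits in that file regardless of how it is encoded.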
Re: Fwd: about accounts file
Matthias Apitz spake unto us the following wisdom:

> I think 'Oj4=puC/8jq' is much easier to memorize due to the fact that it has 3 groups of 3 chars each: Oj4 puC 8jq, separated by '=' and '/', while the token T2o0PXB1Qy84anEK is much more complex to memorize, don't you agree?

That's a random accident. The base64 could have been broken up into clusters just as likely as the random string I posted. If you want to exclude all passwords *and* base64s of passwords that might be easily shoulder-surfable based on the mnemonic tricks used by the current observer ... that's a hard problem.

Ethan
Re: Fwd: about accounts file
On 08/24/2013 11:13 AM, Fernando Jung wrote:

> is there any way to encrypt the ~/.purple/accounts.xml files? in it is all my accounts setting saved as plain text, including my passwords, which is not very secure

Please see: https://developer.pidgin.im/wiki/PlainTextPasswords

In 3.0.0, which is under development, we will support keyring systems, which will allow you to encrypt your passwords in the keyring rather than store them within the pidgin configuration.

Kevin
Re: Fwd: about accounts file
I've never much understood Pidgin's perspective on this. Even base64 is obscure enough to keep a human from reading it over the shoulder.

The Unix argument seems to be pragmatic and naive in an Active Directory dominated industry. I for one agree with the OP, clear text is frightening to see, regardless of the technicalities around how secure it is.

Love pidgin tho... :)

-Tres

On Aug 24, 2013 2:49 PM, Kevin Stange ksta...@pidgin.im wrote:

> On 08/24/2013 11:13 AM, Fernando Jung wrote:
>
> > is there any way to encrypt the ~/.purple/accounts.xml files? in it is all my accounts setting saved as plain text, including my passwords, which is not very secure
>
> Please see: https://developer.pidgin.im/wiki/PlainTextPasswords
>
> In 3.0.0, which is under development, we will support keyring systems, which will allow you to encrypt your passwords in the keyring rather than store them within the pidgin configuration.
>
> Kevin
Re: Fwd: about accounts file
Tres Finocchiaro spake unto us the following wisdom:

> I've never much understood Pidgin's perspective on this. Even base64 is obscure enough to keep a human from reading it over the shoulder.

Unless your password is very, very bad, a base64 encoding of the password should be of roughly similar complexity. Therefore, anyone who can remember your password can remember the base64 -- and reverse it.

> The Unix argument seems to be pragmatic and naive in an Active Directory dominated industry. I for one agree with the OP, clear text is frightening to see, regardless of the technicalities around how secure it is.

Good. It should be frightening. That's the point.

Ethan