Pidgin can save passwords in KWallet

July 15, 2010

Pidgin is a multi-protocol multi-account instant messenger based on GTK. Although I am a KDE user myself, I like Pidgin more than KDE’s instant messenger (Kopete) – for reasons that I will not discuss here. Still, I hope Kopete will get better eventually.

I use 3 accounts simultaneously with Pidgin, and having 3 password pop-up boxes every time I start it is quite daunting. It kindly offers to remember the passwords for me, but it uses a plaintext file for that (the same file it saves the account data in).

If “remember password” is checked for one of the accounts, run something like the command below and you (and anyone else who has access to your files) can see the password.

grep 'password' ~/.purple/accounts.xml
Result:
<password>yourpassword</password>

I don’t think that’s OK, not even for my box at home, let alone the one at the office. At home it is a bit paranoid, I agree, but at work there is a good chance that someone would need access to my box, so I would have to give them the user or root password, or they could just use a live CD or any other means of getting access to the files. So I implemented a Pidgin plugin that allows saving the passwords in KWallet. KWallet is a secure storage system for sensitive data such as passwords. Besides the C/C++ API, it offers a decent D-Bus interface which applications can use to store and retrieve data (my plugin uses it too).

Using LibPurple-KWallet-plugin

Saving the passwords is just as elegant as the built-in method. In fact, once the plugin is installed, the passwords are saved automatically on connect for each account and reused from the storage the next time they are needed. The “remember password” check-box should be off, otherwise the passwords will also be saved in the plaintext file!
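
A quick way to check which accounts still have “remember password” enabled, as an added example (not code from the post or the plugin): it lists the accounts in accounts.xml that carry a non-empty `<password>` element without printing the password, and flags the file if it is readable by group or other. Only `<password>` appears in the post; the `<account>`, `<protocol>` and `<name>` element names and the sample data are assumptions.

```python
import os
import stat
import xml.etree.ElementTree as ET

# Constructed sample. Only <password> appears in the post; the <account>,
# <protocol> and <name> element names are assumed from libpurple's layout.
SAMPLE = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.org/home</name>
    <password>constructed-secret</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.net</name>
  </account>
</account>"""

def accounts_with_plaintext_password(xml_data):
    """Return (protocol, name) for each account that stores a password.

    The password value itself is never returned or printed.
    """
    found = []
    # iter() also visits the root <account>, which has no direct <password>.
    for acct in ET.fromstring(xml_data).iter("account"):
        pw = acct.find("password")
        if pw is not None and (pw.text or "").strip():
            found.append((acct.findtext("protocol", "?"),
                          acct.findtext("name", "?")))
    return found

def readable_by_others(mode):
    """True if group or other have read permission on the file."""
    return bool(mode & (stat.S_IRGRP | stat.S_IROTH))

if __name__ == "__main__":
    path = os.path.expanduser("~/.purple/accounts.xml")
    if os.path.exists(path):
        with open(path, "rb") as fh:
            data = fh.read()
        if readable_by_others(os.stat(path).st_mode):
            print(f"{path} is readable by group/other")
    else:
        data = SAMPLE  # fall back to the constructed sample
    for protocol, name in accounts_with_plaintext_password(data):
        print(f"plaintext password stored for {name} ({protocol})")
```

An empty result after installing the plugin and unchecking “remember password” means no account password is left in the plaintext file.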

[Screenshot: Pidgin asks for access to the KWallet]
