LinuxQuestions.org
Forums > Linux Forums > Linux - Security
#1   07-17-2015, 08:19 AM
hack3rcon, Senior Member (registered Jan 2015; 1,432 posts; reputation 11)

Can Pidgin Messenger Encrypt my Password?


Hello.
I have a question about using Pidgin. When I use Pidgin to open my Gtalk or... can Pidgin encrypt my username and password, or does it transfer them in clear text? Can a third person sniff my password?
What is your idea?

Thank you.
 
#2   07-17-2015, 06:46 PM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)

This question is easily answered by searching "how does pidgin store user credentials?" in a search engine.
Quote:
Quoted From: https://developer.pidgin.im/wiki/PlainTextPasswords
Purple does not now and is not likely to encrypt the passwords in the accounts.xml file, nor is it likely to be encrypted in a future release.
The best way to store your password in Pidgin is to not store it. Rather, enter it each time you log into your account(s) by unchecking "save password" in each account's settings page.
 
#3   07-17-2015, 07:17 PM
Sefyir, Member (registered Mar 2015; distribution Linux Mint; 634 posts; reputation 316)

Is OP worried about credentials being stolen in transmission during logging in or during storage?
There really isn't a risk with storing passwords plaintext as long as no one else has physical access that you don't trust.
During normal usage, permissions of 600 are enough.

If you suspect that it is possible that someone will attempt to gain physical access and access files, you should consider full disk encryption. This would solve the problem of plain text passwords anyways.
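As an added example (not code from the thread or from the Pidgin project), a small Python audit of the accounts.xml file the advice above concerns: it reports the file's permission bits and which accounts have a password saved. It assumes Pidgin's layout of ~/.purple/accounts.xml (an <account> root holding one <account> element per account, with <protocol>, <name> and, when "save password" is ticked, a <password> element) and writes a constructed sample to a temporary directory so it runs offline.

```python
# Added example, not from the thread: audit a Pidgin accounts.xml for saved
# plaintext passwords and for permissions looser than 600.
# Assumption: Pidgin keeps accounts in ~/.purple/accounts.xml as shown below.
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample in the assumed accounts.xml layout (not a real file).
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@gmail.com/Pidgin</name>
    <password>hunter2</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>alice@irc.example.invalid</name>
  </account>
</account>
"""

def audit_accounts_xml(path):
    """Return the file mode, whether group/others can read it, and for each
    account whether a password is stored in the clear."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    root = ET.parse(path).getroot()
    accounts = []
    for acct in root.findall("account"):
        pw = acct.findtext("password")
        accounts.append({
            "protocol": acct.findtext("protocol", ""),
            "name": acct.findtext("name", ""),
            "password_saved": pw is not None and pw != "",
        })
    return {
        "mode": mode,
        "readable_by_others": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
        "accounts": accounts,
    }

def write_sample(mode=0o644):
    """Write the constructed sample to a temp dir with the given mode."""
    path = os.path.join(tempfile.mkdtemp(), "accounts.xml")
    with open(path, "w") as f:
        f.write(SAMPLE_ACCOUNTS_XML)
    os.chmod(path, mode)
    return path

if __name__ == "__main__":
    print(audit_accounts_xml(write_sample()))
```

Point it at the real file with `audit_accounts_xml(os.path.expanduser("~/.purple/accounts.xml"))`; any account with `password_saved` true holds its password in the clear, and `readable_by_others` true means the mode is looser than 600.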
 
#4   07-17-2015, 07:31 PM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)

He is worried about how the user credentials are being stored from what I can tell.

Quote:
Originally Posted by Sefyir View Post
Is OP worried about credentials being stolen in transmission during logging in or during storage?
There really isn't a risk with storing passwords plaintext as long as no one else has physical access that you don't trust.
During normal usage, permissions of 600 are enough.

If you suspect that it is possible that someone will attempt to gain physical access and access files, you should consider full disk encryption. This would solve the problem of plain text passwords anyways.

Full disk encryption only works if the machine is powered off. If you are booted up, the disks have to be decrypted.
 
#5   07-17-2015, 07:37 PM
Sefyir, Member (registered Mar 2015; distribution Linux Mint; 634 posts; reputation 316)

Quote:
Originally Posted by mralk3 View Post
He is worried about how the user credentials are being stored from what I can tell.

Full disk encryption only works if the machine is powered off. If you are booted up, the disks have to be decrypted.
Correct. If the computer is powered up, my assumption is that someone who can unlock them is also a trusted person of that computer.
Otherwise, an "untrusted" person will have no access or ability to "override" permissions. My example is with Windows: I can access any file after a reboot by live booting. Full disk encryption would prevent that.

The reason I'm not sure is this:

Quote:
Can Pidgin Encrypt my Username and Password or it transfer them in clear text ? Can Third person sniff my password?
Hopefully the OP can clarify.
 
#6   07-18-2015, 12:46 AM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)

Some of my information may be incomplete, as I am very tired and about to head to bed.

Quote:
Originally Posted by hack3rcon View Post
Can Third person sniff my password?
Yes, a man in the middle attack is possible. It is possible to use a packet sniffer and an SSL stripper to decrypt and display encrypted passwords. It is also definitely possible to view entire SSL encrypted conversations on any network using this same method.

The easiest man in the middle attack to carry out is an ARP poisoning attack on a local area network. Another such attack uses DNS poisoning to redirect a victim to the attacker, where the attacker then forwards traffic to its originally intended destination, after it has been decrypted.

The strength of the SSL encryption does not play a role in preventing such an attack since the traffic being intercepted is effectively being rerouted on the attacker's machine. The act of rerouting the traffic on the local host allows the attacker full access to manipulating the SSL session.

On the internet, the best way to circumvent this is to use trusted networks, assure openssl is up to date, and that you are not a victim of DNS poisoning either. The only way to circumvent ARP poisoning is to force static ARP tables on all hosts on your LAN so that the router is never confused about who is who on the network. By "use trusted networks", I mean that you should not log onto google talk (or any other sensitive service) on a public or untrusted network, untrusted VPN, over Tor, or using public proxies.

Apart from that information, I really do not feel comfortable sharing what software tools are used to carry out such an attack on a public forum. A quick google will tell you how it's done; the information is not hard to find.
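An added example, not from the thread, written from the detection side of the ARP poisoning described above: it compares two snapshots in the Linux /proc/net/arp format and flags a gateway whose MAC address has changed, or one MAC answering for several IPs, which is the symptom a static ARP table is meant to rule out. The snapshots, addresses and gateway IP are constructed sample data, not real captures.

```python
# Added example, not from the thread: spot the ARP table symptoms of an
# ARP poisoning attempt by diffing snapshots in /proc/net/arp format.
# All addresses below are constructed sample values.
HEADER = "IP address       HW type     Flags       HW address            Mask     Device"

# Constructed: the gateway (192.168.1.1, hypothetical) before and after its
# entry starts pointing at the MAC already used by 192.168.1.20.
SNAPSHOT_BEFORE = HEADER + """
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""
SNAPSHOT_AFTER = HEADER + """
192.168.1.1      0x1         0x2         66:77:88:99:aa:bb     *        eth0
192.168.1.20     0x1         0x2         66:77:88:99:aa:bb     *        eth0
"""

def parse_arp_table(text):
    """Map IP -> MAC for complete entries (flags 0x2), skipping the header."""
    table = {}
    for line in text.strip().splitlines()[1:]:
        fields = line.split()
        if len(fields) >= 4 and fields[2] == "0x2":
            table[fields[0]] = fields[3].lower()
    return table

def arp_alerts(previous, current, gateway):
    """Return alert strings for a gateway MAC change and for any MAC that
    claims more than one IP in the current snapshot."""
    alerts = []
    old, new = previous.get(gateway), current.get(gateway)
    if old and new and old != new:
        alerts.append(f"gateway {gateway} MAC changed {old} -> {new}")
    by_mac = {}
    for ip, mac in current.items():
        by_mac.setdefault(mac, []).append(ip)
    for mac, ips in sorted(by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"MAC {mac} claims several IPs: {', '.join(sorted(ips))}")
    return alerts

if __name__ == "__main__":
    before = parse_arp_table(SNAPSHOT_BEFORE)
    after = parse_arp_table(SNAPSHOT_AFTER)
    for alert in arp_alerts(before, after, "192.168.1.1"):
        print("ALERT:", alert)
```

On a live host, feed `open("/proc/net/arp").read()` to `parse_arp_table` at intervals and keep the previous result as `previous`.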
 
#7   07-18-2015, 12:49 AM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)

Quote:
Originally Posted by hack3rcon View Post
Can Pidgin Encrypt my Username and Password or it transfer them in clear text ?

Pidgin does not transfer your password in clear text if you force Pidgin to use SSL. In fact, I believe Google Talk will not allow you to log in unless you use secure settings, such as SSL.

Please see: https://support.google.com/a/answer/49147?hl=en
 
#8   07-18-2015, 02:12 PM
hack3rcon, Senior Member, Original Poster (registered Jan 2015; 1,432 posts; reputation 11)

What I mean is that if I enter my password to log in to Gtalk via Pidgin, does Pidgin transfer my password to Google for checking in clear text or not?
 
#9   07-18-2015, 02:13 PM
hack3rcon, Senior Member, Original Poster (registered Jan 2015; 1,432 posts; reputation 11)

Quote:
Originally Posted by mralk3 View Post
Some of my information may be incomplete, as I am very tired and about to head to bed.

Yes, a man in the middle attack is possible. It is possible to use a packet sniffer and an SSL stripper to decrypt and display encrypted passwords. It is also definitely possible to view entire SSL encrypted conversations on any network using this same method.

The easiest man in the middle attack to carry out is an ARP poisoning attack on a local area network. Another such attack uses DNS poisoning to redirect a victim to the attacker, where the attacker then forwards traffic to its originally intended destination, after it has been decrypted.

The strength of the SSL encryption does not play a role in preventing such an attack since the traffic being intercepted is effectively being rerouted on the attacker's machine. The act of rerouting the traffic on the local host allows the attacker full access to manipulating the SSL session.

On the internet, the best way to circumvent this is to use trusted networks, assure openssl is up to date, and that you are not a victim of DNS poisoning either. The only way to circumvent ARP poisoning is to force static ARP tables on all hosts on your LAN so that the router is never confused about who is who on the network. By "use trusted networks", I mean that you should not log onto google talk (or any other sensitive service) on a public or untrusted network, untrusted VPN, over Tor, or using public proxies.

Apart from that information, I really do not feel comfortable sharing what software tools are used to carry out such an attack on a public forum. A quick google will tell you how it's done; the information is not hard to find.
Do you agree with Tor?
 
#10   07-18-2015, 02:39 PM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)


Quote:
Do you agree with Tor?
I do not understand what you mean by this.
 
#11   07-20-2015, 07:09 AM
hack3rcon, Senior Member, Original Poster (registered Jan 2015; 1,432 posts; reputation 11)

What I mean is that if I configure Pidgin to use Tor, can a third person hijack my password?
 
#12   07-20-2015, 08:50 AM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)

Quote:
Originally Posted by hack3rcon View Post
What I mean is that if I configure Pidgin to use Tor, can a third person hijack my password?
Tor is not meant to increase security. Tor is meant to increase anonymity.

If you enable 2 factor authentication in your Google account and use app passwords, it will add an extra layer of security to your account. 2 factor authentication will not prevent your communications from being intercepted (possibly decrypted) while they pass through Tor exit nodes that are (possibly) issuing a MITM attack. It is never a good idea to use network services on networks that are untrusted, such as Tor.

Tor is meant to anonymize its users. Using an account that easily identifies you, like google talk, is pointless since it defeats the purpose of Tor.

If you want to use a proxy for google talk, your best bet is to set up your own VPN using a virtual private server or a dedicated server. Though this still does not fully secure your communications, since the chat session still needs to make its way across the internet to Google's servers.

If you are that worried about user credentials or communications being intercepted, you should set up your own jabber service (or IRC service) on a server you control. Then allow your friends to connect to it over a VPN that runs on this same server. This is the most secure way to use instant messaging services, and will have the highest security (if set up correctly) in securing your communications, as well as user credentials. This method is also far more anonymizing since you control the chat server logs, who accesses it, its level of security, its level of encryption, and nothing goes over the internet.
 
#13   07-21-2015, 02:45 AM
hack3rcon, Senior Member, Original Poster (registered Jan 2015; 1,432 posts; reputation 11)

I just want to know whether, when I enter my password in Pidgin, Pidgin encrypts it on my PC and then sends it to Google, or sends it as clear text to Google.
 
#14   07-21-2015, 11:02 AM
mralk3, Slackware Contributor (registered May 2015; distribution Slackware; 1,900 posts; reputation 1050)

Quote:
Originally Posted by hack3rcon View Post
I just want to know whether, when I enter my password in Pidgin, Pidgin encrypts it on my PC and then sends it to Google, or sends it as clear text to Google.
I've answered this several different ways. I will simplify.

Yes.
 
#15   07-22-2015, 03:22 AM
hack3rcon, Senior Member, Original Poster (registered Jan 2015; 1,432 posts; reputation 11)

Thank you.
 