[SOLVED] Can Pidgin Messenger Encrypt my Password?
Hello.
I have a question about using Pidgin. When I use Pidgin to open my Gtalk or... can Pidgin encrypt my username and password, or does it transfer them in clear text? Can a third person sniff my password?
What is your idea?
This question is easily answered by searching "how does pidgin store user credentials?" in a search engine.
Quote:
Quoted From: https://developer.pidgin.im/wiki/PlainTextPasswords
Purple does not now and is not likely to encrypt the passwords in the accounts.xml file, nor is it likely to be encrypted in a future release.
The best way to store your password in Pidgin is to not store it. Rather, enter it each time you log into your account(s) by unchecking "save password" in each account's settings page.
Is OP worried about credentials being stolen in transmission during logging in or during storage?
There really isn't a risk with storing passwords plaintext as long as no one else has physical access that you don't trust.
During normal usage, permissions of 600 are enough.
If you suspect that it is possible that someone will attempt to gain physical access and access files, you should consider full disk encryption. This would solve the problem of plain text passwords anyway.
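The two replies above point at the same two checks a user can make on their own machine: whether a password is actually sitting in accounts.xml, and whether that file is readable by anyone other than the owner (the "600" suggestion). The script below is an added example, not code from Pidgin or from any poster in this thread. It assumes the accounts.xml layout written by libpurple 2.x (nested `<account>` elements with `<protocol>`, `<name>`, an optional `<password>`, and `<settings><setting name=...>` children) and the jabber protocol plugin's `connection_security` option; the sample file it writes is constructed here for demonstration and is only used when no real `~/.purple/accounts.xml` exists.

```python
"""Audit a libpurple/Pidgin accounts.xml for stored passwords, file permissions
and the XMPP connection-security setting.

Added example, not code from Pidgin or from any poster in this thread. It
assumes the accounts.xml layout used by libpurple 2.x and the jabber plugin's
'connection_security' option; the sample file is constructed for demonstration.
"""
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample: alice stores her password and only uses TLS opportunistically;
# bob stores no password and requires TLS.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>alice@example.com/Home</name>
    <password>hunter2</password>
    <settings>
      <setting name='connection_security' type='string'>opportunistic_tls</setting>
    </settings>
  </account>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>bob@example.com/Laptop</name>
    <settings>
      <setting name='connection_security' type='string'>require_tls</setting>
    </settings>
  </account>
</account>
"""

DEFAULT_PATH = os.path.expanduser("~/.purple/accounts.xml")


def write_sample(directory=None, mode=0o644):
    """Write the constructed sample into a temp dir with the given mode; return its path."""
    directory = directory or tempfile.mkdtemp()
    path = os.path.join(directory, "accounts.xml")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write(SAMPLE_ACCOUNTS_XML)
    os.chmod(path, mode)
    return path


def audit_permissions(path):
    """Return (octal mode string, ok); ok is True only when group/other bits are clear."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return format(mode, "o"), (mode & 0o077) == 0


def audit_accounts(path):
    """Return one finding per <account>: password stored? TLS required?"""
    findings = []
    for acct in ET.parse(path).getroot().findall("account"):
        pw = acct.find("password")
        security = None
        for s in acct.findall("./settings/setting"):
            if s.get("name") == "connection_security":
                security = (s.text or "").strip()
        findings.append({
            "name": acct.findtext("name", ""),
            "protocol": acct.findtext("protocol", ""),
            "password_stored": pw is not None and bool((pw.text or "").strip()),
            "connection_security": security,
            "requires_tls": security == "require_tls",
        })
    return findings


def report(path):
    """Print a human-readable audit and return the number of issues found."""
    issues = 0
    mode, ok = audit_permissions(path)
    print(f"{path}: mode {mode} ({'ok' if ok else 'readable by group/other'})")
    issues += 0 if ok else 1
    for f in audit_accounts(path):
        flags = []
        if f["password_stored"]:
            flags.append("password stored in plain text")
        if f["protocol"] == "prpl-jabber" and not f["requires_tls"]:
            flags.append(f"connection_security={f['connection_security']!r}, TLS not required")
        issues += len(flags)
        print(f"  {f['name']}: {'; '.join(flags) or 'no issues'}")
    return issues


if __name__ == "__main__":
    target = DEFAULT_PATH if os.path.exists(DEFAULT_PATH) else write_sample()
    report(target)
```

Run it as the user whose Pidgin profile you want to check; it reads the real file when present and otherwise demonstrates on the constructed sample. A file mode of 600 only protects against other local accounts on a running system, which is exactly the limit the later replies discuss: anyone who can read the disk offline still sees the password, so the stored-password finding is the one that matters most.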
He is worried about how the user credentials are being stored from what I can tell.
Quote:
Originally Posted by Sefyir
Is OP worried about credentials being stolen in transmission during logging in or during storage?
There really isn't a risk with storing passwords plaintext as long as no one else has physical access that you don't trust.
During normal usage, permissions of 600 are enough.
If you suspect that it is possible that someone will attempt to gain physical access and access files, you should consider full disk encryption. This would solve the problem of plain text passwords anyway.
Full disk encryption only works if the machine is powered off. If you are booted up, the disks have to be decrypted.
Quote:
He is worried about how the user credentials are being stored from what I can tell.
Full disk encryption only works if the machine is powered off. If you are booted up, the disks have to be decrypted.
Correct. If the computer is powered up, my assumption is the someone who can unlock them is also a trusted person of that computer.
Otherwise, an "untrusted" person will have no access or ability to "override" permissions. My example is with Windows: I can access any file after a reboot by live booting. Full disk encryption would prevent that.
The reason I'm not sure is this:
Quote:
Can Pidgin encrypt my username and password, or does it transfer them in clear text? Can a third person sniff my password?
Some of my information may be incomplete, as I am very tired and about to head to bed.
Quote:
Originally Posted by hack3rcon
Can Third person sniff my password?
Yes, a man-in-the-middle attack is possible. It is possible to use a packet sniffer and an SSL stripper to decrypt and display encrypted passwords. It is also definitely possible to view entire SSL encrypted conversations on any network using this same method.
The easiest man in the middle attack to carry out is an ARP poisoning attack on a local area network. Another such attack uses DNS poisoning to redirect a victim to the attacker, where the attacker then forwards traffic to its originally intended destination, after it has been decrypted.
The strength of the SSL encryption does not play a role in preventing such an attack since the traffic being intercepted is effectively being rerouted on the attacker's machine. The act of rerouting the traffic on the local host allows the attacker full access to manipulating the SSL session.
On the internet, the best way to circumvent this is to use trusted networks, ensure OpenSSL is up to date, and that you are not a victim of DNS poisoning either. The only way to circumvent ARP poisoning is to force static ARP tables on all hosts on your LAN so that the router is never confused about who is who on the network. By "use trusted networks", I mean that you should not log onto Google Talk (or any other sensitive service) on a public or untrusted network, untrusted VPN, over Tor, or using public proxies.
Apart from that information, I really do not feel comfortable sharing what software tools are used to carry out such an attack on a public forum. A quick google will tell you how it's done; the information is not hard to find.
Quote:
Originally Posted by hack3rcon
Can Pidgin encrypt my username and password, or does it transfer them in clear text?
Pidgin does not transfer your password in clear text if you force Pidgin to use SSL. In fact, I believe Google Talk will not allow you to log in unless you use secure settings, such as SSL.
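The reply above names ARP poisoning on the local network as the easiest way to get in the middle of a connection and static ARP entries as the countermeasure. On Linux both things are visible in the kernel's neighbour table, so a user can at least check their own host for the two tell-tale signs: one MAC address answering for several IPs (typically the attacker's MAC answering for the gateway as well as itself) and a gateway entry that is still dynamic, i.e. overwritable by a forged reply. The script below is an added example, not code from any poster in this thread. It assumes the text format of `/proc/net/arp` and the `ATF_COM` / `ATF_PERM` flag bits from the Linux kernel's `if_arp.h`; the table contents, gateway address and pinned MAC are constructed for demonstration.

```python
"""Spot-check a Linux ARP table for the poisoning indicators discussed above.

Added example, not code from any poster in this thread. It assumes the
/proc/net/arp text format and the ATF_COM / ATF_PERM flag bits from the Linux
kernel's if_arp.h; the table, gateway address and pinned MAC are constructed.
"""
import os

ATF_COM = 0x02   # entry is complete (MAC resolved)
ATF_PERM = 0x04  # entry is permanent (static, e.g. added with `arp -s`)

# Constructed sample: the gateway's MAC also answers for 192.168.1.37, and the
# gateway entry itself is dynamic (flags 0x2) rather than static (0x6).
SAMPLE_PROC_NET_ARP = """IP address       HW type     Flags       HW address            Mask     Device
192.168.1.1      0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.20     0x1         0x2         aa:bb:cc:dd:ee:01     *        eth0
192.168.1.37     0x1         0x2         00:11:22:33:44:55     *        eth0
192.168.1.50     0x1         0x0         00:00:00:00:00:00     *        eth0
"""


def parse_proc_net_arp(text):
    """Parse /proc/net/arp text (header line skipped) into a list of entry dicts."""
    entries = []
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, _hwtype, flags, mac, _mask, dev = parts[:6]
        entries.append({"ip": ip, "flags": int(flags, 16), "mac": mac.lower(), "dev": dev})
    return entries


def shared_macs(entries):
    """Map each MAC that resolves more than one IP on the same interface to those IPs.

    Only complete entries count; incomplete ones carry an all-zero MAC."""
    by_mac = {}
    for e in entries:
        if e["flags"] & ATF_COM:
            by_mac.setdefault((e["dev"], e["mac"]), []).append(e["ip"])
    return {mac: sorted(ips) for (_dev, mac), ips in by_mac.items() if len(ips) > 1}


def check_gateway(entries, gateway_ip, pinned_mac):
    """Compare the gateway's ARP entry with a MAC recorded out of band.

    Returns 'ok', 'mac_mismatch', 'not_static' (correct MAC, but still
    overwritable by a spoofed reply) or 'missing'."""
    for e in entries:
        if e["ip"] == gateway_ip:
            if e["mac"] != pinned_mac.lower():
                return "mac_mismatch"
            if not e["flags"] & ATF_PERM:
                return "not_static"
            return "ok"
    return "missing"


def load_arp_table(path="/proc/net/arp"):
    """Read the live table when available, otherwise fall back to the constructed sample."""
    if os.path.exists(path):
        with open(path, encoding="ascii") as fh:
            return parse_proc_net_arp(fh.read())
    return parse_proc_net_arp(SAMPLE_PROC_NET_ARP)


if __name__ == "__main__":
    table = parse_proc_net_arp(SAMPLE_PROC_NET_ARP)  # constructed data, not the live table
    for mac, ips in shared_macs(table).items():
        print(f"MAC {mac} answers for several IPs: {', '.join(ips)}")
    print("gateway 192.168.1.1:", check_gateway(table, "192.168.1.1", "00:11:22:33:44:55"))
```

Record the gateway's MAC while you are on a network you trust and pass that value as `pinned_mac`; a later mismatch or a duplicated MAC is something to investigate before logging in, not proof of an attack on its own, since routers with several addresses, redundancy pairs and virtualisation hosts legitimately present one MAC for multiple IPs. Making the gateway entry static, as the reply recommends, is what turns `not_static` into `ok`.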
I mean, if I configure Pidgin to use Tor, can a third person hijack my password?
Tor is not meant to increase security. Tor is meant to increase anonymity.
If you enable 2 factor authentication in your Google account and use app passwords, it will add an extra layer of security to your account. 2 factor authentication will not prevent your communications from being intercepted (possibly decrypted) while they pass through Tor exit nodes that are issuing a MITM attack. It is never a good idea to use network services on networks that are untrusted, such as Tor.
Tor is meant to anonymize its users. Using an account that easily identifies you, like Google Talk, is pointless since it defeats the purpose of Tor.
If you want to use a proxy for Google Talk, your best bet is to set up your own VPN using a virtual private server or a dedicated server. Though this still does not fully secure your communications, since the chat session still needs to make its way across the internet to Google's servers.
If you are that worried about user credentials or communications being intercepted, you should set up your own jabber service (or IRC service) on a server you control. Then allow your friends to connect to it over a VPN that runs on this same server. This is the most secure way to use instant messaging services, and will have the highest security (if set up correctly) in securing your communications, as well as user credentials. This method is also far more anonymizing since you control the chat server logs, who accesses it, its level of security, its level of encryption, and nothing goes over the internet.