Re: IM, Email Passwords Are Stored as Plain Text
 

Exactly. I keep hearing the argument "if the user knows the passwords are being stored as plaintext they'll be more careful with the file" but I had no idea they were being stored as plaintext until this thread appeared.

Although, it sounds like the issue may have been resolved in this update?

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

I dunno, but, damn, whoever wrote that FAQ needs a strong lesson in proper pronoun usage.

Re: IM, Email Passwords Are Stored as Plain Text
 

I was on more about the attitude of security via strong passphrases and of course the attitude that seems to be pushed out via the Pidgin FAQ of understanding >>>>> then weak security measures.... I do wonder what the Firefox dev who wrote the saved passwords module thinks about their weak security model?

In terms of the N900, I think what needs to be done now is some way of sanitising the file that stored the passwords from pre PR1.1 days!

Re: IM, Email Passwords Are Stored as Plain Text
 

Why do you falsely claim that Firefox uses a weak security model for saved passwords?

Re: IM, Email Passwords Are Stored as Plain Text
 

I'm not, I'm trying to be sarcastic :p

I'm just taking what is said by some posters on the thread (and from the Pidgin FAQ) and applying it to the fact that Firefox does save passwords locally. With Firefox it actually does save the passwords locally and encrypts them and it recommends the user to use a master password to ensure at least the passwords are not easily grabbed between sessions.

Re: IM, Email Passwords Are Stored as Plain Text
 

Without using the Master Password, Firefox, prior to 3.5, stores the passwords as securely as Pidgin as all you need is a proper base64 decoder (Firefox itself will suffice, javascript:atob("<base64 encoded username/pass here>") ) - the passwords are just a tad bit harder to get. Since the 3.5 version (on which microB is based as well) the things are more complicated as you need to read the signons.sqlite file (although the important data will be visible in a text editor) and then requires an extra step as it obviously encrypts the data (hence the key3.db even if no Master Password is used) with some for me unknown string, but if looked hard enough, it can be found as it's accessible to the browser without user input.

When using the Master Password, and one that can be considered a quality password at that (i.e. 12+ characters of mixed case, numbers and puncuation with no dictionary words or dates), it's one of the safest ways to store (unfortunately not to use, as it can be sniffed during the entry phase) passwords. And I'm all for it, somebody should file an enhacement request.

What I am against is calling the current system insecure just because it stores the passwords in plain text, and recommending base64/ROT13/whatever to make it more secure. It wouldn't, just like no other app that don't use keychain/master password/other means of proper encryption (with some added inconvinience to the end user) is not storing the passwords securely. This thread itself proves why a plain text storage is more secure - if it was obfuscated, many people would falsely think that their passwords are safe (just like they think for the microB passwords, even tho they are just as accessible).

Re: IM, Email Passwords Are Stored as Plain Text
 

I agree with everything you said apart from this last line. How does it prove it is more secure? Most people don't even know that their passwords are being stored in plain txt. If the app warns of how the password is stored when the user tries to store it then what you said would be true!

Re: IM, Email Passwords Are Stored as Plain Text
 

The thing is that rarely any app out there, which stores passwords locally, warns you on how your passwords are insecure. How is it any different than some other (Trillian, Miranda, even Digsby when `Auto Login` used...) IM? They all store locally passwords either plain text, or at best base64/ROT13 encoded.

If ~/.rtcom-accounts/accounts.cfg stored the passwords using base64/ROT13/something similar this thread wouldn't even exist in the first place, and users would falsely think that their passwords are safe, where in fact they are not. They are not safe in the microB browser as well, but are just fairly harder to retrieve. If somebody has a physical access to your device, you are not any safer with non-encrypted (with user/3rd party input) passwords as you are with plain text stored passwords.

I agree that some warning would be useful (education wise), but generally we need to educate people that nothing is secure if it's stored locally, and does not require further input and/or additional non-local based keys. Nothing! What use is to do that for the mail/telepathy/microB, when a user can install some third party software (for example FB widget, don't know how it stores the passwords tho) that will do just the same thing.

In the current situation, the easiest solution would be if the devs allowed to create an account without entering the password in the first place, and for careful users to enter their password each time they login to some service. Either that, or some sort of Master Password / keyring partition. Both should be filled as a feature request, I'd gladly vote for them.

Re: IM, Email Passwords Are Stored as Plain Text
 

Just because the norm is to encourage, or have some insecure method of storing passphrases doesn't mean it should be taken as the best method of doing something. The idea that storing passphrases locally is bad, and therefore no security is better then some, _without_ educating the user is flawed imho.

If we look beyond the single application, to the user environment, we already have tried and tested methods such as the gnome keyring (etc) which provide a certain level of protection between sessions. Sure a trojan (or admin) can grabbed those passwords during the session, but does that mean they shouldn't use it?

If we take the above reasoning to the extreme then unless some token system is used, we really should enter the passphrase in _each time_ it is used. Because if an application requires access to the passphrase during the session, it doesn't matter if it is stored locally or in memory, it can be compromised. That would mean each time you access a https connection you would need to type in a passphrase, each time your wifi needs to establish you would need to type in a passphrase and so on.

Of course the above example is being silly, but the point I am trying to make is there needs to be a balance between security and usability (for the average user).

Also I firmly believe that a secure system is a combination of little measures that are transparent to the user combined with user education. When a decent server admin hardens a box, they don't just do one thing, but lots of little things which on their own don't seem much, but all together makes the box a lot harder to compromise and makes the target less tasty for the would be attacker.

A FAQ posted on a site somewhere just sounds like a prepared excuse to laugh at people who have been compromised because they just didn't know better.

Re: IM, Email Passwords Are Stored as Plain Text
 

@mahousaru

Again, we have people that understand security trying to explain it to people that don't understand it, and probably don't really care to. What people do care about is feeling secure. These are two different things, and I responded to the latter. And so did you.

stskeeps already alluded to the only known solution to having a secure device that you can loan to someone. At a minimum, it would need a boot-up password and a special chip, the reason why is left to the reader that actually gives a sh*t.

Re: Warning - Exploit found, keep N900 to yourself until it's fixed!
 

That would be completely unusable for something like SIP over UDP (the most common case, and the bug does talk about RTCOM accounts after all) which needs the password whenever it REGISTERs (every few minutes), whenever you make a call or send a message etc.

Re: IM, Email Passwords Are Stored as Plain Text
 

Discussing security on a forum can get really dry, much better in a pub with lots of booze and a rubber hose to demonstrate the most cost effective cryptanalysis :D

I can't wait for the N900 to have some TPM mechanism, probably will have to buy a new unit, but I think it will be worth it, if it can really secure a device. For now I'll keep my sensitive conf files and documents on my FDE eeepc.

Re: IM, Email Passwords Are Stored as Plain Text
 

Oh come now. Doesn't everyone see the difference between needing "cat" to see all passwords and needing to write a script?

No lock is 100% secure. Even safes and professional security is rated in time alone with an expert. I happen to have such experts as friends, since I work in IT and although I'm a Windows guru, not every friend I have is. Some are Unix admins with more than enough know-how to wonder around poking "oooh, is this your messenger config file? Does keep track of ... ooooh. Nice passwords, dork".

There's not much of a difference between a normal lock and an open door for a thief, it takes one 10 seconds to go through it. However, HAVING a lock is not only effective for 99% of the population, it is also the international sign of "stay the heck away".

And no, an one-liner is not enough security. There has to be something that is not one-liner in the terminal. A modified ROT13 would be just fine, thanks. ROT15? Don't know. But there is no ROT15 implemented in any language, you need to write one and that takes a minute on the N900 kbd.

I have the time to see him typing furiously in the terminal and look over the shoulder. Also, it's not immediately obvious that it's a ROT15 and not ROT16 or similar, making the scanning source harder to write.

I'm not asking for 100% security, or even 20% security. I'm asking you not to leave the door wide open.

The draft is killing me.

Re: IM, Email Passwords Are Stored as Plain Text
 

Well, let's assume a 15-place rotation cypher; how about the following (proof-of-concept, only deals with capitals):

Encode ("ROT15"):
Decode ("ROT-15"):
But you won't notice him Googling "maemo 5 im password decrypt" and copy & pasting the result? Or are you expecting whomever you lend your device to have memorised the file:// URL?

Do you trust them not to ring up a premium rate sex line; which they could also do and cost you actual physical money.

The point is that "no-one" knew the name of the file until it was posted here and on the bug report. Why do you think ROTx security-by-obscurity is any better than putting-the-file-somewhere-obscure security-by-obscurity?

Re: IM, Email Passwords Are Stored as Plain Text
 

This talk of how long it would take for an attacker to type in a script is misleading. All the attacker needs to do is to take a copy of the file (e.g. email it to themselves, or copy and paste it into pastebin), then they can decode the passwords at their leisure later on. So it doesn't matter how much you obfuscate the password, it might as well be plain text.

Re: IM, Email Passwords Are Stored as Plain Text
 

I do have to disagree with your conclusion. Lets use an illustration. I used to live in NY, and one thing you notice there is that about 80% of parked cars have an anti-theft device on the steering wheel called "the club". Now, everyone that owns a club knows that a thief is able to defeat the club if they want to. So, why do they spend $30 or so it costs to buy it? Well, they do so in the hope that the thief chooses one of the 20% of cars that do not have a club and that would therefore be easier and more convenient to rob.

I think something like that is what many of us would like to have on our devices. Sure, a determined hacker can break our encryption and other safeguards if they really are determined. But, lets make it a bit harder for them to do so. Maybe they won't bother with ours and just go for the easy pickings.

Re: IM, Email Passwords Are Stored as Plain Text
 

All they need to do is encrypt with a master passphrase (aka the already well used keyring) and then cracking time depends on the quality of the password and implementation of the encryption. Of course if the attacker has access to a HPC and rainbow tables it might make the job a lot quicker!

Personally I just don't get why applying good practice from initial design is so hard.

Re: IM, Email Passwords Are Stored as Plain Text
 

So PR1.1 "fixed" the issue. The passwords are no longer stored in accounts.cfg. Hurray!

Where are they stored now?

Re: IM, Email Passwords Are Stored as Plain Text
 

To revive this thread from the dead.
Some passwords are stored in gconf like WPA EMail et... not good!

The serious thing here is not passwords but everything else. If I loose my device or forget about it somewhere and someone else picks it up, if it is on he can do anything with it, if its off he can do anything but cell actions... some kind of scary.
At least a device lock code should keep people of using it without flashing both images / and eMMC1. I have overdone it but I like to be on the safe side when it comes to private data. My desktop's drives are secured with proper crypt tools my netbook got a drive lock plus crypts and anything on my phone is just opened up to the beloved people touching it. MicroB has no master password to set, Email and Wifi passwords are stored plain text in gconf and so on!

My online life is meant to be available from N900 as "always Online" device but under the current setup all things but passwords for wifi and email are available without further interaction after a reflash and everything without so even a device lock wont help that much.

Control over what is exported as mass-storage would also be nice so the turned off device does export SD only or nothing.

Re: IM, Email Passwords Are Stored as Plain Text
 

Hum... a reflash disables the device lock?

Re: IM, Email Passwords Are Stored as Plain Text
 

if the device was not shutdown in device lock mode you can power up without it needed.
For flashing I don't know if the lock mode is changed, the password stays but the delay to auto-lock is gone.

Re: IM, Email Passwords Are Stored as Plain Text
 

Yes. Unlike the lock code itself (which is saved in CAL), the setting to activate the lock is stored in GConf (/system/osso/dsm/locks/devicelock_autolock_enabled), which of course is not stored when reflashing.

Re: IM, Email Passwords Are Stored as Plain Text
 

the value here is "true" without device_lock active. maybe its the applet that needs to be true?! I believe its not stored on eMMC1 so it will be flashed away... (cant find anything telling other than that)

Re: IM, Email Passwords Are Stored as Plain Text
 

Is it fixed in PR1.3? I'm not eager to read 13 pages of text... :)

Re: IM, Email Passwords Are Stored as Plain Text
 

It would have been enough to read the first three posts and check it.

As far as I can see it has been solved.