IM, Email Passwords Are Stored as Plain Text

Member's Online

Page 3 of 15 | Prev | 1 2 3 4 5 13 | Next | Last

HeinzHarald | # 21 | 2010-01-18, 11:53 | Report

FYI I just tried adding a Google Talk account and logging in. Didn't show my password.

Edit: so to sum it up that's PR1.1 flashed, never taken a backup, no passwords showing in accounts.cfg for MSN, ICQ or Google Talk, though I've never been online with ICQ.

Last edited by HeinzHarald; 2010-01-18 at 11:57.

EmmaGx | # 22 | 2010-01-18, 11:54 | Report

... ooops ... that contains three of my passwords!

Rob1n | # 23 | 2010-01-18, 11:56 | Report

I have backed up (non protected), and neither my Ovi nor my Skype password are in the file. I've also had to restore from backup, and the Skype account wasn't recreated afterwards - I don't think the Ovi one was either, but I can't be sure.

Stskeeps | # 24 | 2010-01-18, 11:56 | Report

FWIW, unless you type in a passphrase upon startup of your device, there's no sane way to have encrypted passwords. The usual 'encrypted' passwords people see are usually a static passphrase and about as secure as a broken padlock. Yes, there's unencrypted passwords in gconf and other places. If they were to be truely encrypted we would need the TPM from Maemo6 devices. They have to be unencrypted as you would need to unlock it for the application each time it uses it.

The Following 14 Users Say Thank You to Stskeeps For This Useful Post:
Andre Klapper, andree, ArnimS, epage, hqh, Jaffa, javispedro, jjx, lma, lorelei, pelago, qwerty12, ragnar, sjgadsby

maxximuscool | # 25 | 2010-01-18, 11:56 | Report

damn, scary bug.
how do we fix that? all my password are in plaintext.This could lead to easy trojan data info collecting which lead to destructions.

o.o may god help us......

Venomrush | # 26 | 2010-01-18, 11:57 | Report

My question now is where does .rtcom-accounts\accounts.cfg get its data from to the backup and whether or not that's protected as well?

Rob1n | # 27 | 2010-01-18, 11:57 | Report

Perhaps this has been fixed and it's only accounts created prior to PR1.1 which still have passwords in?

The Following User Says Thank You to Rob1n For This Useful Post:
Andre Klapper

Andre Klapper | # 28 | 2010-01-18, 12:00 | Report

Originally Posted by MartinNZ View Post

also I've noticed that the autocomplete function caches my passwords too. Yesterday a frend of mine was composing an email with my N900 and the device suggested my passwords to him. Grr

That's fixed in 2.2009.51-1, see https://bugs.maemo.org/show_bug.cgi?id=5419 . Please always mention which version you are running.

The Following 3 Users Say Thank You to Andre Klapper For This Useful Post:
OVK, Rob1n, sjgadsby

Andre Klapper | # 29 | 2010-01-18, 12:01 | Report

Originally Posted by MartinNZ View Post

ive updated my firmware and it is still happening. just checked.

Of course it will as your dictionary file does not get overwritten. I don't think you want to start teaching the N900 from scratch?
You have to remove that string from the dictionary first...

Andre Klapper | # 30 | 2010-01-18, 12:02 | Report

So, what is the proposal here? base64 encoding which takes simply one command more to decrypt?

The Following User Says Thank You to Andre Klapper For This Useful Post:
sjgadsby

Page 3 of 15 | Prev | 1 2 3 4 5 13 | Next | Last