therock | # 41 | 2010-01-18, 12:43 | Report

i have the PR1.1 fw installed and i had plain password in that file too

but i removed all the IM services and added them again and took a backup and the password does not show up anymore in that file... hmm

NvyUs | # 42 | 2010-01-18, 12:45 | Report

there's too many stupid excuses coming up in this thread, if it was apple iphone it would already be on the lunch time news about it.
there is no other device in my possession what allows the exploit of passwords via a simple type of few words in a web browser and saying dont let it out your hands is not a solution. How is easy would it be for family and friends to spy on each other and yes it does happens amongst insecure people..
lastly how easy would it be for someone to code something to feed that data to a server?

GameboyRMH | # 43 | 2010-01-18, 12:49 | Report

Storing passwords in plaintext EVER =



Seriously, it's about 3 more lines of code to encrypt it!

---

Last edited by GameboyRMH; 2010-01-18 at 12:51.

hqh | # 44 | 2010-01-18, 12:54 | Report

Like already mentioned, providing a false sense of security through obscuring the passwords would do no good either. They would still be easily accessible by determined "friends"/family members and malicious programs.

reviver | # 45 | 2010-01-18, 12:57 | Report

Funny thing is we probably wouldn't even be having this conversation if Nokia had done ROT-13 on those.

On the other hand somebody might now be thinking their passwords are safe.

Stskeeps | # 46 | 2010-01-18, 12:57 | Report

Bring it on, show us I'm willing to bet that we will be able to dissect anything you come up with due to the physical access to device.

NvyUs | # 47 | 2010-01-18, 12:57 | Report

but why leave the door open to even make it easy for non tech minded people

SubCore | # 48 | 2010-01-18, 12:58 | Report

you know, if you go to "file:///home/user/.ssh/id_rsa", you can see the PRIVATE key file of the N900's user! omg!

seriously, i bet the iPhone and android do the same basically, the exact location might be a bit more obscure, but it certainly isn't "encrypted" there, either.

saving as a hashed string might be enough to soothe concerns here, and should be fairly easy to implement.

ruskie | # 49 | 2010-01-18, 13:01 | Report

You are aware that the private key is usually encrypted as well

And it can be any other name Hell it could be anywhere else at that
A salted md5 hash would probably more or less avoid many of the concerns.

Stskeeps | # 50 | 2010-01-18, 13:02 | Report

A salted MD5 hash won't help you autologin to your favourite IM.