
    IM, Email Passwords Are Stored as Plain Text

    Jaffa | # 71 | 2010-01-18, 13:41 | Report

    Originally Posted by zwer View Post
    So, a guy that knows how to write an app, or inject his malicious code into some other app, and convince you to download and install it, will have more trouble getting your obfuscated passwords than those written in plain text? Come on...
    And if said app can be downloaded through App Manager? Or a file can be uploaded through the browser to a remote machine? Or someone can copy & paste a single command to ROT13 a file, or Base-64 decode it.


     
    ewan | # 72 | 2010-01-18, 13:42 | Report

    It's pretty obvious that the correct solution here is an encrypted store for the passwords on the filesystem, and a keyring process that keeps the unencrypted ones only in memory and hands them out to authorised applications. In other words, the exact same solution as everyone else already uses for this on other platforms (e.g. Gnome keyring, KDE's Wallet, Firefox's password/certificate store).

    What seems to be lacking is any will to actually implement that.


     
    zwer | # 73 | 2010-01-18, 13:42 | Report

    Asterisks on password entry (or even unixesque blind password entry) exist purely because someone might be looking over your shoulder - on my home PC I'd pretty much like an option to remove them... On a mobile device those are useful because you cannot control your environment and you never know who is looking over your shoulder.

    Password storage is a whole different thing - it exists because of convenience (not having to type passwords whenever you want to connect to some service). If you want to implement some security measures there - you have to give up on the convenience, as simple as that.

    The Following 3 Users Say Thank You to zwer For This Useful Post:
    Andre Klapper, frals, sjgadsby

     
    frals | # 74 | 2010-01-18, 13:44 | Report

    Originally Posted by Venomrush View Post
    For example:
    ATM it's difficult to know that apps on Extras got anything harmful in them... I believe it is reasonably easy to slip in a code to send accounts.cfg with passwords in plain text back
    Which is why we have... http://wiki.maemo.org/Extras-testing/QA_Checklist

    Originally Posted by
    Security risks

    The main security risks are financial damage, access to private data and harm to device components. If you find such risk in an application then you need to report it and the app can't be uploaded to Extras until a deeper analysis has been done with favourable results.

    The Following User Says Thank You to frals For This Useful Post:
    Andre Klapper

     
    hqh | # 75 | 2010-01-18, 13:48 | Report

    Originally Posted by twaelti View Post
    I can't believe the sheer arrogance of the ideologic "security folks", preaching supersecurity or none at all.
    In practice, having weak security IS better than no security.
    Which is worse?
    a) Thinking your passwords are safe while in reality they are not
    b) Knowing your passwords are not safe (if your device is in wrong hands)

    Yes there is always the "passwords are safe from your mom and little brother but not someone who knows what he's doing" option, but it will lead many users to "a".

    The Following 4 Users Say Thank You to hqh For This Useful Post:
    frals, javispedro, sjgadsby, zwer

     
    Matan | # 76 | 2010-01-18, 13:49 | Report

    Originally Posted by PhilE View Post
    You're a firefox user? Try running one of your stored passwords through this:
    Unfortunately for you, your example proves the opposite of your point. Firefox has the option to encrypt all your saved passwords using a master password.


     
    Venomrush | # 77 | 2010-01-18, 13:49 | Report

    Bug has been marked as INVALID

    Oh well, a major fail for N900/Maemo

    The Following User Says Thank You to Venomrush For This Useful Post:
    mullf

     
    NvyUs | # 78 | 2010-01-18, 13:50 | Report

    Originally Posted by hqh View Post
    Which is worse?
    a) Thinking your passwords are safe while in reality they are not
    b) Knowing your passwords are not safe (if your device is in wrong hands)

    Yes there is always the "passwords are safe from your mom and little brother but not someone who knows what he's doing" option, but it will lead many users to "a".
    Well, most of us until today have been duped already by option A, thinking they were safe.
    I'm sure if many people had been told option B before they hit submit to purchase, they would not have got the device at all.


    Last edited by NvyUs; 2010-01-18 at 13:53.

     
    zwer | # 79 | 2010-01-18, 13:52 | Report

    The `mom` argument is even more ludicrous (especially for grownups that don't live in their mom's basement :P) - your mom wouldn't know where to look for the said file. If she would, chances are that she knows how to base64/whatever-fully-reversible-algorithm-is-used decode it. And yes, she might find a site on the internet that shows where the said file is, but then again, if it were obfuscated there would be instructions how to deobfuscate it.

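    Posts #71 and #79 both rest on ROT13 and Base64 being keyless and fully reversible. As an added example (not written by any poster in this thread), here is a QA-side check that enters a known canary password into an application and then tests whether the credential store gives it back under any keyless transform. The store layout, field names and canary value are constructed for illustration and are not the real accounts.cfg format.

```python
import base64
import codecs


def _b64(value):
    # validate=True rejects anything that is not strict Base64
    return base64.b64decode(value, validate=True).decode("utf-8")


def _hex(value):
    return bytes.fromhex(value).decode("utf-8")


# Transforms that need no secret to undo: obfuscation, not encryption.
DECODERS = {
    "plaintext": lambda value: value,
    "rot13": lambda value: codecs.decode(value, "rot13"),
    "base64": _b64,
    "hex": _hex,
}


def find_canary(store_text, canary):
    """Return (line_no, field, transform) for each stored value that
    yields the canary password without any key."""
    findings = []
    for line_no, line in enumerate(store_text.splitlines(), 1):
        field, sep, value = line.partition("=")
        if not sep:
            continue  # section header or blank line
        value = value.strip()
        for name, decode in DECODERS.items():
            try:
                recovered = decode(value)
            except ValueError:  # bad Base64/hex, or bytes that are not UTF-8
                continue
            if recovered == canary:
                findings.append((line_no, field.strip(), name))
    return findings


CANARY = "Canary-7f3a!"  # constructed test password typed into the app under test
SAMPLE = "\n".join([     # constructed store contents, not a real accounts.cfg
    "[im-account-0]", "username = alice@example.org", "password = Canary-7f3a!",
    "[mail-account-0]", "password = Q2FuYXJ5LTdmM2Eh",
    "[sip-account-0]", "password = Pnanel-7s3n!",
    "[sealed-account-0]", "password = 9f1c0a7be44d02c3a1",
])

if __name__ == "__main__":
    for hit in find_canary(SAMPLE, CANARY):
        print("recoverable without a key:", hit)
```

    A value that produces no finding is not thereby shown to be safe; the check only proves the negative case, that a store is readable by anyone who can read the file.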

     
    Rob1n | # 80 | 2010-01-18, 13:52 | Report

    Originally Posted by Venomrush View Post
    Bug has been marked as INVALID
    As it no longer appears to be happening in PR1.1, I'm not surprised.


     