[Blink] Blink stores plain word passwords in its config file?

Emil Ivov emcho at sip-communicator.org
Wed Nov 24 10:51:02 CET 2010


On 24.11.10 10:01, Dan Pascu wrote:
> It wouldn't have made a difference if it was encrypted. Unless it uses  
> something that requires your input in order to be decrypted, which is  
> basically equivalent to not putting it in the config file but asking  
> the user for it every time blink starts

Not quite, since you could use a single "master password" to encrypt
credentials for all your accounts.

> I wonder how many users would be fine with being asked for every  
> account's password every time they start blink. 

Yes, that's exactly where a "master password" is a lesser evil.

> The conclusion is that there is no magic solution that will  
> automatically make it secure for anyone in any use case. The user  
> needs to understand security and he needs to know exactly what can be  
> used in what situation.

Indeed it would be great if all users understood the risks of what they
were doing but this is simply never going to happen. In the meantime
applications could still do their best to protect them even if it isn't
foolproof. We all lock our doors even though we are fully aware there
are tons of ways for burglars to get past this :).

While encrypting with a master password does not protect users from
someone modifying the application, it still gives them protection in a
whole bunch of other scenarios like for example a stolen PC or remotely
stolen config files.

I understand that this is not a priority for Blink, and I actually find
this reasonable. After all the OS does provide you with various ways of
protecting your data so passwords, even when in plain text, are not
completely unprotected. Most users would hence be fine with the current
state of Blink. However, there's no reason to claim that doing anything
more than that would be pointless.

Cheers,
Emil
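
An added example, not part of the original message and not Blink's code: one way a single master password can protect the credentials of every account in a config file, so a copied file is useless without that password. The function names, the JSON layout, the sample accounts and the choice of scrypt with AES-256-GCM from Node's built-in crypto module are assumptions made for illustration.

```javascript
// Added illustration: seal per-account passwords under one master password.
const crypto = require('node:crypto');

// scrypt makes each master-password guess expensive for whoever holds a stolen file.
function deriveKey(masterPassword, salt) {
  return crypto.scryptSync(masterPassword, salt, 32, { N: 16384, r: 8, p: 1 });
}

// Returns the object that would be written to the config file instead of plaintext.
function sealAccounts(masterPassword, accounts) {
  const salt = crypto.randomBytes(16);
  const key = deriveKey(masterPassword, salt);
  const entries = {};
  for (const [account, password] of Object.entries(accounts)) {
    const iv = crypto.randomBytes(12);           // fresh nonce for every entry
    const cipher = crypto.createCipheriv('aes-256-gcm', key, iv);
    cipher.setAAD(Buffer.from(account));         // bind ciphertext to its account name
    const ct = Buffer.concat([cipher.update(password, 'utf8'), cipher.final()]);
    entries[account] = {
      iv: iv.toString('base64'),
      ct: ct.toString('base64'),
      tag: cipher.getAuthTag().toString('base64'),
    };
  }
  return { kdf: 'scrypt', salt: salt.toString('base64'), entries };
}

// One prompt unlocks every account; a wrong password or an edited file returns null.
function openAccounts(masterPassword, sealed) {
  const key = deriveKey(masterPassword, Buffer.from(sealed.salt, 'base64'));
  const accounts = {};
  try {
    for (const [account, e] of Object.entries(sealed.entries)) {
      const d = crypto.createDecipheriv('aes-256-gcm', key, Buffer.from(e.iv, 'base64'));
      d.setAAD(Buffer.from(account));
      d.setAuthTag(Buffer.from(e.tag, 'base64'));
      const pt = Buffer.concat([d.update(Buffer.from(e.ct, 'base64')), d.final()]);
      accounts[account] = pt.toString('utf8');
    }
  } catch (err) {
    return null; // GCM tag check failed
  }
  return accounts;
}

// Constructed sample accounts, not taken from any real configuration.
const sample = { 'alice@example.org': 'sip-secret-1', 'alice@example.net': 'sip-secret-2' };
const sealedConfig = sealAccounts('correct horse battery staple', sample);
console.log(JSON.stringify(sealedConfig, null, 2));
```

The key exists only in memory after the prompt, so this covers the stolen-PC and stolen-config-file cases from the message, and, as the message says, not a modified application.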
