[Blink] Blink stores plain word passwords in its config file?
Dan Pascu
dan at ag-projects.com
Wed Nov 24 11:04:20 CET 2010
On 24 Nov 2010, at 11:51, Emil Ivov wrote:
> On 24.11.10 10:01, Dan Pascu wrote:
>> It wouldn't have made a difference if it was encrypted. Unless it uses
>> something that requires your input in order to be decrypted, which is
>> basically equivalent to not putting it in the config file but asking
>> the user for it every time blink starts
>
> Not quite, since you could use a single "master password" to encrypt
> credentials for all your accounts.
Indeed.
> While encrypting with a master password does not prevent users from
> someone modifying the application, it still gives them protection in a
> whole bunch of other scenarios like for example a stolen PC or remotely
> stolen config files.
At the risk of repeating myself, if anyone is worried about lost/stolen
computers they should encrypt their filesystem. Much safer and
simpler than to encrypt every application's data. Not to mention that
you are asked for a master password to unlock it only once when you
boot, not for every application that stores sensitive data on the disk.
> I understand that this is not a priority for Blink, and I actually find
> this reasonable. After all the OS does provide you with various ways of
> protecting your data so passwords, even when in plain text, are not
> completely unprotected. Most users would hence be fine with the current
> state of Blink. However, there's no reason to claim that doing anything
> more than that would be pointless.
None claimed that. My sole point is that these will only generate a
false sense of security without really improving anything. I would
rather have users aware of the issues and ask themselves what can they
do to really protect themselves given their particular use case,
rather than feel secure when they're not.
--
Dan