Wednesday, November 4, 2009

Bad excuses for bad security

This document explains Pidgin's policies on storing passwords. In effect, they are:

  • Most passwords sent over IM services are plain-text, so a man-in-the-middle can sniff them.
  • Other IM clients are equally insecure.
  • You should not save the password at all because then nobody can attempt to decipher it.
  • Obfuscating passwords isn't secure (even though a properly encrypted stored password isn't obfuscation).
  • You shouldn't store sensitive data if there is a possibility someone might try to access it.
  • It won't kill you to type your password every time you log in.
  • We would rather you use a "desktop keyring", which isn't even portable or finished yet.

These explanations are really a verbose way of saying "we don't feel like implementing good security." I've been using Mozilla and Thunderbird for years now with a master password, which works similarly to a desktop keychain.

The idea is simple: encrypt the passwords in a database with a central key. When the application is opened or a login is attempted, ask the user for the master password. If it is correct, unlock the database and fetch the credentials you need. This way only someone who can supply the master password in the current application session can access the stored passwords.

What you gain is "security on disk": the data on the hard drive is protected. There are still plenty of ways to extract the passwords from a running system, but an attacker who only has the disk, rather than a live session, cannot recover the passwords without the master password. This is most useful for laptops and corporate workstations, where you don't necessarily control who has access to the hard drive.
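The scheme in the two paragraphs above, as an added example that is not Pidgin's code, Mozilla's, or the author's: a small Go program (the names SealVault, OpenVault, DeriveKey and the Vault record are my own) that derives the database key from the master password with PBKDF2-HMAC-SHA256 and encrypts the credential map with AES-256-GCM. The on-disk record it prints is everything a copy of the file contains; opening it with the wrong master password fails the authentication check instead of returning garbled data, which is exactly the "security on disk" property. The sample credentials are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Vault is the on-disk record: everything an attacker who copies the file gets.
type Vault struct {
	Salt       []byte `json:"salt"`       // random per vault, feeds the KDF
	Iterations int    `json:"iterations"` // PBKDF2 work factor
	Nonce      []byte `json:"nonce"`      // AES-GCM nonce, fresh per seal
	Ciphertext []byte `json:"ciphertext"` // AES-GCM output with the tag appended
}

// DeriveKey is PBKDF2-HMAC-SHA256 (RFC 8018), written out here because older Go
// releases ship no pbkdf2 package; each offline guess costs `iter` HMACs.
func DeriveKey(master string, salt []byte, iter, keyLen int) []byte {
	prf := hmac.New(sha256.New, []byte(master))
	var dk []byte
	for block := 1; len(dk) < keyLen; block++ {
		prf.Reset() // U1 = PRF(password, salt || INT_32_BE(block))
		prf.Write(salt)
		prf.Write([]byte{byte(block >> 24), byte(block >> 16), byte(block >> 8), byte(block)})
		u := prf.Sum(nil)
		t := append([]byte(nil), u...)
		for j := 1; j < iter; j++ { // U_j = PRF(password, U_{j-1}); T ^= U_j
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for k := range t {
				t[k] ^= u[k]
			}
		}
		dk = append(dk, t...)
	}
	return dk[:keyLen]
}

func aeadFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// SealVault encrypts an account->password map under a key derived from the master
// password; the salt is bound as associated data so it cannot be swapped out.
func SealVault(master string, creds map[string]string, iter int) (*Vault, error) {
	plain, _ := json.Marshal(creds)   // cannot fail for map[string]string
	buf := make([]byte, 16+12)       // 16-byte KDF salt followed by the 12-byte GCM nonce
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, nonce := buf[:16], buf[16:]
	aead, err := aeadFor(DeriveKey(master, salt, iter, 32))
	if err != nil {
		return nil, err
	}
	return &Vault{Salt: salt, Iterations: iter, Nonce: nonce,
		Ciphertext: aead.Seal(nil, nonce, plain, salt)}, nil
}

// OpenVault re-derives the key and decrypts. A wrong master password or a
// modified file fails the GCM tag check, so garbled plaintext is never returned.
func OpenVault(master string, v *Vault) (map[string]string, error) {
	aead, err := aeadFor(DeriveKey(master, v.Salt, v.Iterations, 32))
	if err != nil {
		return nil, err
	}
	plain, err := aead.Open(nil, v.Nonce, v.Ciphertext, v.Salt)
	if err != nil {
		return nil, fmt.Errorf("wrong master password or corrupted vault: %w", err)
	}
	creds := map[string]string{}
	err = json.Unmarshal(plain, &creds)
	return creds, err
}

func main() {
	creds := map[string]string{"xmpp:alice@example.org": "hunter2"} // constructed sample
	v, err := SealVault("correct horse battery staple", creds, 200000)
	if err != nil {
		panic(err)
	}
	onDisk, _ := json.Marshal(v)
	fmt.Printf("on disk: %s\n", onDisk)
	fmt.Println(OpenVault("correct horse battery staple", v))
	fmt.Println(OpenVault("not the master password", v))
}
```

The iteration count (200000 here) is what makes an offline guess against the file expensive; raise it as hardware allows. Using an authenticated mode and binding the salt as associated data means a modified vault file is rejected rather than silently decrypted to junk. This covers the on-disk half only: once the vault is open in a running session the plaintext is in process memory, which is the residual risk the post acknowledges.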

Policies like the one described above should not be tolerated in the open-source community. It's clear to anyone who actually cares about the integrity of their data that these developers are simply refusing to implement a modicum of good security because they have issues with people's perception of security. I don't agree with obfuscating passwords: if you're just scrambling them on the disk without a master password, that's no security at all. But a master password allows true encryption of the password database and thus secures the data on disk.

It would be nice if we could all have encrypted hard drives and encrypted home directories. Alas, not every environment is so flexible.
