undefined | Better HN

0 points1amzave15y ago0 comments

A word of warning on Prey -- I looked into it myself and last I checked, it stores your email password unencrypted in a plain text file in your filesystem. Better still, a comment in the file describes it as "base64 encrypted". Sure, your average laptop thief is probably too clueless to run the trivial command to "decrypt" it, but it still strikes me as highly irresponsible of the developer.

That alone was plenty to convince me not to install it.

EDIT: it still does: https://github.com/tomas/prey/blob/master/config#L44

0 comments

11 comments · 4 top-level

there15y ago· 7 in thread

aside from mac os which has an encrypted keychain, how do you expect a password to be stored that is used by open source software, which has to be accessible by software that cannot prompt the user for a password?

orborde15y ago

You're right. To me, it's not their use of (effectively) plaintext that is worrisome. It's that the developer characterizes base64 as "encryption", which tells me that they don't even understand the security implications. As an example of a non-worrying response, here's Pidgin's documentation on their choice not to encrypt passwords: http://developer.pidgin.im/wiki/PlainTextPasswords

tomaspollak15y ago

"Having our passwords in plaintext is more secure than obfuscating them precisely because, when a user is not misled by a false sense of security, he is likely to use the software in a more secure manner."

I must say I don't agree with the Pidgin devs. They think that the user will use the software in a more secure manner because they assume he's aware that the password is stored in cleartext.

That may be true on 1% of the cases. But the other 99% of the people probably don't have a clue, and they wouldn't even know where to find the accounts.xml file in the first place.

cookiecaper15y ago

I'm not convinced that the appearance of that terminology in the file means the developer is unaware of the difference between encoding and encrypting something. I think we all know the meanings of some words, but continue to misuse them out of convenience and/or habit. It can be difficult to break such a habit. Perhaps you should simply include a patch that will reword the file in the correct manner. :)

1amzaveOP15y ago

Well, as you say OSX has the keychain (which is encrypted, and has command-line access tools). I think most Linux systems have something similar ('keyctl' on my system). I know nothing of Windows, but I would hope something analagous exists there too.

I mean, mail clients such as Thunderbird can be set up to safely remember passwords without storing them in cleartext, right? So clearly it's feasible...

there15y ago

no, thunderbird and firefox store passwords in a sqlite database. unless you have its "master password" set (which encrypts the contents with that password) then everything is in cleartext.

1 more reply

papercruncher15y ago

For Windows you can use the DPAPI, take a look at http://msdn.microsoft.com/en-us/library/ms995355.aspx. Of course if the intruder has your credentials then he can create a process to steal the encrypted passwords, but at least he can't just read the file by mounting the FS somewhere else

biot15y ago

Every hour, generate a random passphrase and output it to a source file. Trigger an automated compile of the project and bake it into the executable which is then auto-bundled into the installer. Upon installation, generate an additional random passphrase and concatenate the two together to form the symmetric encryption key. It's still security through obscurity, but it's a hell of a lot better than base64 encoding.

cool-RR15y ago

I looked at my own Prey installation and found this password, but it was just "password", apparently because I don't use the email feature. So it only affects the users of this feature.

catch2315y ago

Well, you don't need to use your primary email username/password. It only uses this to deliver mail. Just create a new one for the purposes of Prey.

tomaspollak15y ago

As someone noted, this only applies for the old standalone mode, as Prey needs to store your SMTP password in order to send the report via email later.

Most people use Prey + Control Panel nowadays. :)

j / k navigate · click thread line to collapse

0 comments

11 comments · 4 top-level

there15y ago· 7 in thread

orborde15y ago

tomaspollak15y ago

I must say I don't agree with the Pidgin devs. They think that the user will use the software in a more secure manner because they assume he's aware that the password is stored in cleartext.

That may be true on 1% of the cases. But the other 99% of the people probably don't have a clue, and they wouldn't even know where to find the accounts.xml file in the first place.

cookiecaper15y ago

1amzaveOP15y ago

I mean, mail clients such as Thunderbird can be set up to safely remember passwords without storing them in cleartext, right? So clearly it's feasible...

there15y ago

no, thunderbird and firefox store passwords in a sqlite database. unless you have its "master password" set (which encrypts the contents with that password) then everything is in cleartext.

1 more reply

papercruncher15y ago

biot15y ago

cool-RR15y ago

I looked at my own Prey installation and found this password, but it was just "password", apparently because I don't use the email feature. So it only affects the users of this feature.

catch2315y ago

Well, you don't need to use your primary email username/password. It only uses this to deliver mail. Just create a new one for the purposes of Prey.

tomaspollak15y ago

As someone noted, this only applies for the old standalone mode, as Prey needs to store your SMTP password in order to send the report via email later.

Most people use Prey + Control Panel nowadays. :)

j / k navigate · click thread line to collapse