Thursday, July 10, 2008

Security tip for Pidgin users

Pidgin is a cool IM client that supports several different protocols. It's multi-platform, fast and pretty lightweight and so is pretty popular. If you use Pidgin regularly, did you know that it stores all your user names and passwords in an unencrypted file? On Windows XP you can find the XML files at c:\documents and settings\(your username)\application data\.purple

If you are sane, you'd never save your passwords with Pidgin. The authors of the software say that no instant messaging client provides security for your passwords, so they aren't even going to try. This basically leaves password security up to you. The best approach is to simply not store passwords in Pidgin, you can use a password manager like Roboform or SplashID to store them instead.

Aside from passwords, however, there's quite a bit of potentially private information stored in this .purple folder. Not only are all your user names stored in there, along with the protocols they use, but so are your entire contact lists. If anyone wanted the lowdown on who you consider to be a buddy, all they would need to do is open up one of these .xml files.

If you must store passwords within Pidgin, or you don't like the idea of your user name and other data being left unencrypted on your machine, you might like this little hint. You can move the .purple directory to a more secure location (perhaps a Truecrypt container - ) by setting the environment variable "purplehome" to point to somewhere else on your machine. To set an environment variable in XP:-

Right-click on My Computer
Go to Properties -> Advanced tab
Click the "Environment Variables" button
In System Variables (the lower box), set a variable called purplehome with its value being the path to the new location (Example: I:\pidgin\Purple).

You then simply need to copy the .purple directory to the new location. Now, so long as you remember to un-mount your Truecrypt container when you are done yakking, your usernames/passwords and other sensitive data are fully encrypted. Moving the .purple directory might help protect against Pidgin password snooping malware too, so long as the malware doesn't know to check your "purplehome" environment variable.

A couple of caveats with this of course. When you are using Pidgin, your passwords are, of course, still unencrypted for all to see. Ideally, Pidgin would encrypt your passwords again as soon as you authenticated with MSN/Yahoo etc, but don't hold your breath for this kind of functionality happening any time soon. You can't dismount the Truecrypt container either, as Pidgin constantly writes to the xml files in the .purple folder.

Nevertheless, this approach certainly improves security a great deal over what is available by default. Yes, you could just encrypt your user data using Windows/NTFS own Encrypting File System (EFS), but a Truecrypt container generally offers better security than EFS. If you're really concerned about your privacy, Truecrypt 6 now offers a hidden operating system. Now you can not only encrypt your operating system, but hide it too. As ever, it's all about finding the right balance between convenience and security for you.

No comments: