where is psi-plus storing my password?


Kevin K

Oct 16, 2019, 2:56:15 PM
to Psi-Users
Hi,

I read that psi-plus stores account passwords obfuscated in accounts.xml, in a format that can be trivially decoded.

I wanted to check mine and instead of a random-looking string in <password>, I see a series of zeros followed by two non-zero digits. I notice that changing my password and saving it results in the last two digits increasing - i.e., the <password> string went (in this case) from 72 to 73.

When I disable gnome-keyring, saving a changed password still works. When I use seahorse to look at my stored passwords, I see my stored Pidgin password but I do not see a psi+ password.

What am I missing? Where's it being stored?


thanks

Kevin

Sergey Ilinykh

Oct 16, 2019, 4:39:13 PM
to psi-...@googlegroups.com
By default it tries to store in the keyring manager unless it's disabled in settings, trying to autodetect which one is available in your environment.
Another reason why the keyring manager can be ignored is using a portable version of Psi.
When the password is stored in the keyring manager, it's not written to the xml file at all.

I can't comment on the series of zeros, never seen that.

Best Regards,
Sergey



Boris Pek

Oct 17, 2019, 5:11:35 AM
to psi-...@googlegroups.com
1) Which version of Psi+ are you using?
2) Is it built with support for a desktop keyring manager?
3) If yes, check the value of the option: Psi+ Options --> Application --> Use system keyring manager.

Best wishes,
Boris

Kevin K

Oct 17, 2019, 10:31:50 AM
to Psi-Users
Hi Boris,

Thanks for the reply.

The version is psi+ v1.2.109, it's the one that comes packaged with OpenSuSE 15.0. It's behaving like it's using the desktop keyring, but I don't see it when I inspect the keyring's contents. I don't see any enabling or disabling of a keyring manager specified in the source package it was built from. I also don't see any as a configure option in the source code (when I do ./configure --help).

I also don't see "use system keyring manager" under options -> Application ... could the option to disable it have been removed - with the intent to not allow it as packaged to allow the more unsafe password storage in accounts.xml?

Boris Pek

Oct 17, 2019, 10:55:41 AM
to psi-...@googlegroups.com
Hi,

> The version is psi+ v1.2.109, it's the one that comes packaged with OpenSuSE 15.0.   It's behaving like it's using the desktop keyring, but I don't see it when I inspect the keyring's contents.  I don't see any enabling or disabling of a keyring manager specified in the source package it was built from.  I also don't see any as a configure option in the source code (when I do ./configure --help).
>
> I also don't see "use system keyring manager" under options -> Application ... could the option to disable it have been removed - with the intent to not allow it as packaged to allow the more unsafe password storage in accounts.xml?

You are using a very old version of Psi+. According to the git logs (see the psi-plus-snapshots repo), QtKeychain support was added in Psi+ 1.2.145. Also, that code has been significantly improved since then.

BTW, the current version of Psi+ is 1.4.913...

Best wishes,
Boris

Kevin K

Oct 17, 2019, 1:14:32 PM
to Psi-Users
If I were having a problem with this version, I would be happy to try a newer one. It's working great - I just need to know where it's keeping my password!

thanks

Kevin

Boris Pek

Oct 17, 2019, 3:31:33 PM
to psi-...@googlegroups.com
> If I were having a problem with this version, I would be happy to try a newer one.   It's working great - I just need to know where it's keeping my password!

In your version of the program, the password for your XMPP account is stored in the accounts.xml file in encrypted format.

To decrypt it, you may use our special service:
https://psi-plus.com/tmp/passwordrecovery.html
or write your own program based on the Psi+ sources.

Best wishes,
Boris

Kevin K

Oct 21, 2019, 7:28:16 AM
to Psi-Users


On Thursday, October 17, 2019 at 3:31:33 PM UTC-4, Boris Pek wrote:
>> If I were having a problem with this version, I would be happy to try a newer one.   It's working great - I just need to know where it's keeping my password!
>
> In your version of program your password from XMPP account is stored in accounts.xml file in encrypted format.

... but it's not. I saw it stored that way in earlier versions, but as mentioned in my initial post, in my accounts.xml file I just see:

Boris Pek

Oct 21, 2019, 9:17:36 AM
to psi-...@googlegroups.com
>> In your version of program your password from XMPP account is stored in accounts.xml file in encrypted format.
>
> ... but it's not.   I saw it stored that way in earlier versions, but as mentioned in my initial post, in my accounts.xml file I just see:
>
> " instead of a random-looking string in <password>, I see a series of zeros followed by two non-zero digits.   I notice that changing my password and saving it results in the last two digits increasing - i.e., the <password> string went (in this case) from 72 to 73."

Your assumptions about "random-looking string" have nothing in common with reality.

The current algorithm has not been changed for many years. Just look in the program sources if you do not believe me.

If you do not understand the algorithm in the sources, you may test password decryption using this service:
https://psi-plus.com/tmp/passwordrecovery.html

And you will see that the stored hex string contains exactly your password for the specific jid.

Best wishes,
Boris

Kevin K

Oct 22, 2019, 8:02:31 AM
to Psi-Users
Boris,

I understand what you're saying, and I've seen and decrypted my own password from an old accounts.xml file.

My current account is not storing the password in accounts.xml. The line in that file is:

   <password type="QString">000000000000000000000072</password>


When I change and update my Jabber password, that number increments. My password is being stored elsewhere. I do not see an entry for it in the gnome-keyring. Where else can I look for it?
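
An added example, not part of the thread and not Psi+ code: a Python check that reports, per account, whether accounts.xml carries a stored <password> value or nothing (the case Sergey describes for keyring storage), and whether the file mode keeps the file private. Only the <password> line comes from the thread; the surrounding element layout (a0, a1, a2, jid) and the JIDs are assumptions.

```python
import stat
import string
import xml.etree.ElementTree as ET

# Constructed sample. Only the <password> line is taken from the thread; the
# surrounding layout, element names (a0, a1, a2, jid) and JIDs are assumptions.
SAMPLE = """<accounts>
  <a0>
    <jid type="QString">user@example.org</jid>
    <password type="QString">000000000000000000000072</password>
  </a0>
  <a1>
    <jid type="QString">other@example.org</jid>
    <password type="QString"></password>
  </a1>
  <a2>
    <jid type="QString">third@example.org</jid>
  </a2>
</accounts>"""


def audit_accounts(xml_text):
    """Return (jid, status, stored_length) for every element with a <jid> child."""
    findings = []
    for acct in ET.fromstring(xml_text).iter():
        jid = acct.find("jid")          # direct children only
        if jid is None:
            continue
        value = (acct.findtext("password") or "").strip()
        if not value:
            status = "not-in-file"      # nothing written, e.g. keyring in use
        elif all(c in string.hexdigits for c in value):
            status = "hex-in-file"      # a stored hex string is on disk
        else:
            status = "other-in-file"    # unexpected format, inspect by hand
        findings.append((jid.text, status, len(value)))
    return findings


def is_private(mode):
    """True if no group/other permission bits are set in the file mode."""
    return stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO) == 0


if __name__ == "__main__":
    for jid, status, n in audit_accounts(SAMPLE):
        print(f"{jid}: {status} ({n} chars stored)")
    print("0600 private:", is_private(0o100600), "| 0644 private:", is_private(0o100644))
```

To check a real profile, pass the file's text to audit_accounts() and os.stat(path).st_mode to is_private().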

Виталий Тонкачеев

Oct 22, 2019, 8:06:59 AM
to Psi-Users
Try to find an xmpp item in gnome-keyring. All psi passwords should be there.

Dealer_WeARE

Oct 22, 2019, 4:18:00 PM
to Psi-Users

What about the last option?

[Attached image: 1.jpg]


