I'm all for security and really like encryption (my Notebook's harddrive is encrypted, I've recently got a GPG Smartcard, ...) but sometimes you see big failes where security is atemted but doesn't actually secure anything but only hinders the legitimate user.

Today one of these candidates ate way to much of my time again. I'm currently getting more and more used to GNU Emacs and currently experimenting with emacs-jabber. Therefore copying my jabber accounts over from psi. As with these passwords you never type in I couldn't remember some of my jabber passwords -- no problem psi has to store them so it should be easy to get them, right?

Well actually not. The configuration file (XML) had a password entry but all that was in it was just obviously hex-encoded numbers. These numbers turned out to be be 16bit packages of characters that are XOR-ed against the JID So now you have to read them in in junks of 16bit, XOR them against the JID and get the password.

Time to recapitulate what this security helped. I've written a hacky 10 lines C Program that can reliably retrieve passwords from any config file I might come across. Seems you can do the same in 2 lines of perl. Ergo no security at all was added.

Next question: What did it cost? Needed an hour or so of researching the encryption and trial&error out the right program fragment. For nothing gained at all. Fail.

I suppose you reported bug against Psi?

While I agree that this is not strong security, you need to see security in the context of where it's used.

Unless they use strong encryption, and force you to enter a password every time you start up, you can always reverse engineer their cipher. This is especially true for open source, where a simple print statement in the right place is all you need.

And while you could argue that measures like these may lead a user to believe they are secure when they are not, a cipher like this will at least stop a casual snooper.

And that is probably all they devs intended, in this case.

Such obfuscation tricks exist not to secure the configuration file against an attacker, but to avoid exposing the password to a well-meaning person, such as a sysadmin or techie trying to help the user with the program in question and looking at the configuration file.

This is a same kind of security as displaying stars instead of actual password in a text field. No more, no less.

Yeah maybe I should just fill a feature request bug asking for *some* way to get at the passwords from within the program, a bit like firefox' password manager.

Not sure whether you really understand "security".... Storing passwords plain is just fine for such kinds of programs, as they rely on a secure system, where nobody but you can read those files.
If your system is compromised, you have other problems anyway and any attacker could grab even encrypted files at some place in memory.

And it does make sense to apply some easy translation like hex-encoding, to prevent human readers to accidentally read a password...

The versions in the <a href=http://www.arcteryx-outlet.com>Arc'teryx Jackets</a> catalogue things such as LT-jackets and SV hooded ones, the latter are manufactured as the Blazers to hardest outward meteorological conditions encounter. The outer nylon layer Gossamera and also the Home layer of polyurethane support maintaining the heavy water resistance, when the hood is worn, layers of collateral to your head to provide. Certainly, disposition be the <a href=http://www.arcteryx-outlet.com/mens-arcteryx-coats>Mens Arcteryx</a> Atom important weather Hooded Jackets of the largest ski and snowshoe routines and are much too ideal as a replacement for climbing! The plastic Coreloft, spear-carrier broad layers with the <a href=http://www.arcteryx-outlet.com/arcteryx-beta-jacket>Arcteryx Beta Jacket</a>, serves the insulation with the greatest je sais quoi as well as factor, where the discredit scores gives the breathability of the jacket be your conquering hero could supply, with all operations beneath the arm and sun-up flashlight pounds. Be involved in billed representing those travelling with <a href=http://www.arcteryx-outlet.com>Arcteryx</a> clique!