Decoding/Decrypting passwords in your .xml file

As you may have noticed, the passwords in your .xml file are encrypted. Although one may argue that this is fake security, it does make sure that an intruder can't get your password if you're not logged in at that moment. Also, someone looking over your shoulder can't easily steal your passwords just like that.

If for any reason you do want to decode the password (for example if you forgot it, but do still remember your BitlBee password), you can use the -x flag to bitlbee. A few examples:

wilmer@peer:~/src/bitlbee$ cat wilmer.xml
<user nick="wilmer" password="g2NoCazlK5frSm+p5KpXu740qfph" version="1">
        <account protocol="msn" handle="wilmer@bitlbee.org" password="tj6AI0XThUe3E9+M20VZE5js" autoconnect="1">
        </account>
</user>
wilmer@peer:~/src/bitlbee$ ./bitlbee -x chkhash g2NoCazlK5frSm+p5KpXu740qfph pom
Hash matches given password.
wilmer@peer:~/src/bitlbee$ ./bitlbee -x dec pom tj6AI0XThUe3E9+M20VZE5js
fakepassword

NOTE: "pom" is just used in this example. Replace it with whatever your identify password is.

Run bitlbee -x to get a list of all possible commands. For example, you can use bitlbee -x hash to generate a new password hash if you want to change your password because you forgot your old one. When doing that, also replace all account password strings (bitlbee -x enc generates those) since they won't decrypt properly anymore.

How secure is this encryption by the way?

Your identify password (the password attribute of the user element in the example above) is not encrypted but MD5-hashed, with five bytes of salt, so it is not vulnerable to rainbow tables. All IM passwords (in the account elements) are first padded with random data to make it harder to guess the password length, and then encrypted using RC4, keyed with your identify password together with a salt and some other measures intended to make it sufficiently secure.
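The following Python script is an added illustration of the two mechanisms described above (a salted MD5 hash for the identify password, and RC4 under a salt-derived key with random padding for the IM passwords). It is not BitlBee's own code and does not reproduce BitlBee's file format: the blob layout (digest followed by salt, salt followed by ciphertext), the padding scheme with a length byte, the key derivation via MD5 and the padding limit PAD_MAX are all assumptions made for this example. RC4 and MD5 are both obsolete today; they appear here only because the page says that is what BitlBee used at the time.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

# The wiki says five bytes of salt; the rest of the layout is this example's own.
SALT_LEN = 5
# Maximum number of random padding bytes (assumption; the page gives no number).
PAD_MAX = 16


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Salted MD5 in this example's layout: base64(md5(password || salt) || salt)."""
    if salt is None:
        salt = secrets.token_bytes(SALT_LEN)
    digest = hashlib.md5(password.encode() + salt).digest()
    return base64.b64encode(digest + salt).decode()


def check_hash(blob: str, password: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except ValueError:
        return False
    if len(raw) != hashlib.md5().digest_size + SALT_LEN:
        return False
    digest, salt = raw[:-SALT_LEN], raw[-SALT_LEN:]
    expected = hashlib.md5(password.encode() + salt).digest()
    return hmac.compare_digest(digest, expected)


def rc4(key: bytes, data: bytes) -> bytes:
    """Textbook RC4 (key scheduling + keystream generation). Encrypt == decrypt."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def encrypt_account_password(im_password: str, identify_password: str) -> str:
    """Random-length random padding, then RC4 under md5(identify || salt).

    Layout (assumption): base64(salt || rc4(key, pad_len || padding || password)).
    A random pad length is what actually hides the password length.
    """
    salt = secrets.token_bytes(SALT_LEN)
    key = hashlib.md5(identify_password.encode() + salt).digest()
    pad_len = secrets.randbelow(PAD_MAX + 1)
    plaintext = bytes([pad_len]) + secrets.token_bytes(pad_len) + im_password.encode()
    return base64.b64encode(salt + rc4(key, plaintext)).decode()


def decrypt_account_password(blob: str, identify_password: str) -> str:
    """Inverse of encrypt_account_password. A wrong key yields garbage, not an error."""
    raw = base64.b64decode(blob)
    salt, ciphertext = raw[:SALT_LEN], raw[SALT_LEN:]
    key = hashlib.md5(identify_password.encode() + salt).digest()
    plaintext = rc4(key, ciphertext)
    pad_len = plaintext[0]
    return plaintext[1 + pad_len:].decode(errors="replace")


if __name__ == "__main__":
    # Constructed values mirroring the page's example ("pom" / "fakepassword").
    stored = hash_password("pom")
    print(stored, check_hash(stored, "pom"))
    enc = encrypt_account_password("fakepassword", "pom")
    print(enc, decrypt_account_password(enc, "pom"))
```

Two properties worth noting: because both the salt and the padding are random, encrypting the same IM password twice produces different blobs, and the stored identify hash can only be checked by recomputing it with the salt taken from the blob, which is exactly what a chkhash-style command has to do.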

BitlBee Wiki: DecodingPasswords (last edited 2010-08-22 07:55:54 by Wilmer)