= Decoding/Decrypting passwords in your .xml file =

As you may have noticed your passwords in your .xml file are encrypted. Although one may argue that this is fake security, it does make sure that an intruder can't get your password if you're not logged in at that moment. Also, someone looking over your shoulders can't easily steal your passwords just like that.

If for any reason you do want to decode the password (for example if you forgot it, but do still remember your !BitlBee password), you can use the `-x` flag to `bitlbee`. A few examples:

{{{
wilmer@peer:~/src/bitlbee$ cat wilmer.xml
<user nick="wilmer" password="g2NoCazlK5frSm+p5KpXu740qfph" version="1">
	<account protocol="msn" handle="wilmer@bitlbee.org" password="tj6AI0XThUe3E9+M20VZE5js" autoconnect="1">
	</account>
</user>
wilmer@peer:~/src/bitlbee$ ./bitlbee -x chkhash g2NoCazlK5frSm+p5KpXu740qfph pom
Hash matches given password.
wilmer@peer:~/src/bitlbee$ ./bitlbee -x dec pom tj6AI0XThUe3E9+M20VZE5js
fakepassword
}}}

'''NOTE:''' "pom" is just used in this example. Replace it with whatever your identify password is.

Run `bitlbee -x` to get a list of all possible commands. For example, you can use `bitlbee -x hash` to generate a new password hash if you want to change your password because you forgot your old one. When doing that, also replace all account password strings (`bitlbee -x enc` generates those) since they won't decrypt properly anymore.

== How secure is this encryption by the way? ==

Your identify password (in the `user` attribute in the example above) is not encrypted, but MD5-hashed (with five bytes of salt, so not vulnerable to rainbow tables). All IM passwords (in the `account` attributes) are first padded with random data to make it harder to guess password length, and then encrypted using RC4 with your identify-password as the key with salt and some other measures to make it sufficiently secure.