WeeChat DevCenter

Tag - password

Entries feed

Friday, February 26 2021

Script anti_password.py

You've sent your password to the wrong window (ie: WeeChat), and it is now public, viewed by 1,500 people?
For now, you have to change your password.

For the future, a new script is now available: anti_password.py.

How does it work?

When you press Enter to send text to a buffer, the script detects if the input is a password, in two ways:

  1. If the input matches a condition: number of words, lower/upper/digit/special chars.
  2. If a secured data value is in the input (reminder: secured data is the recommended way to store all your passwords in WeeChat) (requires WeeChat ≥ 3.1).

If a password is detected, the text is not sent to the buffer (3 times with the default config).

Note: the WeeChat commands (ie /xxx) are ignored and are always sent.


There are 4 options to configure the script (see /fset anti_password for a list of options with help):

  • allowed_regex: allowed regular expression (checked first)
  • password_condition: the condition used to detect a password
  • check_secured_data: whether the script checks for secured data (disabled, input equals secured data or secured data included in input)
  • max_rejects: the number of times the same input is rejected; after this number, the input is finally sent to the buffer.

Keep your passwords safe!

Updated on 2021-03-13: added option allowed_regex.

Sunday, August 4 2013

Secured data

Secured data has been added to WeeChat: you can now encrypt your passwords or private data in a new configuration file called "sec.conf".

This configuration file is read before any other file, and the values stored inside can be used in various WeeChat or plugins/scripts options.

To add secured data, you just have to set a passphrase (not mandatory, but recommended: this will encrypt data in sec.conf instead of plain text), and then add data, for example :

/secure passphrase this is my passphrase
/secure set freenode mypassword

And then you can use that in a server password, for example :

/set irc.server.freenode.sasl_password "${sec.data.freenode}"

For more info, see /help secure.

Options for encryption

You can use different cipher/hash algorithms, by setting following options:

  • sec.crypt.hash_algo: algorithm for hash: sha224, sha256 (default), sha384, sha512
  • sec.crypt.cipher: cipher: aes128, aes192, aes256 (default)
  • sec.crypt.salt: use salt (recommended for maximum security)
  • sec.crypt.passphrase_file: file with the passphrase (optional)

Note: the cipher block mode is CFB.

The encryption

It is done in 3 steps:

  1. derive a key from the passphrase (with optional salt)
  2. compute hash of data to encrypt
  3. encrypt the hash + data (output is: salt + encrypted hash/data)

The result is put as hexadecimal string in file sec.conf.

The decryption

It is done in 3 steps:

  1. derive a key using salt and passphrase
  2. decrypt hash + data
  3. check that decrypted hash == hash of data