tin 1.40 creates the .tin directory with insecure permissions, which allows local users to read passwords from the .inputhistory file.