Spark IM Client Local Password Decryption

2012.07.31
Credit: Adam Caudill
Risk: High
Local: Yes
Remote: No
CVE: N/A
CWE: N/A

The open source Spark IM client from Ignite Realtime has a feature that can save the user's password. This password is stored insecurely due to the use of a static encryption key. The password is stored in a file called "spark.properties" and is encrypted with Triple DES in ECB mode. The problem is that the key used to encrypt it is static (see source file "Encryptor.java"), thus all users of the application share a single key to 'protect' their password. Because of this, it's trivial to write a tool to scan for and decrypt these passwords. The Base64 encoded key is: ugfpV1dMC5jyJtqwVAfTpHkxqJ0+E0ae

I've written a simple tool (link below) that will scan a system (Windows only) and provide a list of recovered user names and passwords; to simplify auditing, it can also scan remote systems by using the administrative share. To perform this scan, the attacker needs to have access to the user's profile directory, either via local administrator privileges or misconfigured permissions.

Spark is often used with the Openfire jabber server (also from Ignite Realtime) as an internal IM solution, and can be configured to use LDAP for authentication, which makes the recovered credentials far more interesting. As of the current version (2.6.3), there does not seem to be a way to disable this feature.

More details: http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/
Decryption Tool: https://github.com/adamcaudill/sparkim-passview
Spark: http://www.igniterealtime.org/projects/spark/

My apologies if this had been previously documented; in my research I was unable to find anything.
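An audit helper for the issue described above, added here as an example and not part of the advisory or of the Spark project: it walks a user-profile root, parses each spark.properties it finds, and reports which accounts have a saved password so those users can be told to clear it and rotate the (possibly LDAP) credential. It does not decrypt anything. The profile sub-path and the property name "password" are assumptions, not taken from the advisory.

```python
"""Find Spark profiles with a saved password (added example, not Spark's own code)."""
import os
import re
from typing import Dict, List, Tuple

# ASSUMPTION: Spark keeps spark.properties under <profile>\AppData\Roaming\Spark on Windows.
SPARK_SUBDIR = os.path.join("AppData", "Roaming", "Spark")
# ASSUMPTION: the saved (3DES-encrypted) password is stored under the key "password".
PASSWORD_KEYS = ("password",)

# First unescaped '=', ':' or whitespace ends the key, as in java.util.Properties.
_KEY_END = re.compile(r"(?<!\\)[=:\s]")


def parse_properties(text: str) -> Dict[str, str]:
    """Minimal Java .properties parser: comments, '=', ':' or space separators,
    escaped separators in keys. Line continuations (trailing '\\') are not handled."""
    props: Dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        m = _KEY_END.search(line)
        if m is None:
            key, rest = line, ""
        else:
            key, rest = line[: m.start()], line[m.end():].lstrip()
            if rest[:1] in ("=", ":"):  # "key = value" / "key : value" forms
                rest = rest[1:].lstrip()
        key = key.replace("\\=", "=").replace("\\:", ":").replace("\\ ", " ")
        props[key] = rest
    return props


def has_saved_password(props: Dict[str, str]) -> bool:
    """True when any of the assumed password keys holds a non-empty value."""
    return any(props.get(k, "") for k in PASSWORD_KEYS)


def audit_profiles(root: str) -> List[Tuple[str, str]]:
    """Return (profile name, properties path) for each profile storing a password."""
    findings: List[Tuple[str, str]] = []
    for profile in sorted(os.listdir(root)):
        path = os.path.join(root, profile, SPARK_SUBDIR, "spark.properties")
        if not os.path.isfile(path):
            continue
        with open(path, encoding="latin-1") as fh:  # .properties files are ISO-8859-1
            if has_saved_password(parse_properties(fh.read())):
                findings.append((profile, path))
    return findings


if __name__ == "__main__":
    for who, where in audit_profiles(os.environ.get("PROFILES_ROOT", r"C:\Users")):
        print(f"{who}: saved password present in {where}")
```

Point it at the profile root (or a mounted administrative share) of an affected host; each line it prints is an account whose saved password should be cleared and whose credential should be rotated.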

References:

http://adamcaudill.com/2012/07/27/decrypting-spark-saved-passwords/
https://github.com/adamcaudill/sparkim-passview
http://www.igniterealtime.org/projects/spark/


Copyright 2024, cxsecurity.com