Pidgin is a free and open source client that lets you organize and manage your different Instant Messaging (IM) accounts using a single interface. The Off-the-Record (OTR) plug-in designed for use with Pidgin ensures authenticated and secure communications between Pidgin users.
Installing Pidgin and OTR
Version used in this guide
How-to Booklet chapter 7. Keeping your Internet Communication Private
Level: 1: Beginner, 2: Average, 3: Intermediate, 4: Experienced, 5: Advanced
Time required to start using this tool: 30 minutes
What you will get in return:
GNU Linux, Mac OS and other Microsoft Windows Compatible Programs:
Both Pidgin and OTR are available for Microsoft Windows and for GNU/Linux. Another multi-protocol IM program for Microsoft Windows that supports OTR is Miranda IM. For the Mac OS we recommend using Adium, a multi-protocol IM program that supports the OTR plugin.
Pidgin is a free and open source Instant Messaging (IM) client that lets you organize and manage your different IM accounts through a single interface. Before you can start using Pidgin, you must have an existing IM account, which you will then register to Pidgin. For instance, if you have an email account with Gmail, you can use their IM service GoogleTalk with Pidgin. The log-in details of your existing IM account are used to register and access your account through Pidgin.
Note: All users are encouraged to learn as much as possible about the privacy and security policies of their Instant Messaging Service Provider.
Pidgin supports the following IM services: AIM, Bonjour, Gadu-Gadu, Google Talk, Groupwise, ICQ, IRC, MIRC, MSN, MXit, MySpaceIM, QQ, SILC, SIMPLE, Sametime, Yahoo!, Zephyr and any IM clients running the XMPP messaging protocol.
Pidgin does not permit communication between different IM services. For instance, if you are using Pidgin to access your Google Talk account, you will not be able to chat with a friend using an ICQ account.
However, Pidgin can be configured to manage multiple accounts based on any of the supported messaging protocols. That is, you may simultaneously use both Gmail and ICQ accounts, and chat with correspondents using either of those specific services (which are supported by Pidgin).
Pidgin is strongly recommended for IM sessions, as it offers a greater degree of security than alternative messaging clients, and does not come bundled with unnecessary adware or spyware which may compromise your privacy and security.
Off-the-Record (OTR) messaging is a plugin developed specifically for Pidgin. It offers the following privacy and security features:
Note: Pidgin must be installed before the OTR plugin.
**Installing Pidgin with OTR**
Both Pidgin and its associated Off-the-Record (OTR) automated encryption and authentication engine must be installed properly for either program to work. Fortunately, the installation process for both the programs is easy and quick.
Step 1. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:
Figure 1: The Install Language confirmation box
Step 2. Click to activate the Welcome to the Pidgin 2.7.11 Setup Wizard screen.
Step 3. Click to activate the License Agreement screen; after you have read the License Agreement, click to activate the Pidgin 2.7.11 Setup - Choose Components window.
Step 4. Click to activate the Pidgin 2.7.11 Setup - Choose Install Location window.
Step 5. Click to accept the default installation path, and activate the Pidgin 2.7.11 Setup - Installing window to begin installing the Pidgin software.
A number of folders and files will begin installing themselves in rapid succession; after the installation process has been completed, the Pidgin 2.7.11 Setup - Installation Complete window will appear.
Step 6. Click to activate the Completing the Pidgin 2.7.11 Setup Wizard.
The following step is optional:
Step 7. Check the option, if you would like to launch Pidgin immediately.
Note: During Step 3 of the installation process, Pidgin was configured to be included in the Start > Programs list, and can be launched from there in the future.
Step 8. Click to complete installing Pidgin.
Step 1. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:
Figure 2: The Welcome to the pidgin-otr 3.2.0-1 Setup Wizard
Step 3. Click to activate the License Agreement screen; after you have completed reading the License Agreement, click to activate the pidgin-otr 3.2.0-1 Setup - Choose Install Location screen.
Step 4. Click to begin the installation process.
Step 5. Click to complete installing the Pidgin-OTR messaging software engine.
After you have completed installing both Pidgin and OTR, the following icon will appear in the Windows task bar:
Figure 3: The Pidgin-OTR icon outlined in black
Congratulations! You have successfully completed installing both the Pidgin and OTR programs!
There are four basic steps in the Pidgin account registration and setup process: registering an existing IM account to Pidgin; adding a correspondent (or buddy, as he/she is referred to in the Pidgin universe); getting your buddy to do the same; and lastly, accessing the chat window for your first chat session.
Given that chat or IM sessions take place between two parties, the examples on this page describe how the various forms and windows appear to both buddies/correspondents (represented by two fictional characters, Salima and Terence) at different stages of the account registration and set up process. All examples are based on the Google Talk protocol.
Note: Before you can start using Pidgin, you must already have an Instant Messaging (IM) account with one of the providers listed in Figure 3. If you would like to create an IM account, we strongly recommend Google Talk. Please refer to section 4.0 How to Create a Google Talk Account for more information and instructions.
To register your IM account to Pidgin, perform the following steps:
Step 1. Click or select Start > Pidgin to launch Pidgin. The first time you use Pidgin, the following screen will appear:
Figure 4: The Accounts confirmation window
Step 2. Click to activate a blank Add Account window as follows:
Figure 5: The Add Account screen displaying Basic, Advanced and Proxy tabs
Step 3. Click the Protocol drop-down list to view the IM service protocols supported by Pidgin as follows:
Figure 6: The Add Account window displaying a list of supported IM protocols
Step 4. Select the appropriate IM protocol.
Note: Different IM service providers will display their specific text fields for you to fill in. Some of them are automatically filled in (for example, if you select Google Talk, the Domain text field is completed for you). However, all services require that you enter a username and a password.
Step 5. Type in your email address (for example, firstname.lastname@example.org) in the Username field.
Step 6. Type in your password for this specific account in the Password field.
Step 7. Type a nickname you would like to be identified by in the Local Alias field. (This field is optional.)
Important: To optimise your privacy and security, do not enable the Remember password option. This means that Pidgin will prompt you for your password whenever you log in to chat on-line. Doing this prevents imposters from logging in and pretending to be you, if you happen to leave your computer unattended for some time. Also, remember to select the Quit item from the Buddies drop-down menu after finishing your chat session!
A completed Add Account screen would resemble the following:
Figure 7: An example of a completed Add Account form
Tip: Google Talk, IRC, SILC and XMPP clients can easily request an encrypted connection. Please read section 5.1 How to Enable a Secure Connection for more details.
Step 8. Click to complete adding your account, and simultaneously activate the updated Accounts and Buddy List screens as follows:
Figure 8: An updated Accounts window; Figure 9: The Buddy List in Active mode
After completing these steps, you are now ready to register your Pidgin buddies, by entering their contact information.
Adding buddies or correspondents in Pidgin involves adding and saving their contact information. In the example that follows, Terence will add Salima as his buddy.
To add a buddy to your IM account in Pidgin, perform the following steps:
Step 1. Click Buddies to activate its corresponding menu, and then select the + Add Buddy... item as follows:
Figure 10: The Buddy List menu with the "Add Buddy..." item selected
This will activate the following screen:
Figure 11: The Add Buddy window
Step 2. If you have multiple accounts, select the account that corresponds to the same messaging service as your 'buddy'.
Note: Both your buddy and yourself must be using the same messaging service, even if he/she is not using Pidgin. You cannot add an ICQ or MSN buddy to a Google Talk account. However, you can register and use multiple accounts based on these supported protocols in Pidgin, whereby you may chat with one buddy over Google Talk and with another using ICQ or MSN.
Step 3. Type in your buddy's email address in the Username field.
The following step is optional.
Step 4. Type in an Alias or nickname for your buddy in the (Optional) Alias field, so that your Add Buddy form resembles the following screen:
Figure 12: An example of a completed Add Buddy form
Step 5. Click to add your buddy.
Note: This will send a message to her/him requesting his/her approval or authorisation of your buddy request, and will appear in her/his Buddy List as follows:
Figure 13: Terence's Buddy List displaying Salima as his buddy
At this point, your buddy must perform the following step:
Step 6. Click to add this person as your buddy and display her/him in your Buddy List as follows:
Figure 14: The Authorize buddy request as it appears on Salima's Buddy List
Note: In the example above, Salima's Alias or nickname is displayed, adding yet another level of identity protection.
After you have added, authorised and confirmed your Pidgin chat buddy, he/she must now do the same with your IM contact information.
In this section, our example shows how Salima will in turn add, authorise and confirm Terence as her chat buddy in Pidgin. Salima will perform steps 1 through 6 in section 2.5 How to Add a Buddy in Pidgin.
After Salima has completed steps 1 through 3, her Add Buddy window appears as follows:
Figure 15: Salima's Add Buddy window
Salima will then click to simultaneously add Terence as her buddy, and send an authorisation request to Terence as follows:
Figure 16: The Authorize buddy request as it appears to Terence
Note: If you place your cursor over a buddy in the Buddy List, an information pop-up message will appear as follows:
Figure 17: Salima's Buddy List window displaying Terence as her newly created buddy
To open an IM chat window in Pidgin, perform the following steps:
Step 1. Right click your buddy's name in the Buddy List to activate a pop-up menu listing all the tasks you can perform as follows:
Figure 18: The Buddy tasks menu
Step 2. Select the IM item from the pop-up menu to activate a typical chat window as follows:
Figure 19: A typical chat window in Pidgin
Now you are almost ready to chat with your buddy using Pidgin. First, however, you must configure the OTR engine to ensure that your chat sessions will be private and secure.
From time to time, you might find your Pidgin account has been disabled; perhaps your Internet connection has been interrupted, or your computer may have frozen. Both situations might result in your Pidgin account being improperly closed or shut down - and disabled. Fortunately, Pidgin offers a variety of ways in which to re-enable your account.
To re-enable your account(s), perform the following steps:
Step 1. Click or select Start > Pidgin to launch Pidgin.
Step 2. Open the Accounts menu, and then select the Manage Accounts item as follows:
Figure 20: The Accounts menu with the Manage Accounts item selected (re-sized)
This will open the following screen:
Figure 21: The Accounts window (re-sized) displaying a disabled account
Step 3. Click the check box next to your account to activate the Pidgin password prompt as follows:
Figure 22: The Pidgin password prompt dialog box
Step 4. Type in your password so your own Pidgin password prompt dialog box resembles the following:
Figure 23: The Pidgin password prompt dialog box with the Enter password field completed
Step 5. Click to complete re-enabling your account as follows:
Figure 24: An example of a successfully re-enabled account
Step 6. Click to close the Accounts window.
Both your correspondent and yourself must configure the OTR plugin before you can enable private and secure Instant Messaging (IM) sessions. Given that this OTR plugin was designed especially for Pidgin, it will automatically detect when both parties have installed and properly configured the OTR plugin.
Note: If you request a private conversation with a friend who has neither installed nor configured OTR, it will automatically send a message explaining how they can obtain the OTR plugin.
To enable the OTR plugin, perform the following steps:
Step 1. Double click or select Start > Programs > Pidgin to launch Pidgin and activate the Buddy List window (please refer to Figure 1).
Step 2. Open the Tools menu, and then select the Plugins item as follows:
Figure 1: The Buddy List window with the Plugins item selected from the Tools menu
This will activate the Plugins window as follows:
Step 2. Scroll down to the Off-the-Record Messaging option, then click its associated check box to enable it.
Figure 2: The Pidgin Plugins window with Off-the-Record Messaging selected
Step 3. Click to begin configuring the Off-the-Record Messaging windows.
Basically, there are 3 steps involved in configuring OTR properly to effectively enable private and secure IM sessions and they are explained below:
The next two steps involve securing the IM session and authenticating your buddies.
The Second Step: This involves one party requesting a private and secure messaging session with another party currently on-line.
The Third Step involves authenticating or verifying the identity of your Pidgin buddy. (Note: In Pidgin, a buddy is anyone you correspond with during IM sessions. The process of verifying a buddy's identity is referred to as authentication in Pidgin. This means establishing that your buddy is exactly the person he/she claims to be.)
Secure chat sessions in Pidgin are enabled by generating a private key for the relevant account. The Off-the-Record configuration window is divided into the Config and the Known fingerprints tabs. The Config tab is used to generate a key for each of your accounts and to set specific OTR options. The Known fingerprints tab contains your friends' keys. You must possess a key for any buddy with whom you wish to chat privately.
Figure 3: The Off-the-Record Messaging screen displaying the Config tab
Step 1. To optimise your privacy, check the Enable private messaging, Automatically initiate private messaging and Don't log OTR conversations options in the Config tab as shown in Figure 3 above.
Step 2. Click to begin generating your secure key; a screen notifying you that a private key is being generated appears as follows:
Figure 4: The Generating private key confirmation box
Note: Your buddy must perform the same steps for his/her own account.
Step 3. Click after the private key (which resembles the following), has been generated:
Figure 5: An example of a fingerprint of the key generated by the OTR engine
Important: You have now created a private key for your account. This will be used to encrypt your conversations so that nobody else can read them, even if they do manage to monitor your chat sessions. The fingerprint is a long sequence of letters and numbers used to identify the key for a particular account, as shown in Figure 5 above.
Pidgin automatically saves and verifies your fingerprint, and those of your buddies, so that you will not have to remember them.
Step 1. Double-click the account of a buddy who is currently on-line to begin a new IM conversation. If both of you have the OTR plugin installed and properly configured, you will notice that a new OTR button appears at the bottom right corner of your chat window.
Figure 6: A Pidgin messaging window displaying the OTR icon outlined in black
Step 2. Click to activate its associated pop-up menu, and then select the Start private conversation item as follows:
Figure 7: The pop-up menu with the Start private conversation item selected
Your Pidgin IM window will then resemble the following screen:
Figure 8: The Pidgin IM window displaying the Unverified button
Note: Pidgin automatically begins communicating with your buddy's IM program, and generating messages, whenever you attempt to enable a private and secure chat session. As a result of this, the OTR button changes to , indicating that you are now able to have an encrypted conversation with your buddy.
Warning! Although this conversation is now encrypted, the identity of your buddy has not been verified yet. Beware: Your buddy might actually be someone else pretending to be your buddy.
You may use one of three methods of identification to authenticate your Pidgin buddy: 1) use a pre-arranged secret code phrase or word, 2) pose a question, the answer to which is only known to both of you, or 3) manually verify the fingerprints of your keys using a different method of communication.
You can arrange a code phrase or word in advance, either by meeting each other in person or by using another communications medium (like a telephone, voice chat by Skype or a mobile phone text message). Once you both type in the same code phrase or word, your session will be authenticated.
Note: The OTR secret code word recognition feature is case sensitive, that is, it can determine the difference between capital (A,B,C) letters and lower case (a,b,c) ones. Bear this in mind when inventing a secret code phrase or word!
Step 1. Click the OTR button in the chat window, then select the Authenticate Buddy item as follows:
Figure 9: The Unverified pop-up menu with the Authenticate buddy item selected
This will activate the Authenticate Buddy window, prompting you to select an authentication method.
Step 2. Click and select Shared Secret as follows:
Figure 10: The Authenticate buddy screen with the drop-down list revealed
Step 3. Enter the secret code word or phrase as follows:
Figure 11: The Shared Secret screen
Step 4. Click to activate the following screen:
Figure 12: The Authenticate Buddy window for a fictitious correspondent
Note: At this time your buddy will see the window shown in Figure 13 at his/her end and will have to enter the same code word. If they match, your session will be authenticated.
Figure 13: The Authenticate Buddy window for a fictitious correspondent
Once the session is authenticated, the OTR button will change to . Your session is now secure and you can be sure that you are really speaking with your buddy.
Another method of authenticating each other is the question and answer method. Create a question and an answer to it. After reading the question, your buddy must type in the exact answer, and if their answer matches yours, your identity will be automatically authenticated.
Step 1. Click the OTR menu in the active message window to activate its associated pop-up menu, and then select the Authenticate Buddy item (please refer to Figure 9).
Figure 14: A Pidgin chat window displaying the OTR icon
An Authenticate Buddy window will pop up prompting you to choose the method for authentication.
Step 2. Click the drop-down menu and select the Question and Answer item as follows:
Figure 15: The Authenticate buddy screen
Step 3. Enter a question and its corresponding answer. This question will be sent to your buddy.
Figure 16: The Questions and Answer screen
If your buddy's answer matches yours, then your identities will have been mutually authenticated or verified, and both parties are who they claim to be!
Once the session has been authenticated, the OTR button will change to . Your session will now be secure and you can be certain of your chat buddy's identity.
Notice that when you Select > Buddy List > Tools > Plugins > Off The Record Messaging > Configure Plugin, the Known fingerprints tab now displays your buddy's account, and a message that their identity has been verified.
Figure 17: The Off-the-Record Messaging screen displaying the Known Fingerprints tab
Congratulations! You may now chat privately. The next time you and your buddy chat (using the same computers), you can skip the first and third steps, above. You should only have to request a secure connection and have your buddy accept it.
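The verification state shown in the Known fingerprints tab can also be read directly from the plugin's fingerprint store, which is useful for spotting a buddy who has a second, unverified key (for example after moving to another computer). This is an added example, not part of the original guide: the sample data is constructed, and the file name (otr.fingerprints in Pidgin's .purple profile folder), the tab-separated layout and the trust values "smp" and "verified" are assumptions about what pidgin-otr writes.

```python
"""Read a pidgin-otr fingerprint store and report which keys are verified."""
import hmac
from collections import defaultdict

# Constructed sample. Assumed columns, tab-separated:
# buddy, your account, protocol, 40-hex-digit fingerprint, trust level.
# Assumed trust levels: "" = unverified, "smp" = shared secret or
# question and answer, "verified" = fingerprint checked manually.
SAMPLE_FINGERPRINTS = "\n".join([
    "\t".join(["salima@example.org", "terence@example.org/Home", "prpl-jabber",
               "0123456789abcdef0123456789abcdef01234567", "smp"]),
    "\t".join(["salima@example.org", "terence@example.org/Home", "prpl-jabber",
               "89abcdef0123456789abcdef0123456789abcdef", ""]),
    "\t".join(["claudia@example.org", "terence@example.org/Home", "prpl-jabber",
               "fedcba9876543210fedcba9876543210fedcba98", "verified"]),
]) + "\n"

HEX_DIGITS = set("0123456789abcdef")


def parse_fingerprints(text):
    """Return one dict per well-formed line; damaged lines are skipped."""
    entries = []
    for line in text.splitlines():
        fields = line.split("\t")
        if len(fields) < 4:
            continue
        buddy, account, protocol = fields[0], fields[1], fields[2]
        fingerprint = fields[3].strip().lower()
        trust = fields[4].strip() if len(fields) > 4 else ""
        if len(fingerprint) != 40 or not set(fingerprint) <= HEX_DIGITS:
            continue
        entries.append({"buddy": buddy, "account": account,
                        "protocol": protocol, "fingerprint": fingerprint,
                        "trust": trust})
    return entries


def display_form(fingerprint):
    """Format as five groups of eight upper-case hex digits, for reading aloud."""
    groups = [fingerprint[i:i + 8] for i in range(0, 40, 8)]
    return " ".join(groups).upper()


def matches_out_of_band(stored, spoken):
    """Compare a stored fingerprint with one received over another channel.

    Spaces and letter case are ignored; the comparison is constant-time.
    """
    normalised = "".join(spoken.split()).lower()
    return hmac.compare_digest(stored.encode(), normalised.encode())


def review(entries):
    """Return (buddy, fingerprint, status) tuples, sorted by buddy."""
    keys_per_buddy = defaultdict(list)
    for entry in entries:
        keys_per_buddy[(entry["buddy"], entry["protocol"])].append(entry)
    report = []
    for (buddy, _protocol), keys in sorted(keys_per_buddy.items()):
        for entry in keys:
            if entry["trust"]:
                status = "verified"
            elif len(keys) > 1:
                # A known buddy presenting a further key that was never checked.
                status = "unverified-additional-key"
            else:
                status = "unverified"
            report.append((buddy, display_form(entry["fingerprint"]), status))
    return report


if __name__ == "__main__":
    for buddy, fingerprint, status in review(parse_fingerprints(SAMPLE_FINGERPRINTS)):
        print(f"{buddy:22} {fingerprint}  {status}")
```

Any key reported as unverified should be authenticated again with one of the three methods above before anything sensitive is discussed.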
To create a Google Talk account (which uses the XMPP communications protocol), you must first create a Gmail account.
To create a Gmail account, perform the following steps:
Step 1. Open your Internet browser, and type http://www.google.com into the browser address bar to activate your local Google home page:
Figure 1: An example of a Google Home page
Step 2. Click the Gmail link (outlined in black), as shown below:
Figure 2: The Google Home page menu bar with the Gmail link
This will activate the following screen:
Figure 3: The Gmail account home page
Step 3. Click to activate the following screen:
Figure 4: The first half of the Create an Account page
Note: The Get Started with Gmail form is too long to be reproduced in its entirety, and is divided into two basic sections in this example. As usual, the less information you volunteer, the better the privacy and security of your email communications!
Step 4. Type in the information required into the First Name, Last Name and Desired Login Name text fields. For reasons of anonymity and confidentiality however, these should not correspond to your actual first and last names.
Step 5. Click to see if your desired log-in name is available. If it is not, you may have to invent something a little more original!
Important: As you may have noticed, the Stay signed in and Enable Web History features are automatically enabled whenever you attempt to create a new account. However, both these features can also compromise your on-line privacy and security, by allowing Gmail to track your on-line habits.
Step 6. Disable the Stay signed in and Enable Web History check boxes as shown in Figure 4 above and continue with the account creation process.
Figure 5: The second half of the Gmail Create an Account form
Step 7. Select a question from the Security Question drop-down list, and then type in a random combination of letters and numbers in the Answer text field, and leave the Recovery email text field blank as shown in Figure 5 above.
Step 8. Select a country listed in the Location drop-down list which corresponds to your current location.
Note: A further level of anonymity is possible if you have the opportunity to create a Gmail account while you are living in or travelling through a country that is not your country of origin or permanent residence.
Step 9. Type in the distorted word in the Word Verification field to confirm that a human is creating this account!
Step 10. Click to accept the Google Terms of Service, and activate the following page:
Figure 6: The Introduction to Gmail page
Congratulations! You have now created a Gmail account as well as a Google Talk account after completing the minimum required text fields, and by not offering superfluous or unnecessary information. Now that you have a Google Talk account, you are ready to register it to Pidgin. To learn more about registering your account to Pidgin, please refer to How to Register Your Instant Messaging Account to Pidgin. After you have done so, you may return to the following section to learn about enabling a secure connection.
Users who register and use Pidgin with a Google Talk, IRC, SILC or an XMPP compatible service, may configure Pidgin to use a secure channel or connection, otherwise known as the Secure Socket Layer (SSL) or Transport Layer Security (TLS).
To configure an SSL or TLS connection, perform the following steps:
Step 1. Click or select Start > Pidgin to launch Pidgin, and activate the Buddy List.
Step 2. Open the Accounts menu and select your account to activate its associated sub-menu, and then select the Edit account item as follows:
Figure 7: The Accounts menu displaying a Pidgin account with the Edit account item selected
This will activate the Modify Account window, and display the default Basic tab as follows:
Figure 8: The Modify Account menu displaying the default Basic tab
Note: If you already have a Gmail account, registered to Pidgin, the Modify Account window will appear as shown in Figure 8 above.
Step 3. Click the Advanced tab to configure it as follows:
Figure 9: The Modify Account screen displaying the Advanced tab
Step 4. Select the Use old-style SSL option to automatically enable a secure channel over which your messaging session can take place.
Step 5. Type talk.google.com into the Connect server text field.
Step 6. Click to save your settings, and then click the Proxy tab as follows:
Figure 10: The Modify Account screen displaying the Proxy tab
Step 7. Select the Use Global Proxy Settings item if this is not the default setting, and then click to enable a secure connection between your correspondent and yourself.
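Both the Remember password advice from the account registration steps and the connection security setting configured here can be checked in the accounts.xml file that Pidgin keeps in its .purple profile folder, where a remembered password is written in plain text. This is an added example, not part of the original guide: the sample file is constructed, and the element layout and setting names (connection_security with the values require_tls, opportunistic_tls and old_ssl) are assumptions about what Pidgin 2.x writes.

```python
"""Audit a Pidgin accounts.xml for stored passwords and unenforced encryption."""
import xml.etree.ElementTree as ET

# Constructed sample in the layout Pidgin 2.x is assumed to use.
# Account names and the password value are fictional.
SAMPLE_ACCOUNTS_XML = """<?xml version='1.0' encoding='UTF-8' ?>
<account version='1.0'>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>terence@example.org/Home</name>
  <password>constructed-not-a-real-password</password>
  <settings>
   <setting name='connection_security' type='string'>opportunistic_tls</setting>
   <setting name='connect_server' type='string'>talk.google.com</setting>
  </settings>
 </account>
 <account>
  <protocol>prpl-jabber</protocol>
  <name>salima@example.org/Home</name>
  <settings>
   <setting name='connection_security' type='string'>old_ssl</setting>
   <setting name='connect_server' type='string'>talk.google.com</setting>
  </settings>
 </account>
</account>
"""

# Values under which the client refuses to fall back to an unencrypted
# connection (assumed names; anything else is treated as not enforced).
ENFORCED = {"require_tls", "old_ssl"}


def audit_accounts(xml_text):
    """Return one finding dict per account; the password itself is never read out."""
    findings = []
    for account in ET.fromstring(xml_text).findall("account"):
        settings = {s.get("name"): (s.text or "").strip()
                    for s in account.findall("settings/setting")}
        security = settings.get("connection_security", "")
        findings.append({
            "name": account.findtext("name", default="?"),
            "protocol": account.findtext("protocol", default="?"),
            # Present only when Remember password was enabled for the account.
            "password_on_disk": account.find("password") is not None,
            "connection_security": security or "(unset)",
            "encryption_enforced": security in ENFORCED,
        })
    return findings


def problems(findings):
    """Return human-readable warnings for the accounts that need attention."""
    warnings = []
    for f in findings:
        if f["password_on_disk"]:
            warnings.append(f"{f['name']}: password is stored in accounts.xml; "
                            "disable Remember password and change the password")
        if not f["encryption_enforced"]:
            warnings.append(f"{f['name']}: connection security is "
                            f"{f['connection_security']}; encryption is not enforced")
    return warnings


if __name__ == "__main__":
    for line in problems(audit_accounts(SAMPLE_ACCOUNTS_XML)):
        print(line)
```

To audit a real profile, pass the contents of accounts.xml to audit_accounts instead of the sample string.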
Portable Pidgin is a free and open source client that lets you organize and manage your different Instant Messaging (IM) accounts using a single interface. The Portable Off-the-Record (OTR) plug-in designed for use with Pidgin ensures authenticated and secure communications between Pidgin users.
Given that portable tools are not installed on a local computer, their existence and use will remain undetected. However, keep in mind that your external device or USB memory stick, and portable tools are only as safe as the computer you are using, and may risk being exposed to adware, malware, spyware and viruses.
There are no other differences between Portable Pidgin and the version designed to be installed on a local computer.
To begin downloading and extracting Portable Pidgin, perform the following steps:
Step 1. Click http://portableapps.com/apps/internet/pidgin_portable to be directed to the appropriate download site.
Step 2. Click to activate its associated Source Forge download page.
Step 3. Click to save the installation file to your computer; then navigate to it.
Step 4. Double click ; the Open File - Security Warning dialog box may appear. If it does, click to activate the following screen:
Figure 1: The Language Installer window
Step 5. Click to activate the following screen:
Figure 2: The Pidgin Portable | PortableApps.com window
Step 6. Click to activate the following screen:
Figure 3: The Choose Components window
Note: Click to enable the option, and include multilingual support if you would prefer to use Portable Pidgin in a language other than English. Enabling this option will make the extraction process a little bit longer.
Step 7. Click to activate the Choose Install Location window, and then click to activate the following screen:
Figure 4: The Browse for Folder window
Step 8. Navigate to the destination external hard drive or USB memory stick, select it and then click to confirm its location, and to return to the Choose Install Location window.
Step 9. Click to begin extracting Portable Pidgin to the specified folder; then click to complete the installation process.
Step 10. Navigate to your destination external drive or USB memory stick, as shown in Figure 5 below, and then open it to confirm that the Portable Pidgin program was successfully extracted.
Figure 5: The Browse for Folder window
Before you may begin using Portable Pidgin in a safe and secure manner, you must first download and extract its complementary portable Off-the-Record (OTR) plugin.
Step 1. Click http://sourceforge.net/projects/portableapps/files/Pidgin-OTR%20Portable/Pidgin-OTR%20Portable%203.2%20Rev%202/ to be directed to the appropriate download site.
Step 2. Click to activate the Pidgin-OTR_Portable_3.2_Rev_2.paf.exe download window, and then click to save the installation file to your computer.
Step 3. Double click the downloaded installation file; the Open File - Security Warning dialog box may appear. If it does, click to activate the Installer Language window (please refer to Figure 1).
Step 4. Click to activate the Pidgin-OTR Portable | PortableApps.com window (please refer to Figure 2, which it resembles).
Step 5. Click to activate the Choose Install Location window (please refer to Figure 3 above, which it resembles).
Step 6. Click to activate its associated Browse for Folder window (please refer to Figure 4 above).
Step 7. Navigate to the destination external hard drive or USB memory stick, select it and then click to confirm its location, and to return to the Choose Install Location window.
Step 8. Click to begin extracting Portable Pidgin to the specified folder; click to complete the installation process.
Step 9. Navigate to your destination external drive or USB memory stick, as shown in Figure 5 above, and then open the Portable Pidgin program folder.
Step 10. Double click to launch Portable Pidgin.
Please refer to the Pidgin chapter to begin configuring and using it.
Both Claudia and Pablo have successfully installed and set up Pidgin and its associated OTR encryption and authentication engine. Both have spent a couple of hours exploring different features and options, and experimenting with chatting to each other using both Google Talk and other accounts based on different IM protocols supported by Pidgin.
However, Pablo still has a few questions about Pidgin-OTR.
Q: Can I use Pidgin-OTR to chat with friends in both MSN and Yahoo?
A: Although Pidgin-OTR supports a number of chat and messaging services, you have to use the same provider to initiate an IM session with your buddy. You both need to use an MSN or a Google Talk account for example. However, in Pidgin you can register and be on-line with several IM accounts simultaneously. That's the beauty of using a multi-protocol IM client.
Q: How may I access my Pidgin-OTR account on another computer?
A: You would have to generate a new private key to use with your IM account on that computer. You can start a conversation with your buddy using this new key, but you will need to authenticate your session again.
Q: What if I forget the login password for my IM account? Or what if someone steals it? Will they have access to my past and future conversations?
A: Pablo, this is an excellent and very important question. First of all, if you forget your password, you will have to generate a new IM account. After that, you must inform your buddy about your new account by calling her/him, by Skype, or using secure email or voice-chat.
Finally, you must authenticate each other as buddies. If someone has somehow obtained your IM password, that person could attempt to impersonate you when using Pidgin. Fortunately, he/she won't be able to authenticate the session without your shared code word. As such, your buddy may become suspicious. That's why authentication is so important. Furthermore, if you followed the instructions above and set the recommended preferences in the OTR 'Config' tab, then even someone who steals your password won't have access to your past conversations, since you chose not to record them.