[sylpheed:32965] Re: feature request - master password to protect all account passwords

Hiroyuki Yamamoto hiro-y at kcn.ne.jp
Thu May 7 15:06:11 JST 2009 

Hello,

Sorry for the delayed response, because I was away on vacation.

On Sat, 2 May 2009 10:31:29 -0700 (PDT)
stef <stef_204 at yahoo.com> wrote:

> 
> --- On Sat, 5/2/09, Bob White <bob at bob-white.com> wrote:
> 
> > From: Bob White <bob at bob-white.com>
> > Subject: Re: [sylpheed:32959] Re: feature request - master password
> > to protect all account passwords To: sylpheed at sraoss.jp
> > Cc: stef_204 at yahoo.com, sylpheed at sraoss.jp
> > Date: Saturday, May 2, 2009, 8:48 AM
> > On Sat, 2 May 2009 07:30:51 -0700 (PDT)
> > stef <stef_204 at yahoo.com> wrote:
> > 
> > > 
> > > Hi,
> > > 
> > > Just a quick summary on this security issue:
> > > 
> > > Actually there are 2 issues: a) protect against
> > someone gaining access to Sylpheed by starting it up and
> > doing send/receive.
> > > b) protect against someone reading
> > .sylpheed-2.0/accountrc
> > > 
> > > The only things I can think of for a) are:
> > > 
> > > 1) Lock my session if I leave my desk at work; for
> > those whom do not use a Desktop Manager (KDE, Gnome, etc.)
> > but only a Window Manager (fluxbox, Openbox, etc.) it is a
> > bit complicated.
> > > 
> > > 2) Protect the .sylpheed-2.0/accountrc file with
> > proper permissions:
> > > 
> > > Mine is:
> > > % ls -l .sylpheed-2.0/accountrc
> > > -rw------- 1 stef stef 10641 2009-05-01 00:09
> > .sylpheed-2.0/accountrc
> > > 
> > > But the above doesn't help with anyone gaining
> > access as "myself" when my box is running but I am
> > away from my desk.
> > > 
> > > 3) Do not store the passwords: not a very good option
> > as I check over 10 accounts and use complex passwords very
> > difficult to remember.  So that would be too inconvenient.
> > > 
> > > The model 'passwords behind a password',
> > meaning a master password that would encrypt/decrypt (or a
> > gpg signature) the .sylpheed-2.0/accountrc file and then
> > lets Sylpheed read it would seem to make sense.  But
> > developer efforts to implement need to be considered, as the
> > developer's time might be better served in focusing on
> > email features rather than security features.  Hiro's
> > feedback on this issue would be nice.
> > > 
> > > That summarizes my view of this issue.
> > > 
> > > Thanks.
> > > 
> > 
> > To implement a quasi secure accountrc file it would be
> > fairly
> > straightforward.  Instead of starting sylpheed directly,
> > run a script:
> > 1) decrypt sylpheedrc
> > 2) run sylpheed
> > 3) sylpheed exits -> encrypt sylpheedrc
> > 
> > I'm not sure how to implement this with MS Windows. 
> > Maybe a Windows
> > expert can tell us. :)
> > 
> > Your account passwords are encrypted unless you are
> > actually running
> > sylpheed.  Personally, I lock my session when I'm not
> > at the computer.
> > If I forget, it locks with the screensaver after 10
> > minutes.  That
> > seems like enough security for email password for me, but I
> > also have
> > little exposure to other people physically accessing my
> > computer.
> > 
> > I also use sdm (http://freshmeat.net/projects/sdm) to
> > remember the
> > hundreds of password I seem to need (email web sites,
> > etc.).  I never
> > use the same password for two locations.
> > 
> > 
> > Bob W.
> 
> Bob, I guess you have an idea there with the scripting in Linux.
> 
> You should be able to do that in Windows as well by using gpg and a
> batch file I believe: write your own script.cmd file and put in there
> the commands.  And run it to 1) decrypt and 2) launch Sylpheed
> 
> But I don't know if in Windows you can start gpg in command line with
> parameters, etc.--but I don't see why it wouldn't be possible.
> 
> It would be a bit convoluted as far as an email client is concerned
> and I thought having an optional Master Password feature (like
> Thunderbird has) would be an improvement in security.
> 
> Here's some more info I found:
> 
> <http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html>
> 
> Anyway, I have harped on this issue enough and don't want to wear out
> my welcome....
> 
> Perhaps Hiro will have some comments.

Actually I have received many requests about master password feature.
It will be implemented at some point in the future.

Currently I'm thinking how it should be implemented.
My current idea is:
 - encrypt passwords with AES-128 (or something) with master password
 - accountrc: password=(base64-encoded encrypted password)
              (or encrypt the whole accountrc?)
 - sylpheedrc: use_master_password=0/1

Of course this doesn't prevent someone gaining access to your computer
and take a look at already stored e-mails (they are also stored in plain
text).

-- 
Hiroyuki Yamamoto <hiro-y at kcn.ne.jp>

More information about the Sylpheed mailing list