[sylpheed:32955] Re: feature request - master password to protect all account passwords

stef stef_204 at yahoo.com
Sat May 2 03:17:03 JST 2009



This is definitely a security risk, IMHO.

And seems to emphasize my original point.


--- On Fri, 5/1/09, Bob White <bob at bob-white.com> wrote:

> From: Bob White <bob at bob-white.com>
> Subject: Re: [sylpheed:32953] feature request - master password to protect all account passwords
> To: sylpheed at sraoss.jp
> Cc: stef_204 at yahoo.com, sylpheed at sraoss.jp
> Date: Friday, May 1, 2009, 9:25 AM
> On Fri, 1 May 2009 09:03:03 -0700 (PDT)
> stef <stef_204 at yahoo.com> wrote:
> 
> >
> > Hi,
> >
> > I wanted to suggest what I feel would be an important feature:
> > implementing a master password to protect all other account/server
> > passwords.
> >
> > For example, I use quite a few email accounts and all are IMAP with
> > SSL.
> >
> > I cannot remember all the passwords "mentally" so I tell Sylpheed to
> > store them for me.
> >
> > However, this leads to a security risk in that anybody could
> > theoretically start up my Sylpheed client and download and read all
> > my emails, on any accounts, etc.
> >
> > Mozilla has an excellent counter-measure for this security problem in
> > that they have implemented a master password that is requested of the
> > user to access any other password, or protected email accounts.
> >
> > This raises the security level. I believe it is done on a "per
> > session" basis.
> >
> > Sure, I have a user password on my Linux box, so that in itself is a
> > security measure; I can lock my Linux session as well.
> >
> > But I wanted to mention this as it is still a concern to me, in cases
> > where the other 2 measures do not apply (probably through oversight on
> > user's part.)
> >
> > Are there any other users interested in a "Master Password" feature?
> >
> > Hiro, is it something you might consider adding to Sylpheed at some
> > point? Or perhaps, you consider time is better spent on the email
> > features and not on redundant security features?
> >
> > Lastly, are the account passwords currently stored with encryption or
> > are they available to see to any snooping or prying eyes gaining
> > access to your box (while you're at lunch for example) and looking for
> > the exact right file where the passwords are stored, etc.?
> >
> > Thanks.
> >
> Hi Stef,
> 
> The passwords are stored in plain text in the .sylpheed-2.0/accountrc
> file.
> 
> Bob W.


      

