[sylpheed:32957] Re: feature request - master password to protect all account passwords

Antonio Ospite ospite at studenti.unina.it
Sat May 2 17:53:33 JST 2009


On Fri, 1 May 2009 11:17:03 -0700 (PDT)
stef <stef_204 at yahoo.com> wrote:

> 
> 
> This is definitely a security risk, IMHO.
> 
> And seems to emphasize my original point.
>

Hi,

As you can guess it is done deliberately, because _you_ as a user should
protect _your_ data, and your email client config is just data (let me
be a bit provocative on this point :)).

I saw a lot of other software which stores those "user-data" passwords in
plaintext; I recall a similar discussion for the Pidgin IM client:
http://developer.pidgin.im/wiki/PlainTextPasswords

You also know that there are ways to protect your user data, and this
master password mechanism would be redundant.

But maybe all those are just arguments posed by lazy coders who don't
want to add such a feature to their software :P (joking, eh)

Regards,
   Antonio

P.S.: please avoid top-posting, _at_least_ in mailing lists :)
http://en.wikipedia.org/wiki/Posting_style

> 
> --- On Fri, 5/1/09, Bob White <bob at bob-white.com> wrote:
> 
> > From: Bob White <bob at bob-white.com>
> > Subject: Re: [sylpheed:32953] feature request - master password to protect all account passwords
> > To: sylpheed at sraoss.jp
> > Cc: stef_204 at yahoo.com, sylpheed at sraoss.jp
> > Date: Friday, May 1, 2009, 9:25 AM
> > On Fri, 1 May 2009 09:03:03 -0700 (PDT)
> > stef <stef_204 at yahoo.com> wrote:
> > 
> > > 
> > > Hi,
> > > 
> > > I wanted to suggest what I feel would be an important feature:
> > > implementing a master password to protect all other account/server
> > > passwords.
> > > 
> > > For example, I use quite a few email accounts and all are IMAP with SSL.
> > > 
> > > I cannot remember all the passwords "mentally" so I tell Sylpheed to
> > > store them for me.
> > > 
> > > However, this leads to a security risk in that anybody could
> > > theoretically start up my Sylpheed client and download and read all my
> > > emails, on any accounts, etc.
> > > 
> > > Mozilla has an excellent counter-measure for this security problem in
> > > that they have implemented a master password that is requested of the
> > > user to access any other password, or protected email accounts.
> > > 
> > > This raises the security level.  I believe it is done on a "per
> > > session" basis.
> > > 
> > > Sure, I have a user password on my Linux box, so that in itself is a
> > > security measure; I can lock my Linux session as well.
> > > 
> > > But I wanted to mention this as it is still a concern to me, in cases
> > > where the other 2 measures do not apply (probably through oversight on
> > > user's part.)
> > > 
> > > Are there any other users interested in a "Master Password" feature?
> > > 
> > > Hiro, is it something you might consider adding to Sylpheed at some
> > > point?  Or perhaps, you consider time is better spent on the email
> > > features and not on redundant security features?
> > > 
> > > Lastly, are the account passwords currently stored with encryption or
> > > are they available to see to any snooping or prying eyes gaining access
> > > to your box (while you're at lunch for example) and looking for the
> > > exact right file where the passwords are stored, etc.?
> > > 
> > > Thanks.
> > > 
> > Hi Stef,
> > 
> > The passwords are stored in plain text in the .sylpheed-2.0/accountrc
> > file.
> > 
> > Bob W.
> 
> 
>       


-- 
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
A: Top-posting.
Q: What is the most annoying thing in e-mail?

  Web site: http://www.studenti.unina.it/~ospite
Public key: http://www.studenti.unina.it/~ospite/aopubkey.asc
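
Added example, not part of the original message and not Sylpheed's own code: a check that a plaintext account file such as the .sylpheed-2.0/accountrc named in the thread is readable only by its owner, reporting which accounts hold a stored password without exposing the values. The "[Account: N]" / "password=" layout and the sample contents are assumptions constructed for illustration.

```python
import os
import stat
import tempfile

# Constructed sample; the "[Account: N]" / "password=" layout is an assumption.
SAMPLE = """[Account: 1]
account_name=work
password=constructed-not-a-real-secret

[Account: 2]
account_name=home
password=
"""

def audit_accountrc(path):
    """Return (private, sections): private is True when neither group nor
    others have any permission bit on the file; sections lists the account
    sections holding a non-empty stored password (values are never returned)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    private = (mode & 0o077) == 0
    sections, current = [], None
    with open(path, encoding="utf-8", errors="replace") as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("[") and line.endswith("]"):
                current = line[1:-1]
            elif line.startswith("password=") and line != "password=":
                sections.append(current)
    return private, sections

def demo():
    """Audit a constructed file at mode 0644, tighten it to 0600, audit again."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "accountrc")
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(SAMPLE)
        os.chmod(path, 0o644)   # readable by group and others: the risky state
        before = audit_accountrc(path)
        os.chmod(path, 0o600)   # owner-only read/write
        after = audit_accountrc(path)
    return before, after

if __name__ == "__main__":
    print(demo())
```

File permissions only separate local users from each other; they do nothing against someone sitting at an unlocked session, which is the case the feature request is about.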