[sylpheed:32958] Re: feature request - master password to protect all account passwords

stef stef_204 at yahoo.com
Sat May 2 23:03:58 JST 2009


Antonio,
Thanks for your thoughts, even if I disagree.
I still perceive the fact that Sylpheed stores the account passwords in plain text as an inadequate level of security.
I obviously cannot encrypt that file as I don't believe Sylpheed would be able to decrypt them automatically.
Unless I am mistaken.

You say:
> You also know that there are ways to protect your user
> data

OK, which way, as it applies to Sylpheed and the file '.sylpheed-2.0/accountrc'?


--- On Sat, 5/2/09, Antonio Ospite <ospite at studenti.unina.it> wrote:

> From: Antonio Ospite <ospite at studenti.unina.it>
> Subject: [sylpheed:32957] Re: feature request - master password to protect all account passwords
> To: sylpheed at sraoss.jp
> Date: Saturday, May 2, 2009, 1:53 AM
> On Fri, 1 May 2009 11:17:03 -0700 (PDT)
> stef <stef_204 at yahoo.com> wrote:
> 
> > 
> > 
> > This is definitely a security risk, IMHO.
> > 
> > And seems to emphasize my original point.
> >
> 
> Hi,
> 
> As you can guess it is done deliberately, because _you_ as
> a user should
> protect _your_ data, and your email client config is just
> data (let me
> be a bit provocative on this point :)).
> 
> I saw many other softwares which store those
> "user-data" passwords in
> plaintext, I recall a similar discussion for the pidgin IM
> client:
> http://developer.pidgin.im/wiki/PlainTextPasswords
> 
> You also know that there are ways to protect your user
> data, and this
> master password mechanism would be redundant.
> 
> But maybe all those are just arguments posed by lazy coders
> who don't
> want to add such feature to their softwares :P (joking, eh)
> 
> Regards,
>    Antonio
> 
> P.S.: please avoid top-posting, _at_least_ in mailing lists
> :)
> http://en.wikipedia.org/wiki/Posting_style
> 
> > 
> > --- On Fri, 5/1/09, Bob White
> <bob at bob-white.com> wrote:
> > 
> > > From: Bob White <bob at bob-white.com>
> > > Subject: Re: [sylpheed:32953] feature request -
> master password to protect all account passwords
> > > To: sylpheed at sraoss.jp
> > > Cc: stef_204 at yahoo.com, sylpheed at sraoss.jp
> > > Date: Friday, May 1, 2009, 9:25 AM
> > > On Fri, 1 May 2009 09:03:03 -0700 (PDT)
> > > stef <stef_204 at yahoo.com> wrote:
> > > 
> > > > 
> > > > Hi,
> > > > 
> > > > I wanted to suggest what I feel would be an
> important
> > > feature:  implementing a master password to
> protect all
> > > other account/server passwords.
> > > > 
> > > > For example, I use quite a few email
> accounts and all
> > > are IMAP with SSL.
> > > > 
> > > > I cannot remember all the passwords
> > > "mentally" so I tell Sylpheed to store
> them for
> > > me.
> > > > 
> > > > However, this leads to a security risk in
> that anybody
> > > could theoretically start up my Sylpheed client
> and download
> > > and read all my emails, on any accounts, etc.
> > > > 
> > > > Mozilla has an excellent counter-measure for
> this
> > > security problem in that they have implemented a
> master
> > > password that is requested of the user to access
> any other
> > > password, or protected email accounts.
> > > > 
> > > > This raises the security level.  I believe
> it is done
> > > on a "per session" basis.
> > > > 
> > > > Sure, I have a user password on my Linux
> box,so that
> > > in itself is a security measure; I can lock my
> Linux session
> > > as well.
> > > > 
> > > > But I wanted to mention this as it is still
> a concern
> > > to me, in cases where the other 2 measures do not
> apply
> > > (probably through oversight on user's part.)
> > > > 
> > > > Are there any other users interested in a
> "Master
> > > Password" feature?
> > > > 
> > > > Hiro, is it something you might consider
> adding to
> > > Sylpheed at some point?  Or perhaps, you consider
> time is
> > > better spent on the email features and not on
> redundant
> > > security features?
> > > > 
> > > > Lastly, are the account passwords currently
> stored
> > > with encryption or are they available to see to
> any snooping
> > > or prying eyes gaining access to your box (while
> you're
> > > at lunch for example) and looking for the exact
> right file
> > > where the passwords are stored, etc.?
> > > > 
> > > > Thanks.
> > > > 
> > > > 
> > > > 
> > > > 
> > > >       
> > > Hi Stef,
> > > 
> > > The passwords are stored in plain text in the
> > > .sylpheed-2.0/accountrc
> > > file.
> > > 
> > > Bob W.
> > 
> > 
> >       
> 
> 
> -- 
> A: Because it messes up the order in which people normally
> read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> 
>   Web site: http://www.studenti.unina.it/~ospite
> Public key:
> http://www.studenti.unina.it/~ospite/aopubkey.asc


      

