[sylpheed:32959] Re: feature request - master password to protect all account passwords

stef stef_204 at yahoo.com
Sat May 2 23:30:51 JST 2009


Hi,

Just a quick summary on this security issue:

Actually there are 2 issues: a) protect against someone gaining access to Sylpheed by starting it up and doing send/receive.
b) protect against someone reading .sylpheed-2.0/accountrc

The only things I can think of for a) are:

1) Lock my session if I leave my desk at work; for those who do not use a Desktop Manager (KDE, Gnome, etc.) but only a Window Manager (fluxbox, Openbox, etc.) it is a bit complicated.

2) Protect the .sylpheed-2.0/accountrc file with proper permissions:

Mine is:
% ls -l .sylpheed-2.0/accountrc
-rw------- 1 stef stef 10641 2009-05-01 00:09 .sylpheed-2.0/accountrc

But the above doesn't help with anyone gaining access as "myself" when my box is running but I am away from my desk.

3) Do not store the passwords: not a very good option as I check over 10 accounts and use complex passwords very difficult to remember.  So that would be too inconvenient.

The 'passwords behind a password' model, meaning a master password that would encrypt/decrypt (or a gpg signature) the .sylpheed-2.0/accountrc file and then let Sylpheed read it, would seem to make sense.  But developer efforts to implement need to be considered, as the developer's time might be better served in focusing on email features rather than security features.  Hiro's feedback on this issue would be nice.

That summarizes my view of this issue.

Thanks.

--- On Sat, 5/2/09, Antonio Ospite <ospite at studenti.unina.it> wrote:

> From: Antonio Ospite <ospite at studenti.unina.it>
> Subject: [sylpheed:32957] Re: feature request - master password to protect all account passwords
> To: sylpheed at sraoss.jp
> Date: Saturday, May 2, 2009, 1:53 AM
> On Fri, 1 May 2009 11:17:03 -0700 (PDT)
> stef <stef_204 at yahoo.com> wrote:
> 
> > This is definitely a security risk, IMHO.
> > 
> > And seems to emphasize my original point.
> 
> Hi,
> 
> As you can guess it is done deliberately, because _you_ as a user should
> protect _your_ data, and your email client config is just data (let me
> be a bit provocative on this point :)).
> 
> I saw many other programs which store those "user-data" passwords in
> plaintext, I recall a similar discussion for the pidgin IM client:
> http://developer.pidgin.im/wiki/PlainTextPasswords
> 
> You also know that there are ways to protect your user data, and this
> master password mechanism would be redundant.
> 
> But maybe all those are just arguments posed by lazy coders who don't
> want to add such a feature to their software :P (joking, eh)
> 
> Regards,
>    Antonio
> 
> P.S.: please avoid top-posting, _at_least_ in mailing lists :)
> http://en.wikipedia.org/wiki/Posting_style
> 
> > --- On Fri, 5/1/09, Bob White <bob at bob-white.com> wrote:
> > 
> > > From: Bob White <bob at bob-white.com>
> > > Subject: Re: [sylpheed:32953] feature request - master password to protect all account passwords
> > > To: sylpheed at sraoss.jp
> > > Cc: stef_204 at yahoo.com, sylpheed at sraoss.jp
> > > Date: Friday, May 1, 2009, 9:25 AM
> > > On Fri, 1 May 2009 09:03:03 -0700 (PDT)
> > > stef <stef_204 at yahoo.com> wrote:
> > > 
> > > > Hi,
> > > > 
> > > > I wanted to suggest what I feel would be an important feature:
> > > > implementing a master password to protect all other account/server
> > > > passwords.
> > > > 
> > > > For example, I use quite a few email accounts and all are IMAP with
> > > > SSL.
> > > > 
> > > > I cannot remember all the passwords "mentally" so I tell Sylpheed to
> > > > store them for me.
> > > > 
> > > > However, this leads to a security risk in that anybody could
> > > > theoretically start up my Sylpheed client and download and read all
> > > > my emails, on any accounts, etc.
> > > > 
> > > > Mozilla has an excellent counter-measure for this security problem in
> > > > that they have implemented a master password that is requested of the
> > > > user to access any other password, or protected email accounts.
> > > > 
> > > > This raises the security level.  I believe it is done on a "per
> > > > session" basis.
> > > > 
> > > > Sure, I have a user password on my Linux box, so that in itself is a
> > > > security measure; I can lock my Linux session as well.
> > > > 
> > > > But I wanted to mention this as it is still a concern to me, in cases
> > > > where the other 2 measures do not apply (probably through oversight on
> > > > the user's part.)
> > > > 
> > > > Are there any other users interested in a "Master Password" feature?
> > > > 
> > > > Hiro, is it something you might consider adding to Sylpheed at some
> > > > point?  Or perhaps, you consider time is better spent on the email
> > > > features and not on redundant security features?
> > > > 
> > > > Lastly, are the account passwords currently stored with encryption or
> > > > are they available to see to any snooping or prying eyes gaining
> > > > access to your box (while you're at lunch for example) and looking for
> > > > the exact right file where the passwords are stored, etc.?
> > > > 
> > > > Thanks.
> > > > 
> > > Hi Stef,
> > > 
> > > The passwords are stored in plain text in the .sylpheed-2.0/accountrc
> > > file.
> > > 
> > > Bob W.
> 
> 
> -- 
> A: Because it messes up the order in which people normally read text.
> Q: Why is top-posting such a bad thing?
> A: Top-posting.
> Q: What is the most annoying thing in e-mail?
> 
>   Web site: http://www.studenti.unina.it/~ospite
> Public key: http://www.studenti.unina.it/~ospite/aopubkey.asc
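Editor's added example, not Sylpheed's code and not from anyone in this thread: it puts two of the measures stef summarizes into working form, the 0600 permission check from item 2 done programmatically instead of by eye with `ls -l`, a scan for accounts whose `password=` field is non-empty, and the "passwords behind a password" model, where a master password encrypts the accountrc at rest and only a correct password (and an untampered file) unlocks it. Assumptions: the INI-like layout with `[Account: N]` sections and `account_name=` / `password=` keys is modelled on what the thread says (plaintext passwords in `.sylpheed-2.0/accountrc`) and was not checked against Sylpheed's real file format; the `SYLPHEED-LOCKED-V0` header is hypothetical; and the cipher is a stdlib-only encrypt-then-MAC construction (PBKDF2, then HMAC-SHA256 used as a counter-mode keystream plus an HMAC tag) chosen so the example runs with no dependencies. In a real implementation you would use an AEAD such as AES-GCM or ChaCha20-Poly1305 from a crypto library instead of `_keystream`.

```python
"""Toy "passwords behind a password" model for a Sylpheed-style accountrc.

Added example for the mailing-list thread, not Sylpheed's own code.
The accountrc layout, the MAGIC header and the HMAC-based cipher are
assumptions made for the demo (see the lead-in); use a real AEAD in practice.
"""
from __future__ import annotations

import hashlib
import hmac
import os
import secrets
import stat

# Constructed sample input (not a real accountrc): one account storing its
# password in the clear, one using the "do not store the password" option.
SAMPLE_ACCOUNTRC = """[Account: 1]
account_name=work
receive_server=imap.example.invalid
password=hunter2

[Account: 2]
account_name=personal
receive_server=imap.example.invalid
password=
"""

MAGIC = b"SYLPHEED-LOCKED-V0\n"  # hypothetical header marking an encrypted accountrc
KDF_ITERATIONS = 100_000         # PBKDF2 cost for the demo; tune to the machine
SALT_LEN = NONCE_LEN = 16
TAG_LEN = 32                     # HMAC-SHA256 output


def mode_is_private(st_mode: int) -> bool:
    """True when st_mode is a regular file with no group/other bits (0600 or stricter)."""
    return stat.S_ISREG(st_mode) and (stat.S_IMODE(st_mode) & 0o077) == 0


def permissions_ok(path: str) -> bool:
    """The `ls -l .sylpheed-2.0/accountrc` check from the thread, done programmatically."""
    return mode_is_private(os.stat(path).st_mode)


def plaintext_passwords(text: str) -> list[str]:
    """Return the account names whose password= field is non-empty, i.e. stored in the clear."""
    exposed, name, password = [], None, ""
    for raw in text.splitlines() + ["[end]"]:  # sentinel section flushes the last account
        line = raw.strip()
        if line.startswith("["):
            if name is not None and password:
                exposed.append(name)
            name, password = None, ""
        elif "=" in line:
            key, _, value = line.partition("=")
            if key == "account_name":
                name = value
            elif key == "password":
                password = value
    return exposed


def derive_keys(master_password: str, salt: bytes) -> tuple[bytes, bytes]:
    """Stretch the master password into independent encryption and MAC keys."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode("utf-8"), salt, KDF_ITERATIONS, dklen=64)
    return km[:32], km[32:]


def _keystream(k_enc: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a PRF keystream (demo stand-in for a real cipher)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hmac.new(k_enc, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def lock(plaintext: bytes, master_password: str) -> bytes:
    """Encrypt-then-MAC the accountrc under keys derived from the master password."""
    salt, nonce = secrets.token_bytes(SALT_LEN), secrets.token_bytes(NONCE_LEN)
    k_enc, k_mac = derive_keys(master_password, salt)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(k_enc, nonce, len(plaintext))))
    tag = hmac.new(k_mac, MAGIC + salt + nonce + ct, hashlib.sha256).digest()
    return MAGIC + salt + nonce + tag + ct


def unlock(blob: bytes, master_password: str) -> bytes:
    """Verify the tag before decrypting; a wrong password or a tampered file raises ValueError."""
    if not blob.startswith(MAGIC):
        raise ValueError("not a locked accountrc")
    body = blob[len(MAGIC):]
    salt, nonce = body[:SALT_LEN], body[SALT_LEN:SALT_LEN + NONCE_LEN]
    tag = body[SALT_LEN + NONCE_LEN:SALT_LEN + NONCE_LEN + TAG_LEN]
    ct = body[SALT_LEN + NONCE_LEN + TAG_LEN:]
    k_enc, k_mac = derive_keys(master_password, salt)
    expected = hmac.new(k_mac, MAGIC + salt + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong master password or tampered file")
    return bytes(c ^ k for c, k in zip(ct, _keystream(k_enc, nonce, len(ct))))


if __name__ == "__main__":
    master = "correct horse battery staple"  # demo value only
    print("accounts with plaintext passwords:", plaintext_passwords(SAMPLE_ACCOUNTRC))
    locked = lock(SAMPLE_ACCOUNTRC.encode("utf-8"), master)
    print("plaintext password visible in locked file:", b"hunter2" in locked)
    print("round trip ok:", unlock(locked, master) == SAMPLE_ACCOUNTRC.encode("utf-8"))
```

Note what this does and does not buy, in the thread's own terms: locking the file addresses issue b) (someone reading accountrc, including with a backup or a copied home directory, where the 0600 mode alone no longer helps), but once the session has unlocked it the client holds the cleartext for that session, so issue a) (someone sitting down at the unattended desk) is still only covered by locking the screen.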