[sylpheed:32960] Re: feature request - master password to protect all account passwords

Bob White bob at bob-white.com
Sun May 3 00:48:22 JST 2009


On Sat, 2 May 2009 07:30:51 -0700 (PDT)
stef <stef_204 at yahoo.com> wrote:

> 
> Hi,
> 
> Just a quick summary on this security issue:
> 
> Actually there are 2 issues: a) protect against someone gaining access to Sylpheed by starting it up and doing send/receive.
> b) protect against someone reading .sylpheed-2.0/accountrc
> 
> The only things I can think of for a) are:
> 
> 1) Lock my session if I leave my desk at work; for those who do not use a Desktop Manager (KDE, Gnome, etc.) but only a Window Manager (fluxbox, Openbox, etc.) it is a bit complicated.
> 
> 2) Protect the .sylpheed-2.0/accountrc file with proper permissions:
> 
> Mine is:
> % ls -l .sylpheed-2.0/accountrc
> -rw------- 1 stef stef 10641 2009-05-01 00:09 .sylpheed-2.0/accountrc
> 
> But the above doesn't help with anyone gaining access as "myself" when my box is running but I am away from my desk.
> 
> 3) Do not store the passwords: not a very good option as I check over 10 accounts and use complex passwords very difficult to remember.  So that would be too inconvenient.
> 
> The model 'passwords behind a password', meaning a master password that would encrypt/decrypt (or a gpg signature) the .sylpheed-2.0/accountrc file and then lets Sylpheed read it would seem to make sense.  But developer efforts to implement need to be considered, as the developer's time might be better served in focusing on email features rather than security features.  Hiro's feedback on this issue would be nice.
> 
> That summarizes my view of this issue.
> 
> Thanks.
> 

To implement a quasi-secure accountrc file would be fairly
straightforward.  Instead of starting sylpheed directly, run a script:
1) decrypt sylpheedrc
2) run sylpheed
3) sylpheed exits -> encrypt sylpheedrc

I'm not sure how to implement this with MS Windows.  Maybe a Windows
expert can tell us. :)

Your account passwords are encrypted unless you are actually running
sylpheed.  Personally, I lock my session when I'm not at the computer.
If I forget, it locks with the screensaver after 10 minutes.  That
seems like enough security for email password for me, but I also have
little exposure to other people physically accessing my computer.

I also use sdm (http://freshmeat.net/projects/sdm) to remember the
hundreds of passwords I seem to need (email, web sites, etc.).  I never
use the same password for two locations.


Bob W.
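
The three steps above as a POSIX shell wrapper, added here as an example and not part of the original message or of Sylpheed. It assumes GnuPG symmetric encryption, the accountrc path from the quoted message, and the hypothetical names accountrc.gpg and sylpheed-locked.

```shell
#!/bin/sh
# Added example, not from the original message. Assumes GnuPG symmetric mode.
RC="${SYLPHEED_RC:-$HOME/.sylpheed-2.0/accountrc}"  # path from the quoted message
ENC="$RC.gpg"                                       # hypothetical ciphertext name

unlock_rc() {
    # Plaintext already present (first run, or a crash skipped step 3):
    # keep it, so newer settings are not overwritten by older ciphertext.
    [ -f "$RC" ] && return 0
    [ -f "$ENC" ] || return 0        # nothing stored yet
    ( umask 077; gpg --quiet --yes --output "$RC" --decrypt "$ENC" ) ||
        { rm -f "$RC"; return 1; }   # do not leave a partial file behind
}

lock_rc() {
    [ -f "$RC" ] || return 0
    ( umask 077; gpg --quiet --yes --cipher-algo AES256 \
          --output "$ENC.new" --symmetric "$RC" ) ||
        { rm -f "$ENC.new"; return 1; }
    # Swap in the new ciphertext only after gpg succeeded, then drop the
    # plaintext. rm does not scrub disk blocks, backups or swap.
    mv -f "$ENC.new" "$ENC" && rm -f "$RC"
}

sylpheed_locked() {
    unlock_rc || { echo "decrypt failed; not starting sylpheed" >&2; return 1; }
    trap 'lock_rc; exit 130' INT TERM HUP   # re-encrypt if the wrapper is killed
    status=0
    sylpheed "$@" || status=$?
    trap - INT TERM HUP
    lock_rc || { echo "re-encrypt failed; $RC is still plaintext" >&2; return 1; }
    return "$status"
}

# Runs only when this file is installed under the hypothetical name below.
case "${0##*/}" in
    sylpheed-locked) sylpheed_locked "$@"; exit $? ;;
esac
```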

