[sylpheed:32961] Re: feature request - master password to protect all account passwords
stef
stef_204 at yahoo.com
Sun May 3 02:31:29 JST 2009
--- On Sat, 5/2/09, Bob White <bob at bob-white.com> wrote:
> From: Bob White <bob at bob-white.com>
> Subject: Re: [sylpheed:32959] Re: feature request - master password to protect all account passwords
> To: sylpheed at sraoss.jp
> Cc: stef_204 at yahoo.com, sylpheed at sraoss.jp
> Date: Saturday, May 2, 2009, 8:48 AM
> On Sat, 2 May 2009 07:30:51 -0700 (PDT)
> stef <stef_204 at yahoo.com> wrote:
>
> >
> > Hi,
> >
> > Just a quick summary on this security issue:
> >
> > Actually there are 2 issues: a) protect against someone gaining access to Sylpheed by starting it up and doing send/receive.
> > b) protect against someone reading .sylpheed-2.0/accountrc
> >
> > The only things I can think of for a) are:
> >
> > 1) Lock my session if I leave my desk at work; for those who do not use a Desktop Manager (KDE, Gnome, etc.) but only a Window Manager (fluxbox, Openbox, etc.) it is a bit complicated.
> >
> > 2) Protect the .sylpheed-2.0/accountrc file with proper permissions:
> >
> > Mine is:
> > % ls -l .sylpheed-2.0/accountrc
> > -rw------- 1 stef stef 10641 2009-05-01 00:09 .sylpheed-2.0/accountrc
> >
> > But the above doesn't help with anyone gaining access as "myself" when my box is running but I am away from my desk.
> >
> > 3) Do not store the passwords: not a very good option as I check over 10 accounts and use complex passwords very difficult to remember. So that would be too inconvenient.
> >
> > The model 'passwords behind a password', meaning a master password that would encrypt/decrypt (or a gpg signature) the .sylpheed-2.0/accountrc file and then lets Sylpheed read it would seem to make sense. But developer efforts to implement need to be considered, as the developer's time might be better served in focusing on email features rather than security features. Hiro's feedback on this issue would be nice.
> >
> > That summarizes my view of this issue.
> >
> > Thanks.
> >
>
> To implement a quasi secure accountrc file it would be fairly straightforward. Instead of starting sylpheed directly, run a script:
> 1) decrypt sylpheedrc
> 2) run sylpheed
> 3) sylpheed exits -> encrypt sylpheedrc
>
> I'm not sure how to implement this with MS Windows. Maybe a Windows expert can tell us. :)
>
> Your account passwords are encrypted unless you are actually running sylpheed. Personally, I lock my session when I'm not at the computer. If I forget, it locks with the screensaver after 10 minutes. That seems like enough security for email password for me, but I also have little exposure to other people physically accessing my computer.
>
> I also use sdm (http://freshmeat.net/projects/sdm) to remember the hundreds of passwords I seem to need (email web sites, etc.). I never use the same password for two locations.
>
>
> Bob W.
Bob, I guess you have an idea there with the scripting in Linux.
You should be able to do that in Windows as well by using gpg and a batch file I believe: write your own script.cmd file and put in there the commands. And run it to 1) decrypt and 2) launch Sylpheed.
But I don't know if in Windows you can start gpg in command line with parameters, etc.--but I don't see why it wouldn't be possible.
It would be a bit convoluted as far as an email client is concerned and I thought having an optional Master Password feature (like Thunderbird has) would be an improvement in security.
Here's some more info I found:
<http://luxsci.com/blog/master-password-encryption-in-firefox-and-thunderbird.html>
Anyway, I have harped on this issue enough and don't want to wear out my welcome....
Perhaps Hiro will have some comments.
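
The three-step wrapper proposed in this thread (decrypt, run Sylpheed, re-encrypt on exit), as an added example that is not code from either poster or from the Sylpheed project. It assumes gpg symmetric encryption, an encrypted copy named accountrc.gpg, and hypothetical function names; it also handles a first run, a killed session, and a failed re-encryption.

```shell
#!/bin/sh
# Added example: keep accountrc encrypted except while Sylpheed is running.
# Assumed: gpg symmetric mode, the .gpg file name, and all function names.
RC="${SYLPHEED_RC:-$HOME/.sylpheed-2.0/accountrc}"
ENC="$RC.gpg"

unlock_rc() {
    umask 077    # plaintext is created owner-only, like the -rw------- listing
    # Plaintext already present: first run, or an earlier session was killed.
    # Keep it (it is the newest copy); it is encrypted again on exit.
    [ -f "$RC" ] && return 0
    [ -f "$ENC" ] || { echo "neither $RC nor $ENC exists" >&2; return 1; }
    # Step 1: decrypt (gpg prompts for the master passphrase).
    gpg --quiet --yes --output "$RC" --decrypt "$ENC" || { rm -f "$RC"; return 1; }
}

lock_rc() {
    [ -f "$RC" ] || return 0
    umask 077
    # Step 3: encrypt to a temporary name first, so a cancelled prompt or
    # a gpg failure never replaces the last good ciphertext.
    if gpg --quiet --yes --symmetric --cipher-algo AES256 \
           --output "$ENC.tmp" "$RC"; then
        mv -f "$ENC.tmp" "$ENC"
        rm -f "$RC"    # plain rm: blocks may remain on disk until overwritten
    else
        rm -f "$ENC.tmp"
        echo "re-encryption failed, plaintext left at $RC" >&2
        return 1
    fi
}

run_locked() {
    unlock_rc || return 1
    # Re-lock even if the wrapper itself is interrupted.
    trap 'lock_rc; exit 1' INT TERM HUP
    st=0
    sylpheed "$@" || st=$?    # Step 2: run the mail client
    trap - INT TERM HUP
    lock_rc || return 1
    return "$st"
}

# Run as: sh sylpheed-locked.sh run [sylpheed arguments]
if [ "${1:-}" = "run" ]; then
    shift
    run_locked "$@"
fi
```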