Bug 3283 - Encryption scheme for storing email password locally
Status: RESOLVED FIXED
Alias: None
Product: Claws Mail (GTK 2)
Classification: Unclassified
Component: Other
Version: 3.10.1
Hardware: PC Linux
Importance: P3 enhancement
Assignee: users
Reported: 2014-09-12 17:13 UTC by phrackmod
Modified: 2016-08-08 11:06 UTC

Description phrackmod 2014-09-12 17:13:09 UTC
Encryption scheme applied on the email account password before storing it locally in ~/.claws-mail/accountrc seems too simple to crack. The key used to encrypt the password is hardcoded in clear text in the source code (src/common/password.h).

A random master passkey could be generated and stored in the main binary file during the compile and build phase. This key could be further used to perform any encryptions on the email password. This is just a suggestion. Think you could come up with something a little more secure.

I hope you take this seriously since I really hate to see that someone in access to my system could get to know my email password in just a few seconds just because of Claws Mail.
Comment 1 Paul 2014-09-12 17:58:05 UTC
It was never meant to be more than simple obfuscation.
Comment 2 Jeremy 2014-09-12 19:26:24 UTC
I would also appreciate this feature if someone ever wanted to code it.

That said - in lieu of this feature, hard drive encryption may be prudent for anyone who needs email security.
Comment 3 Andrej Kacian 2016-08-08 11:06:16 UTC
A stronger encryption for all passwords is now in place.
