[Users] [Bug 3283] New: Encryption scheme for storing email password locally has to be revisited

noreply at thewildbeast.co.uk
Fri Sep 12 17:13:09 CEST 2014


http://www.thewildbeast.co.uk/claws-mail/bugzilla/show_bug.cgi?id=3283

            Bug ID: 3283
           Summary: Encryption scheme for storing email password locally
                    has to be revisited
    Classification: Unclassified
           Product: Claws Mail
           Version: 3.10.1
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: critical
          Priority: P3
         Component: Other
          Assignee: users at lists.claws-mail.org
          Reporter: phrackmod at gmail.com

Encryption scheme applied on the email account password before storing it
locally in ~/.claws-mail/accountrc seems too simple to crack. The key used to
encrypt the password is hardcoded in clear text in the source code
(src/common/password.h).

A random master passkey could be generated and stored in the main binary file
during the compile and build phase. This key could be further used to perform
any encryptions on the email password. This is just a suggestion. I think you
could come up with something a little more secure.

I hope you take this seriously since I really hate to see that someone with
access to my system could get to know my email password in just a few seconds
just because of Claws Mail.

-- 
You are receiving this mail because:
You are the assignee for the bug.


