[Users] Migrating account authentication from basic POP to OAuth2

Paul Rolland rol at witbe.net
Wed Dec 21 10:55:45 UTC 2022


Hello,

On Wed, 21 Dec 2022 10:41:28 -0000
Paul <paul at claws-mail.org> wrote:

> > No, I mean "basic authentication with POP3", the "legacy one" that was
> > defined in the POP3 RFC (User xxx, Pass yyy).
> 
> OK. But, of course, you've been using TLS to secure your log-in up to now.

Of course.
 
> There seemed to be a subtext to your original, as if you were somehow
> improving your security by switching to oauth2, when using a username and
> password with TLS is no less secure than oauth2.

Well, there is some kind of subtext, but I'm not responsible for it. This
migration is mandatory per Microsoft's decision:

https://learn.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

"On September 1, 2022, we announced there will be one final opportunity to
 postpone this change. Tenants will be allowed to re-enable a protocol once
 between October 1, 2022 and December 31, 2022. Any protocol exceptions or
 re-enabled protocols will be turned off early in January 2023, with no
 possibility of further use."

This was announced some time ago, and they have already twice offered the
possibility to continue using basic auth, but now the end of '22 is a hard
deadline, and I see no way to continue using basic auth in '23 (even if
the communication is secured with TLS).

> There always seems to be this subtext, that somehow oauth2 is more secure,
> being stressed, and not enough refuting of it. If you use "12345" or
> similar weak passwords, and you reuse those passwords across all your
> log-ins then, yes, oauth2 can help. But no-one in their right mind would
> do that. In my view, it is always better to educate than secure people in
> their ignorance.

My passwords are longer than that, and they are made of characters picked
from lowercase, uppercase, numbers, symbols, ... I'm also using MFA wherever
possible. So no, I'm not switching to OAuth2 because of so-called security
considerations, but because some company has decided that it was better
than some other mechanisms and is imposing its view.

Best,


-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 659 bytes
Desc: OpenPGP digital signature
URL: <http://lists.claws-mail.org/pipermail/users/attachments/20221221/dc4ec78f/attachment.sig>


More information about the Users mailing list