I am just reflecting on a little security problem,
and maybe someone knows a solution:
There is a web server, accessed over HTTPS, protected with
one-time passwords. When you log in you get access to
squirrelmail. The server is intended to give the users
access to email from internet cafes and other untrusted
computers. That's why it uses one-time passwords, since
such computers are always suspected of being compromised and
might have things like keyloggers.
Reading e-mail with squirrelmail requires a second login
with the IMAP username and user password. But the same
user and password database the IMAP server makes use of (LDAP)
is intended to be used for other purposes, and so it is
risky if passwords are caught by keyloggers.
Any idea how to avoid entering the IMAP password
for squirrelmail while still being secure?
(The user was already authenticated before.)