I noticed in the latest version of Althea, you have
started obfuscating the user's password when it is
stored in the file in their HOME directory.
This is still very insecure handling of user passwords,
especially in an environment like ours, where all of
the home directories are shared among many computers
via NFS and SMB. Requiring the storage of login
passwords on disk without strong encryption is a
security nightmare and is the only thing stopping me
from installing Althea on our network.
Now, to get to my feature request. Would it be too
difficult to make the password disk-storage a
compile-time option or even a configuration option,
making the alternative a simple pop-up prompt for the
password when the program first connects to any IMAP
server, then storing passwords in memory only for the
life of the althea process? This is how Pine, Eudora,
Netscape, and many other IMAP clients work, and it is
much more secure...
-- Brian Powell
Senior Systems Manager,
The Ohio Supercomputer Center