From: Gene H. <ghe...@sh...> - 2018-12-12 16:17:37
On Wednesday 12 December 2018 08:07:05 Bjoern Voigt wrote:

> Matthias Andree wrote:
> > Regarding plaintext password storage, you don't have to, but
> > fetchmail had originally been written for end-user consumption and
> > not high-grade datacenter use.
>
> Yes, you know the historical requirements for Fetchmail. But what do
> you think now about unencrypted passwords in Fetchmail?
>
> I think that datacenters are much more secured than mobile devices
> (e.g. laptops) of average Linux users. Also SOHO servers and NAS
> devices are often not secured very well.
>
> Of course, long-term Linux users (I also started in 1996) may still
> think that unencrypted passwords in a file with -rw------- permissions
> are "safe enough". In fact this is somehow true for multi-user
> computers in secure locations where normal users have no root rights
> and where the root users are trustworthy.
>
> But do we still have to discuss unencrypted passwords at the end of
> 2018? Auditors could laugh at us.

They may do worse than that, but it's the mail server admins at your ISP
who will have to push for it to gain any real traction. Welcome to the
facts of life. :)

Besides, in transit it's still clear text to those that want to spoof it;
all they have to do is copy it in passing, so there will be no difference
in the security level until the ISP's server sends the encryption standard
the client is to use today, and rotates it frequently. Daily might be
reasonable; hourly would tend to load up the server with 10000 accounts.
Even that, to a determined hacker, is only a minor problem and we all
know it.

[...]

Take care Björn

-- 
Cheers, Gene Heskett
--
"There are four boxes to be used in defense of liberty:
 soap, ballot, jury, and ammo. Please use in that order."
-Ed Howdershelt (Author)
Genes Web page <http://geneslinuxbox.net:6309/gene>
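The two concerns traded in this exchange, a password sitting in clear text in the rcfile and a password crossing the wire in clear text, are both things you can check for in a config before arguing about them. Below is an added example, not code from this thread and not fetchmail's own: a small POSIX shell audit that runs over a constructed sample fetchmailrc. It checks the file mode (fetchmail itself refuses an rcfile that grants any group or other permission bits), counts stored `password`/`pass` literals, and lists poll entries that never ask for TLS with the `ssl`/`sslcertck` keywords fetchmail(1) documents. The sample file, the `.invalid` host names, the account names and the helper names (`rc_mode_ok`, `count_plain_passwords`, `polls_without_tls`, `audit_rc`) are all assumptions made for the example.

```shell
#!/bin/sh
# Added example: audit a fetchmailrc for clear-text passwords and poll
# entries that do not explicitly require TLS. Not fetchmail's own code.
# The sample file below is constructed; hosts use the reserved .invalid TLD.
set -e

SAMPLE_RC=$(mktemp)
trap 'rm -f "$SAMPLE_RC"' EXIT
cat >"$SAMPLE_RC" <<'EOF'
# constructed sample fetchmailrc (not a real account)
poll mail.example.invalid protocol IMAP
  user "alice" password "hunter2"

poll mx.example.invalid protocol POP3
  user "bob" password "s3cret"
  ssl sslcertck
EOF
chmod 0600 "$SAMPLE_RC"

# Octal mode of the file (GNU stat first, BSD/macOS stat as fallback).
rc_mode() { stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"; }

# fetchmail rejects an rcfile with any group/other bits set (mode & 077),
# so "ok" means the last two octal digits are both zero.
rc_mode_ok() {
  case "$(rc_mode "$1")" in
    *00) return 0 ;;
    *)   return 1 ;;
  esac
}

# Number of non-comment lines that store a password literal
# ("password" or its synonym "pass" followed by a quoted string).
count_plain_passwords() {
  grep -v '^[[:space:]]*#' "$1" \
    | grep -c -E '(^|[[:space:]])(password|pass)[[:space:]]+"' || true
}

# Hosts of poll entries that never say "ssl". fetchmail may still attempt
# STARTTLS opportunistically for them, but nothing in the file requires it,
# so a downgrade on the wire would go unnoticed by the configuration.
polls_without_tls() {
  awk '
    function flush() { if (host != "" && !tls) print host; host = "" }
    /^[[:space:]]*#/ { next }
    {
      for (i = 1; i <= NF; i++) {
        if ($i == "poll") { flush(); host = $(i + 1); tls = 0 }
        else if ($i == "ssl") tls = 1
      }
    }
    END { flush() }
  ' "$1"
}

# Human-readable report for the rcfile given as $1.
audit_rc() {
  if rc_mode_ok "$1"; then
    echo "mode $(rc_mode "$1"): ok (no group/other bits)"
  else
    echo "mode $(rc_mode "$1"): fetchmail will refuse this file"
  fi
  echo "clear-text passwords stored: $(count_plain_passwords "$1")"
  for h in $(polls_without_tls "$1"); do
    echo "poll $h has no ssl/sslcertck: password may cross the wire in the clear"
  done
}

audit_rc "$SAMPLE_RC"
```

On the sample above the report shows a correctly restricted file that still stores two clear-text passwords, with the first poll entry flagged because it relies on nothing but opportunistic STARTTLS; the second entry's `ssl sslcertck` is what makes the on-the-wire part of Gene's objection go away, while the at-rest part stays exactly as Bjoern describes it.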