~sircmpwn/aerc

Password for accounts

Georg Krause
Message-ID: <C3MU4GGJCDJD.N3PHFQOXCSYR@alfi-junior>
Hello!

I just noticed aerc stores the passwords to my email accounts in its configuration in plain text.
Generally this might not be an issue, but it's also not that great, is it?

Anyway, since I am pushing all my configuration files into a git repository (which is not public,
obviously), I want to stay safe and rather avoid having my email account passwords stored in some
online git repository.

Is there another way to get the password, e.g. using pass? Or is there a way to make aerc not store
the password and handle it when launching aerc?

Thanks for the great work, and thank you in advance!

~Georg
Message-ID: <C3MU6RT90ATX.3878LZV3B4YX6@homura>
In-Reply-To: <C3MU4GGJCDJD.N3PHFQOXCSYR@alfi-junior>
On Sun Jun 21, 2020 at 12:03 PM EDT, Georg Krause wrote:
> I just noticed aerc stores the passwords to my email accounts in its
> configuration in plain text.  Generally this might not be an issue,
> but it's also not that great, is it?

We prevent your accounts.conf from being readable by other users. If we
stored your password locally by any other means, it'd still be
recoverable.

But you can configure a command to retrieve your password from, like
pass(1) - see aerc-imap(5) for details.
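The two configurations discussed in this thread, side by side, as an added example that is not part of the original messages or of the aerc project: a plaintext accounts.conf with the password embedded in the IMAP/SMTP URLs, and the same account fetching the secret at runtime through `source-cred-cmd` / `outgoing-cred-cmd` (the keys documented in aerc-imap(5); that they read the password from the command's stdout is an assumption stated here). The shell functions audit a config file for the two issues raised above: a password embedded in the URL and a file readable by other users. The sample configs, account name and `pass` entry path are constructed for the example.

```shell
#!/bin/sh
# Added example, not aerc's own code. Audits an accounts.conf for embedded
# plaintext passwords and loose permissions, and shows the pass(1)-backed
# alternative from aerc-imap(5). Sample data below is constructed.

# Constructed: the plaintext form, password embedded as user:pass@host.
WIZARD_CONF='[Personal]
source   = imaps://georg:hunter2@imap.example.org
outgoing = smtps://georg:hunter2@smtp.example.org
from     = Georg <georg@example.org>
'

# Constructed: same account, secret fetched from pass(1) at runtime.
# Assumption: *-cred-cmd keys read the password from the command's stdout.
PASS_CONF='[Personal]
source            = imaps://georg@imap.example.org
source-cred-cmd   = pass show mail/example.org
outgoing          = smtps://georg@smtp.example.org
outgoing-cred-cmd = pass show mail/example.org
from              = Georg <georg@example.org>
'

# Succeeds when a source/outgoing URL carries a user:password@ component.
has_embedded_password() {
    printf '%s' "$1" | grep -Eq '^(source|outgoing)[[:space:]]*=.*://[^/@]*:[^/@]*@'
}

# Succeeds when the config obtains credentials through a command instead.
uses_cred_cmd() {
    printf '%s' "$1" | grep -Eq '^(source|outgoing)-cred-cmd[[:space:]]*='
}

# Succeeds when group and others have no permission bits on the file
# (portable: inspects the ls -l mode string rather than GNU-only stat flags).
owner_only() {
    perms=$(ls -ld "$1" | cut -c5-10)
    [ "$perms" = "------" ]
}

# Reports each problem found in an accounts.conf; non-zero if any.
audit_accounts_conf() {
    file=$1
    status=0
    conf=$(cat "$file")
    if ! owner_only "$file"; then
        echo "$file: readable by group/others, run: chmod 600 $file" >&2
        status=1
    fi
    if has_embedded_password "$conf"; then
        echo "$file: plaintext password embedded in a source/outgoing URL" >&2
        status=1
    fi
    return $status
}

# Demonstration on the two constructed configs.
tmp=$(mktemp -d)
printf '%s' "$WIZARD_CONF" > "$tmp/wizard.conf"
chmod 644 "$tmp/wizard.conf"
printf '%s' "$PASS_CONF" > "$tmp/pass.conf"
chmod 600 "$tmp/pass.conf"

audit_accounts_conf "$tmp/wizard.conf" || echo "wizard.conf needs attention"
audit_accounts_conf "$tmp/pass.conf" && echo "pass.conf looks fine"
```

The audit only looks at what is on disk; as noted above, a command-backed credential still ends up in the process's memory, so the gain is that the secret is no longer sitting in a file that gets committed or copied with the rest of the dotfiles.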
Georg Krause
Message-ID: <C3NFFAYVITRQ.34HAEKB6YXRH6@alfi-junior>
In-Reply-To: <C3MU6RT90ATX.3878LZV3B4YX6@homura>
Hello,

thanks for the pointer!

Besides this, I would consider it quite problematic to store the password without encryption and
without the knowledge of the user. There might be no other usable default option with the account wizard,
but at least a warning and a pointer on how to change the password storage might be nice.

Have a nice week!

~Georg
Message-ID: <51806F66-A684-4774-A102-534E4D382F04@labrat.space>
In-Reply-To: <C3NFFAYVITRQ.34HAEKB6YXRH6@alfi-junior>
We have pointers, it's called the manpage.

If you just want to be able to open your email client without having to enter the password all the time that's how it is...

All clients have the password in the clear if you save it; the IMAP protocol requires that.

Same for IRC and the likes, heck even telegram or $messenger has a bearer token somewhere which grants you api access once you have it.

Don't run untrusted code... if you have malicious code running as your user they can do all kinds of nasty things anyhow.
Georg Krause
Message-ID: <C3NFY85AWHDN.1DMPAXL01R08P@alfi-junior>
In-Reply-To: <51806F66-A684-4774-A102-534E4D382F04@labrat.space>
I don't really talk about running untrusted code but about losing the storage device.

It seems like you feel affected. There is no reason to; as I wrote in the first mail, I do not think it's
generally problematic to store the password, nor did I demand to change it.

But let me explain: When using the account setup the user might be just happy everything works, at
least this is what I did. I did not read the whole manpage (Yes, this was probably my mistake). But
if there was a hint in the setup "Listen, we store your password in a file, you might want to change
this, look in the man page" I would have read it and used pass in the first place.

Anyway, I don't want to start an emotional discussion here; if you have such hard feelings about this,
just ignore my proposal. Sorry for the noise and thanks for the great mail client.

~Georg
Message-ID: <d18YfRD_J-smXD10At7Yubem31Do7N4g4C-4_4XgAsG7CGVBtQx2b7iptmPwWORihBuJpqCTjP2jFRPOxio0cOpAtV_rZDZC7DVdy6XdWac=@emersion.fr>
In-Reply-To: <51806F66-A684-4774-A102-534E4D382F04@labrat.space>
On Monday, June 22, 2020 9:08 AM, Reto <reto@labrat.space> wrote:

> All clients have the password in the clear if you save it

Some clients store it in the user system keyring (see libsecret), which
is a centralized place where all passwords and tokens are stored and
encrypted with the user's login password. See libsecret.

However, I'm not sure using the keyring would be a good default for
aerc; it's a whole new dependency and requires a daemon running.
Message-ID: <038FA4DA-9E52-489F-B263-E7F26289F543@labrat.space>
In-Reply-To: <d18YfRD_J-smXD10At7Yubem31Do7N4g4C-4_4XgAsG7CGVBtQx2b7iptmPwWORihBuJpqCTjP2jFRPOxio0cOpAtV_rZDZC7DVdy6XdWac=@emersion.fr>
That's done via dbus no? Drew will kill me if I suggest that ;P
Message-ID: <CZtlSBBSdIJh0n1uiClYhTqiwt-WtUle0aSP3lH81H-kGBG-BbxRUx3zv_dG3HgkgZlYr-ldTFlKjm3JvUu2SwfnfqGPD-ZHNki7Ra18o1s=@emersion.fr>
In-Reply-To: <038FA4DA-9E52-489F-B263-E7F26289F543@labrat.space>
On Monday, June 22, 2020 10:13 AM, Reto <reto@labrat.space> wrote:

> That's done via dbus no? Drew will kill me if I suggest that ;P

Yes, it's a GNOME thing, so of course it's using D-Bus.