Hello! I just noticed aerc stores the passwords to my email accounts in its configuration in plain text. Generally this might not be an issue, but it's also not that great, is it? Anyway, since I am pushing all my configuration files into a git repository (which is not public, obviously), I want to stay safe and rather avoid having my email account passwords stored in some online git repository. Is there another way to get the password, e.g. using pass? Or is there a way to make aerc not store the password and handle it when launching aerc? Thanks for the great work, and thank you in advance! ~Georg
On Sun Jun 21, 2020 at 12:03 PM EDT, Georg Krause wrote:
> I just noticed aerc stores the passwords to my email accounts in its
> configuration in plain text. Generally this might not be an issue,
> but its also not that great, is it?

We prevent your accounts.conf from being readable by other users. If we stored your password locally by any other means, it'd still be recoverable. But you can configure a command to retrieve your password from, like pass(1) - see aerc-imap(5) for details.
Hello, thanks for the pointer! Besides this, I would consider it quite problematic to store the password without encryption and without the knowledge of the user. There might be no other option as a usable default using the account wizard, but at least a warning and a pointer on how to change the password storage might be nice. Have a nice week! ~Georg
We have pointers, it's called the manpage. If you just want to be able to open your email client without having to enter the password all the time, that's how it is... All clients have the password in the clear if you save it; the IMAP protocol requires that. Same for IRC and the likes, heck, even Telegram or $messenger has a bearer token somewhere which grants you API access once you have it. Don't run untrusted code... if you have malicious code running as your user, they can do all kinds of nasty things anyhow.
I don't really talk about running untrusted code but losing the storage device. It seems like you feel affected. There is no reason; as I wrote in the first mail, I do not think it's generally problematic to store the password, nor did I demand to change it. But let me explain: when using the account setup the user might be just happy everything works, at least this is what I did. I did not read the whole manpage (yes, this was probably my mistake). But if there was a hint in the setup "Listen, we store your password in a file, you might want to change this, look in the man page" I would have read it and used pass in the first place. Anyway, I don't want to start an emotional discussion here; if you have such hard feelings about this, just ignore my proposal. Sorry for the noise and thanks for the great mail client. ~Georg
On Monday, June 22, 2020 9:08 AM, Reto <email@example.com> wrote:
> All clients have the password in the clear if you save it

Some clients store it in the user system keyring (see libsecret), which is a centralized place where all passwords and tokens are stored and encrypted with the user's login password. However I'm not sure using the keyring would be a good default for aerc, it's a whole new dependency and requires a daemon running.
That's done via dbus no? Drew will kill me if I suggest that ;P
On Monday, June 22, 2020 10:13 AM, Reto <firstname.lastname@example.org> wrote:
> That's done via dbus no? Drew will kill me if I suggest that ;P

Yes, it's a GNOME thing, so of course it's using D-Bus.
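An added illustration of the two options raised in this thread (the pass(1) command from the second message and the libsecret keyring from the later one); this is an accounts.conf fragment I wrote for this page, not text from aerc's manpages or from any participant. It assumes the `source-cred-cmd` / `outgoing-cred-cmd` keys documented in aerc-imap(5) and aerc-smtp(5); the account name, host names, the pass entry path and the secret-tool attribute are placeholders. The `@` in the username is percent-encoded as `%40` because it sits inside a URL.

```ini
# Added example, not from the aerc docs or from this thread.
# Placeholder account: "Personal" at example.com.

# Form the setup wizard produces: the password sits in the URL, in the clear,
# inside ~/.config/aerc/accounts.conf (and so in any dotfiles repo it is pushed to).
[Personal]
source   = imaps://me%40example.com:hunter2@imap.example.com
outgoing = smtps://me%40example.com:hunter2@smtp.example.com
from     = Me <me@example.com>

# Same account with the password removed from the file: aerc runs the
# command through sh -c and uses its stdout as the password, so nothing
# secret is stored in accounts.conf. The pass entry path is a placeholder.
[Personal]
source            = imaps://me%40example.com@imap.example.com
source-cred-cmd   = pass show mail/example.com/me
outgoing          = smtps://me%40example.com@smtp.example.com
outgoing-cred-cmd = pass show mail/example.com/me
from              = Me <me@example.com>

# Keyring alternative (libsecret, needs the secret service daemon on D-Bus):
# the attribute name/value pair is whatever was chosen when the secret was
# saved with `secret-tool store --label=aerc aerc-account personal`.
# source-cred-cmd   = secret-tool lookup aerc-account personal
# outgoing-cred-cmd = secret-tool lookup aerc-account personal
```

The second and third variants are alternatives for the same `[Personal]` section, not two sections to keep side by side. Because aerc takes the command's whole output as the password, the pass entry (or keyring item) should contain only the password, with no extra metadata lines. This moves the secret out of the config file; on a lost disk it is then protected by the GPG key behind pass or by the login password behind the keyring, which is the risk Georg raised, while on a machine running malicious code as the user it remains recoverable, as Reto noted.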