On Fri, 15 Mar 2002, Jason Badry wrote:

> It isn't my intention to offend either of you, as Xmail and Xmail-WAI are
> great programs. My focus is more on security, and I do in fact have a
> firewall with VPN and am somewhat knowledgeable about the various
> encryptions/etc. No matter how secure a system is, or I think it is, I
> just always have a concern with passwords stored in any file in
> plain-text. It is difficult to feel 100% confident that nobody will ever
> get access to that file, and then if the people with those passwords reused
> them anywhere, it could open many other doors.
>
> I was previously using QPopper with sasl and apop configured in
> Linux. Now, I was quite happy to see your Win2K implementations, and this
> is why I switched over. QPopper did have an option to force users to use
> APOP or other methods, so I was inquiring about this. Perhaps in a future
> release it might be an option to consider.
>
> Now I understand your responses and there are reasons for the plain-text at
> this time. I would encourage you and others though to use hashes as you
> have in Xmail if possible, but always try and avoid leaving passwords in
> files, no matter how secure the file system appears. You just never know
> what Microsoft/other vulnerability will show up next.
Hashes are one-way algorithms; I cannot use them to store passwords because I need to retrieve the clear-text one. I could use encryption to store them (I mean an encryption stronger than the stupid XOR), but if 1) you set up file/dir permissions correctly and 2) someone is still able to crack the OS to get access to the file, this someone will very likely be able to use a debugger to retrieve the used algorithm and/or encryption keys. Since Xmail needs clear-text passwords, it cannot be stronger than the OS it's relying on ...

- Davide

-
To unsubscribe from this list: send the line "unsubscribe xmail" in
the body of a message to [EMAIL PROTECTED]
For general help: send the line "help" in the body of a message to
[EMAIL PROTECTED]
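The trade-off Davide describes (a server that answers APOP must hold the clear-text password, whereas plain USER/PASS can be verified against a one-way hash) is shown below in an added Python example; it is not XMail code and not from either poster. The credentials, the timestamp and both credential stores are constructed here; the APOP digest follows RFC 1939 section 7 (MD5 over the server's timestamp banner concatenated with the password), and the hashed store uses PBKDF2 as one reasonable salted one-way scheme.

```python
import hashlib
import hmac
import os
import secrets
import time
import socket

# Constructed sample credentials (not from XMail or the thread).
USERNAME = "alice"
PASSWORD = "correct horse battery staple"

# Store A: clear-text password. This is what a server that must answer
# APOP has to keep, because the APOP digest is computed over the password.
cleartext_store = {USERNAME: PASSWORD}


# Store B: salted one-way hash (PBKDF2-HMAC-SHA256). Enough to verify a
# USER/PASS login, but the password itself cannot be recovered from it.
def make_hash_record(password: str, iterations: int = 200_000) -> dict:
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return {"salt": salt, "iterations": iterations, "digest": digest}


hashed_store = {USERNAME: make_hash_record(PASSWORD)}


def verify_pass(user: str, password: str) -> bool:
    """USER/PASS check against the hashed store; works without clear text."""
    rec = hashed_store.get(user)
    if rec is None:
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), rec["salt"], rec["iterations"]
    )
    return hmac.compare_digest(digest, rec["digest"])


def make_timestamp() -> str:
    """Server banner timestamp in the RFC 1939 form <pid.clock@hostname>."""
    return f"<{os.getpid()}.{int(time.time())}@{socket.gethostname()}>"


def apop_banner(timestamp: str) -> str:
    """Greeting line the server sends; the client extracts the timestamp."""
    return f"+OK POP3 server ready {timestamp}"


def apop_client_digest(timestamp: str, password: str) -> str:
    """What the client sends in 'APOP <user> <digest>': MD5(timestamp + password)."""
    return hashlib.md5((timestamp + password).encode()).hexdigest()


def verify_apop(user: str, timestamp: str, client_digest: str) -> bool:
    """APOP check. The server must recompute MD5(timestamp + password), so it
    needs the clear-text password; a record from hashed_store cannot be used."""
    password = cleartext_store.get(user)
    if password is None:
        return False
    expected = apop_client_digest(timestamp, password)
    return hmac.compare_digest(expected, client_digest)


if __name__ == "__main__":
    ts = make_timestamp()
    print(apop_banner(ts))
    # Client side: derive the digest from the banner and the known password.
    print("APOP", USERNAME, apop_client_digest(ts, PASSWORD))
    print("APOP accepted:", verify_apop(USERNAME, ts, apop_client_digest(ts, PASSWORD)))
    print("PASS accepted:", verify_pass(USERNAME, PASSWORD))
```

The point of the two stores sitting side by side is that `verify_pass` never needs `cleartext_store`, while `verify_apop` cannot be written against `hashed_store` at all: nothing in a salted PBKDF2 record lets the server compute MD5(timestamp + password). That is why offering APOP forces the server to keep a recoverable password, and why, as the reply says, its protection then reduces to whatever the OS does to keep that file out of reach.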
