There is no way for an end user to retrieve the password stored for access to remote pop/msa servers.
Yes, giving us the password does increase the overall attack surface for the password. Given the general issues with password hijacking, the addition is fairly minor. If your service is small enough that you don't need to perform a complicated evaluation of whether it's actually the user giving you the correct password... I guess you're either lucky or providing poor stewardship for your user's data.

If providing your password to another service is illegal, clearly don't do it. If you're worried that governments can ask us for your password, I have no idea if they've done so, but that is likely a valid concern. If you think some government is hoovering up that data from us, nothing I say is likely to change your beliefs.

There's probably an obligatory xkcd or two to end this conversation with.

Security is a spectrum, not an absolute. At some point, it gives way to getting shit done.

Brandon

On Fri, Feb 10, 2017 at 4:28 AM, Philip Paeps <phi...@trouble.is> wrote:

> On 2017-02-10 12:14:05 (+0100), Klaus Ethgen <klaus+mai...@ethgen.de> wrote:
> > On Thu, 9 Feb 2017 at 21:25, John Levine wrote:
> > > > I never understand why users won't just collect mail from the 'proper' mail server rather than having to forward it all to gmail/hotmail. A large portion of our support issues are to do with this forwarding.
> > >
> > > Bad reason: setting up POP collection takes two minutes, while adding a forward only takes 15 seconds.
> > >
> > > Better reason: POP polling can add noticeable delays to your mail, and most places don't let you set the polling schedule.
> >
> > Much better reason:
> >
> > We teach people to not give their passwords away and now you want them to give them to google? WTF?
> >
> > Never, never ever tell that to your users. Forward is the better idea for that. Sure, you have to handle the spam yourself.
>
> We are drifting a bit from mailop-appropriate topics but:
>
> This can be easily mitigated by deploying single-use passwords. Users need to be encouraged to set up two-factor authentication everywhere and pretty much all two-factor authentication schemes allow for setting up what are often called "application passwords" precisely for this kind of use case.
>
> Don't say: "just give Google your password" but do say: "please generate a password for Google".
>
> Security is hard.
>
> Philip
>
> --
> Philip Paeps
> Senior Reality Engineer
> Ministry of Information
>
> _______________________________________________
> mailop mailing list
> mailop@mailop.org
> https://chilli.nosignal.org/cgi-bin/mailman/listinfo/mailop