On 5/19/20 5:51 AM, Thomas Walter via mailop wrote:
> On 19.05.20 12:01, Jaroslaw Rafa via mailop wrote:
>> A shared account by itself is a security loophole.
> Why is that? You can perfectly share an account with IMAP4 Access
> Control Lists.
>
> The issue is not the shared account, the issue is a shared password.
>
Correct. Most of our shared mailboxes are indeed accessed via mailbox permissions, but some people still choose to set a password on the shared account for reasons; sometimes valid, but sometimes misguided.

I guess I was making the logical leap that if the password was in a breach data set, then a password associated with that address exists in the wild. Maybe one of the people with access to that account used the address to sign up for a 3rd party service, and they presumably shared that password with others and made it easy to remember. A typical user may have signed up for multiple 3rd party services using the same password. Hopefully they used a password manager and generated strong unique passwords and shared to their colleagues via the password manager's sharing capabilities. No way to really know other than to ask.

Hence why I see value in getting reports like what Abusix is providing.

Jesse