storing password lists in mails to myself on IMAP?

Nomen Nescio nobody at dizum.com
Fri Feb 16 20:10:02 CET 2007


Robert J. Hansen wrote:

> > Maybe you should think things through, or God forbid even run a
> > few tests or something before puffing your chest there Robert.
> > Especially when you're in the unenviable position of potentialy
> > being your own proof of concept.
> 
> I don't know why you have such an allergy to being shown wrong.  Or  
> why you think I do.
> 
> It works like this: if you can find me a commonly-used IMAP client  
> that's this stupid, then I will welcome being shown wrong.  And  
> really, why shouldn't I?  Being wrong isn't the end of the world.

Well Robert, unless you care to further debase yourself by trying to
argue the Thunderbird isn't a "commonly-used IMAP client" you've
been handed the very example you're harping  about. By two different
people no less.

It was in the part you snipped and ignored, in case you were wondering.

The bottom line is this: There's probably a lot of IMAP clients out
there that will by default or design write portions or whole copies
of unencrypted text to a server. It really doesn't take a boat load
of IQ points to realize this is the nature of IMAP.

Storing pass phrases in email at all is bad idea for a number of
reasons. You don't have many clues what a client does with it when it's
open for one. The odds you'll inadvertantly click where you shouldn't
and send an unencrypted copy some place you don't want it to go
increase dramatically too. Likewise the chances of corruption or
compromise at the hands of some script kiddie.

If we invested a little thought in the project though we could
probably come up with a few dozen reasons why mailing passwords about
is a bad idea even if you have absolute control over the hardware at
the end points of the encryption, let ALONE any scenario where you
can't guarantee they won't be written to hardware you don't own. In the
clear. :-(




More information about the Gnupg-users mailing list