On 2025-01-07 at 17:32 +0100, Jaroslaw Rafa wrote:
> On 7.01.2025 at 16:10:32 Louis via mailop writes:
> > think that's the beauty of email. You do not have control over how a client
> > stores a password, this is just one of the reasons I enforce ASPs. Your points 1
> > and 2 are also true, and in my mind they cancel each other out regarding risk in
> > this case. I don't have the statistics at hand, but my gut tells me device
> > compromises happen much more often than Google leaking plaintext passwords.
>
> I think it's a stupid choice to store a password in an email client (of
> course I'm aware people do this for convenience, which leads straight to
> them forgetting their password, as they don't use it). I always advise
> against doing it, and instead just typing the password every time one
> launches the email client and it asks for a password.
Well, I completely disagree with you. 😉

First of all, it's not realistic to expect users to do that. Second, even less so if you have a bunch of accounts, so you might need to provide dozens of passwords each time you open your email client. Third, if the email client saves the password, I might use as password dQLB9Lh3l6$".5p%;ZA26g@=fl3NHc>F[rH;kR5iIwB)fUu*#= whereas needing to type it daily will lead to choosing something more... memorable.

Forgetting the password is not a problem as long as you have it properly saved in your password manager. Admittedly, once in a blue moon you might need to use that password to configure something in e.g. a webmail. That's only slightly annoying if the webmail decides not to allow pasting (or, worse, fails mysteriously when pasted).

Of course, it may be preferable to use a certificate for authentication, but I don't know of providers actually offering that (and most end users would be unable to configure that), and the private certificate could still be stolen (unless you _also_ expect an external hardware module).

I do think that enforcing Application Specific Passwords is a good solution to the problem, and one requiring no client-side changes, unlike OAuth, where not many clients support it, and for those that do, many do so only for specific providers.

Regards

_______________________________________________
mailop mailing list
mailop@mailop.org
https://list.mailop.org/listinfo/mailop
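The property the thread is arguing about (a credential stored in a mail client is acceptable if it is per-client and revocable) is easy to show in code. The following is an added illustration written for this page, not code from the mailop thread, from any mail server, or from any provider's ASP implementation. It models a per-account store of application-specific passwords: each client gets its own long random secret, the server keeps only a salted PBKDF2 hash, and revoking the credential of a stolen laptop leaves the phone's credential working. The alphabet, length, hash parameters and class names are all assumptions made here.

```python
"""Toy model of application-specific passwords (ASPs).

Added illustration for this page; not code from the mailop thread or from
any real mail server. One random, individually revocable credential per
client, stored server-side only as a salted PBKDF2-HMAC-SHA256 hash.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# Assumptions: lowercase+digits, 20 chars (~103 bits). Nobody types an ASP,
# so it can be as long and unmemorable as the client's password store allows.
ASP_ALPHABET = string.ascii_lowercase + string.digits
ASP_LENGTH = 20
PBKDF2_ITERATIONS = 100_000  # assumption; tune to your server's budget


def _hash(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ITERATIONS)


@dataclass
class AspRecord:
    label: str      # e.g. "Thunderbird on laptop", shown to the user for revocation
    salt: bytes
    digest: bytes
    revoked: bool = False


class AspStore:
    """ASPs for one account. Holds hashes only, never the secrets themselves."""

    def __init__(self) -> None:
        self._records: Dict[str, AspRecord] = {}

    def issue(self, label: str) -> Tuple[str, str]:
        """Mint a new ASP; the plaintext is returned once and never stored."""
        secret = "".join(secrets.choice(ASP_ALPHABET) for _ in range(ASP_LENGTH))
        salt = secrets.token_bytes(16)
        asp_id = secrets.token_hex(4)
        self._records[asp_id] = AspRecord(label, salt, _hash(secret, salt))
        return asp_id, secret

    def verify(self, candidate: str) -> Optional[str]:
        """Return the id of the non-revoked ASP matching `candidate`, else None.

        Every record is checked and compared in constant time so timing does
        not reveal which (if any) ASP matched. The account's main password is
        deliberately not in this store: with ASPs enforced, IMAP/SMTP clients
        can only ever present an ASP.
        """
        match: Optional[str] = None
        for asp_id, rec in self._records.items():
            if hmac.compare_digest(_hash(candidate, rec.salt), rec.digest) and not rec.revoked:
                match = asp_id
        return match

    def revoke(self, asp_id: str) -> None:
        """Kill one client's credential without touching the others."""
        self._records[asp_id].revoked = True

    def labels(self) -> Dict[str, Tuple[str, bool]]:
        return {i: (r.label, r.revoked) for i, r in self._records.items()}


def demo() -> dict:
    """Walk through the 'device compromise' scenario from the thread."""
    store = AspStore()
    laptop_id, laptop_asp = store.issue("Thunderbird on laptop")
    phone_id, phone_asp = store.issue("K-9 Mail on phone")
    account_password = "correct horse battery staple"  # constructed sample

    before = {
        "laptop": store.verify(laptop_asp) == laptop_id,
        "phone": store.verify(phone_asp) == phone_id,
        "main_password_accepted": store.verify(account_password) is not None,
    }
    store.revoke(laptop_id)  # laptop reported stolen; its stored ASP dies with it
    after = {
        "laptop": store.verify(laptop_asp) == laptop_id,
        "phone": store.verify(phone_asp) == phone_id,
    }
    return {"before": before, "after": after}


if __name__ == "__main__":
    print(demo())
```

Running the block prints that both clients authenticate initially, the main account password is never accepted on the ASP path, and after revoking the laptop's ASP only the phone's still works. That is the whole argument for enforcing ASPs on clients that store credentials: a compromised device costs you one credential, not the account.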