
Encrypt passwords for mail accounts #1

Open
tforgione opened this issue Jan 17, 2019 · 0 comments
Labels
security There's a security vulnerability

Comments

@tforgione (Member)

We need to be able to access the passwords for the SMTP / IMAP accounts, since we will need to send them to the SMTP / IMAP servers to authenticate; therefore, hashing the passwords is not sufficient.

I think a good thing could be to use the user's chouette password to compute a private key to encrypt their SMTP / IMAP passwords so that:

  • when the user connects, we decrypt their account passwords and store them somewhere (maybe in the session)
  • no passwords are stored in clear in the database
  • if the database leaks, the attacker can't retrieve the chouette passwords of the users because they're hashed, and they can't retrieve the SMTP / IMAP passwords because they would need the chouette password
@tforgione tforgione added the security There's a security vulnerability label Jan 17, 2019