[imp] imp 2.3.x vs TWIG

Rich Lafferty rich@horde.org
Sat, 27 Jan 2001 19:21:32 -0500


On Sat, Jan 27, 2001 at 09:59:46PM -0200, Alexandre Hautequest (hquest@fesppr.br) wrote:
> On Sat, 27 Jan 2001, Rich Lafferty wrote:
> 
> > Storing a password in a database source might be too insecure for
> > some, especially given users' propensity to reuse passwords. (...)
> 
> So we can use the crypt ability to encrypt/decrypt the database stored
> password. I don't think this will be a big limitation, unless the database
> is world-readable.

I suppose you could encrypt the database passwords with the Horde
password. I'm sure there's an attack on that, but it's not coming to
mind immediately.

I've a suspicion that it'll end up better to store them plaintext, on
the assumption that anyone that gets in to read them could also obtain
the information they'd need to decrypt them.

In case it wasn't clear before, I don't think it's a bad idea, I just
think it's something we should make people explicitly enable, rather
than working like that out of the box. I *like* the idea, and it's
probably preferable to the alternative, which is for users to store
their passwords for local POP servers with some entity out of local
control like Hotmail.

  -Rich

-- 
------------------------------ Rich Lafferty ---------------------------
 Sysadmin/Programmer, Instructional and Information Technology Services
   Concordia University, Montreal, QC                 (514) 848-7625
------------------------- rich@alcor.concordia.ca ----------------------