
List:       kmail-devel
Subject:    Saving of passwords (Was: Security status)
From:       Waldo Bastian <bastian () suse ! de>
Date:       2000-02-06 19:42:38

>    Q: How are saved passwords protected?
>    Passwords should be saved on disk only when the user explicitly
> says so. If the user later deactivates the function to save the
> password, an already saved password should disappear from the
> configuration files.
>
>    A: Passwords are saved in the KMail config file, i.e.
>    ~/.kde/share/config/kmailrc. They are not saved as plain text but
>    "encrypted" with a simple scrambling algorithm - encrypting these
>    passwords in a really secure way is impossible. So your passwords
> are protected mainly by the permissions of your .kde directory, which
> should be set to -rwx------.
>
>    If you deselect the "store password" option, the password to that
>    account is deleted as soon as you close the "Configure Account"
> dialog (KMAccountSettings::accept()).
>
>    If you delete an account, the information (including the password)
>    stays in the configuration file (this is a bug). (dnaber,
> 2000-02-04)

For practical purposes I have my ~/.kde/share/config/ directory 
world-readable. The permission of config files is determined by the 
umask settings, which usually results in something like "-rwxr--r--".
It would be good practice to store passwords in a separate file (e.g. 
~/.kde/share/apps/kmail/passwords) and to make sure that this file has 
permissions set to 0600.

Cheers,
Waldo
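
Added example, not part of the original message and not KMail code: a POSIX sketch of the suggestion above, contrasting a config file whose mode is left to the umask with a password file forced to 0600 even when it already exists with looser permissions. The function names and the scratch directory are assumptions made for illustration.

```cpp
// Added example (not KMail code). All names and paths here are hypothetical.
#include <fcntl.h>
#include <sys/stat.h>
#include <unistd.h>
#include <cstdio>
#include <cstdlib>
#include <string>

// Permission bits of a path, or -1 on error.
int file_mode(const std::string &path) {
    struct stat st;
    if (stat(path.c_str(), &st) != 0) return -1;
    return st.st_mode & 07777;
}

// How an ordinary config file is created: mode 0666 filtered by the umask.
bool write_config_file(const std::string &path, const std::string &data) {
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_TRUNC, 0666);
    if (fd < 0) return false;
    bool ok = write(fd, data.data(), data.size()) == (ssize_t)data.size();
    return close(fd) == 0 && ok;
}

// Password file: owner-only regardless of umask, tightened if it already exists.
bool write_secret_file(const std::string &path, const std::string &data) {
    // No O_TRUNC here: contents are untouched until owner and mode are verified.
    int fd = open(path.c_str(), O_WRONLY | O_CREAT | O_NOFOLLOW, 0600);
    if (fd < 0) return false;
    struct stat st;
    bool ok = fstat(fd, &st) == 0
           && S_ISREG(st.st_mode) && st.st_uid == geteuid()
           && fchmod(fd, 0600) == 0        // fixes a pre-existing 0644 file
           && ftruncate(fd, 0) == 0
           && write(fd, data.data(), data.size()) == (ssize_t)data.size();
    return close(fd) == 0 && ok;
}

int main() {
    char dir[] = "/tmp/pwdemoXXXXXX";      // constructed scratch directory
    if (!mkdtemp(dir)) return 1;
    umask(022);                            // a common default umask
    std::string rc = std::string(dir) + "/kmailrc";
    std::string pw = std::string(dir) + "/passwords";
    write_config_file(rc, "[Account 1]\n");
    write_secret_file(pw, "scrambled-password-placeholder\n");
    std::printf("%s %04o\n%s %04o\n", rc.c_str(), file_mode(rc), pw.c_str(), file_mode(pw));
    return 0;
}
```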
