We need to be able to access the passwords for the SMTP / IMAP accounts, since we will need to send them to the SMTP / IMAP servers to authenticate; therefore, hashing the passwords is not sufficient.
I think a good thing could be to use the user's chouette password to compute a private key to encrypt their SMTP / IMAP passwords so that:
when the user connects, we decrypt their account passwords and store them somewhere (maybe in the session)
no passwords are stored in clear in the database
if the database leaks, the attacker can't retrieve the chouette passwords of the users because they're hashed, and they can't retrieve the SMTP / IMAP passwords because they would need the chouette password
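
The scheme proposed above, sketched as an added example (not code from the chouette project): a key is derived from the login password with scrypt and used for AES-256-GCM. The function names, the record layout, the `accountId` format and the per-user `kdfSalt` are assumptions.

```javascript
// Added example, not the project's code. Names and record layout are assumptions.
const { scryptSync, randomBytes, createCipheriv, createDecipheriv } = require('crypto');

// Derive a 256-bit key from the login password. kdfSalt is per user and must
// differ from the salt of the stored login hash, so that the hash kept in the
// database is never the same value as the encryption key.
function deriveKey(loginPassword, kdfSalt) {
  return scryptSync(loginPassword, kdfSalt, 32, { N: 16384, r: 8, p: 1 });
}

// Encrypt one SMTP / IMAP password. accountId is bound as associated data so
// a ciphertext copied onto another account row fails authentication.
function encryptMailPassword(key, accountId, mailPassword) {
  const iv = randomBytes(12); // fresh nonce for every encryption
  const cipher = createCipheriv('aes-256-gcm', key, iv);
  cipher.setAAD(Buffer.from(accountId, 'utf8'));
  const ct = Buffer.concat([cipher.update(mailPassword, 'utf8'), cipher.final()]);
  return {
    iv: iv.toString('base64'),
    ct: ct.toString('base64'),
    tag: cipher.getAuthTag().toString('base64'),
  };
}

// Decrypt at login. Throws if the key is wrong or the record was modified.
function decryptMailPassword(key, accountId, record) {
  const decipher = createDecipheriv('aes-256-gcm', key, Buffer.from(record.iv, 'base64'));
  decipher.setAAD(Buffer.from(accountId, 'utf8'));
  decipher.setAuthTag(Buffer.from(record.tag, 'base64'));
  const pt = Buffer.concat([decipher.update(Buffer.from(record.ct, 'base64')), decipher.final()]);
  return pt.toString('utf8');
}

// Constructed sample values, for illustration only.
function demo() {
  const kdfSalt = randomBytes(16); // would be stored in the user row
  const key = deriveKey('correct horse battery staple', kdfSalt);
  const row = encryptMailPassword(key, 'user42:imap:1', 'imap-s3cret');
  const ok = decryptMailPassword(key, 'user42:imap:1', row);
  let wrongRejected = false;
  try {
    decryptMailPassword(deriveKey('guess', kdfSalt), 'user42:imap:1', row);
  } catch {
    wrongRejected = true; // GCM tag check fails under the wrong key
  }
  return { row, ok, wrongRejected };
}
```

Because the key depends on the login password, a password change has to re-encrypt every stored record under the new key, and a password reset without the old password leaves the existing records undecryptable.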