danchoi / vmail

a vim interface for gmail
http://danielchoi.com/software/vmail.html
MIT License

Encrypt password #188

Open benmezger opened 9 years ago

benmezger commented 9 years ago

I don't feel comfortable having my password raw in a file, is there any method to encrypt it?

notalex commented 9 years ago

Currently there is no solution for encrypting passwords. I prefer to not keep my password in the config file and instead enter it every time I start Vmail.

benmezger commented 9 years ago

Yes, there is this possibility too, though it annoys me a bit. I didn't have time to check the source yet; has vmail ever tried to implement a password hash that perhaps it can decrypt itself before sending to Google? Was this possibility ever thought about? (Maybe it sounds stupid, but afaik that's how Weechat does it.) Just a brainstorm. Doesn't Google have a password encryption API or something? A server-side part.

notalex commented 9 years ago

Q) Should Vmail be modified to accept an encrypted password, which it decrypts before sending it to Gmail?

Since this has to be a two-way encryption, anyone who gets hold of your encrypted password can easily decrypt it using the Vmail source. This will be as unsafe as using plain-text passwords, IMHO.

Q) Will Google accept encrypted password?

AFAIK, Google does not have a password encryption api. If everyone had access to the encrypted password pattern that Google uses, it would be easy to reverse engineer the algorithm used for encryption.

I can think of two ways to solve this problem:

1) Modify Vmail to accept the password as an environment variable, which should be easy to do. There are several password-managing utilities that provide access to stored passwords through a command-line API (e.g. LastPass). One could then start Vmail with a command that sets the environment variable from the password-managing software, like so:

  VMAIL_PASSWORD=$(some_password_manager get vmail) vmail

2) Modify Vmail to use Google's oauth2 authentication. I am not sure about how difficult implementing this would be, but it seems like an ideal solution.
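As an added illustration of both options above (example code written for this thread, not vmail's own code and not from either commenter), the Ruby below resolves the credential with the precedence "environment variable, then config file, then a non-echoing prompt", refuses a group- or world-readable config file, and builds the SASL XOAUTH2 initial response that Gmail's IMAP server accepts for OAuth2 logins. The variable name `VMAIL_PASSWORD`, the `config['password']` key and the `VMAIL_USER` name are assumptions for this example; the `gmail_login` helper assumes a net-imap that ships the XOAUTH2 authenticator (net-imap 0.2 and later, bundled with Ruby 3.1+). Obtaining and refreshing the OAuth2 access token is out of scope here.

```ruby
require 'io/console'   # IO#getpass: read a password without echoing it
require 'net/imap'

# Option 1: take the credential from the environment so a password manager can
# supply it per session and nothing has to sit in a config file.
# Precedence (names are assumptions for this example, not vmail's):
#   1. VMAIL_PASSWORD in the environment
#   2. a 'password' entry in the parsed config hash (the plain-text option)
#   3. an interactive, non-echoing prompt
def resolve_password(env: ENV, config: {}, prompt: -> { $stdin.getpass('Gmail password: ') })
  from_env = env['VMAIL_PASSWORD']
  return from_env unless from_env.nil? || from_env.empty?

  from_file = config['password']
  return from_file unless from_file.nil? || from_file.empty?

  prompt.call
end

# If a password does live in a config file, insist on owner-only permissions;
# a 0600 file is the least a plain-text secret should get.
def config_permissions_ok?(path)
  (File.stat(path).mode & 0o077).zero?
end

# Option 2: OAuth2 over IMAP uses the SASL XOAUTH2 mechanism. The initial client
# response is the base64 encoding of
#   "user=" <email> "\x01" "auth=Bearer " <access_token> "\x01\x01"
# The access token is short-lived and limited to the granted scope, which is why
# losing a token is a smaller loss than losing the account password.
def xoauth2_initial_response(email, access_token)
  ["user=#{email}\x01auth=Bearer #{access_token}\x01\x01"].pack('m0') # strict base64, no newlines
end

# Authenticate an already-connected Net::IMAP session with XOAUTH2.
# Assumes net-imap 0.2 or newer (ships the XOAUTH2 authenticator).
def gmail_login(imap, email, access_token)
  imap.authenticate('XOAUTH2', email, access_token)
end

# Plain-password path for comparison: the password never touches disk when it
# arrives via VMAIL_PASSWORD, e.g.  VMAIL_PASSWORD=$(lpass show -p email) ruby vmail_auth.rb
def gmail_login_with_password(imap, email, config = {})
  imap.login(email, resolve_password(config: config))
end
```

Usage: open the session with `imap = Net::IMAP.new('imap.gmail.com', port: 993, ssl: true)` and call either `gmail_login_with_password(imap, ENV['VMAIL_USER'])` or `gmail_login(imap, ENV['VMAIL_USER'], access_token)`. With the environment-variable route the password exists only in the process environment of that one vmail session, which is the separation of responsibilities the thread argues for.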

benmezger commented 9 years ago

@notalex Sorry, I re-read what I said, it didn't make any sense, I was in a hurry, instead of editing, I will clarify it here. Decrypting the hashed password with Vmail seems fair, I didn't think about the possibility of hacking it through reverse eng. using Vmail. Silly me. Though, I am interested how Weechat does it -> http://dev.weechat.org/tag/password

About the Google API, I had a laugh about it, it was very silly; what I actually meant was, what if Google provided OAuth tokens. I understand that someone could easily steal my token and use it for their purposes, but honestly, I'd rather have my token stolen than my password. As you already answered, I am not sure either; as I said, I didn't have the time to check Vmail's source, but I guess you could set up OAuth2 and query Google's API (IMAP or whatever) with the token, no? I could be wrong, I have never dealt with such a problem.

I think using OAuth2 seems the best/safest method. You said that using a password manager would also work; I wouldn't agree much, since many password managers require a master password, and if the master is compromised, well, you are screwed, unless the password manager you are using has a method of "application whitelist" (the pwd manager I use doesn't). In this case, I would need to use my master password, making my privacy vulnerable.

When I have time, I will check Vmail's source code and think about implementing Google's OAuth2 authentication.

Other than that, Vmail = powerful tool.

Cheers.

notalex commented 5 years ago

(screenshot attachment: selection_001)

notalex commented 5 years ago

@towc, if the password is allowed through ENV, one could use vmail with an external password manager like LastPass:

$ VMAIL_PASSWORD=$(lpass show -p email) vmail

This is quite safe and keeps the responsibilities separate.