jberkel / sms-backup-plus

Backup Android SMS, MMS and call log to Gmail / Gcal / IMAP
https://play.google.com/store/apps/details?id=com.zegoggles.smssync
Apache License 2.0

Request for information: "Plain text" #1029

Open GregoryTravis opened 3 years ago

GregoryTravis commented 3 years ago

The README says:

change Authentication to "Plain text" in "Advanced settings - Custom IMAP server"

Does "plain text" here mean that it is sending the app password unencrypted?

Tecfan commented 3 years ago

I would also like a more in-depth explanation of what happens to our "unencrypted" passwords.

ajhepple commented 3 years ago

As I understand it, the IMAP protocol is conducted in plain text, including the password, but the whole thing is encapsulated by a TLS session which is encrypted. The email client need not encrypt data because the connection is secure, thanks to TLS.

I've often been known to misunderstand things!

kurahaupo commented 3 years ago

@ajhepple is correct. It's not especially vulnerable to interception as long as the IMAP server you're talking to supports and requires encryption. (GMail IMAP does.)

In this context "plain text" means that the password itself is sent, rather than being used as part of a key-exchange. This is a requirement to support the IMAP protocol, which is 30+ years old at this point.

Together with the requirement to make the unencrypted password visible to any app that uses it, these are reasons why you should have a unique password for IMAP (or POP) access.
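
The distinction drawn in the replies above, as an added example (not code from this thread or from SMS Backup+): a SASL PLAIN payload is only base64 and decodes straight back to the password, so TLS is the only thing protecting it, whereas a challenge-response mechanism sends a digest instead. CRAM-MD5 is used here purely as an illustration of a mechanism that does not send the password; the user, password, challenge and capability lists are constructed sample values.

```python
import base64
import hashlib
import hmac

# Constructed sample values, not real credentials.
USER = "alice@example.com"
APP_PASSWORD = "constructed-app-password"


def sasl_plain_response(user: str, password: str) -> str:
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, base64-encoded for IMAP."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def recover_from_plain(response: str) -> tuple[str, str]:
    """What an observer of the IMAP stream reads back if there is no TLS."""
    _authzid, authcid, password = base64.b64decode(response).split(b"\0")
    return authcid.decode(), password.decode()


def cram_md5_response(user: str, password: str, challenge_b64: str) -> str:
    """RFC 2195 CRAM-MD5: the password keys an HMAC over the server challenge."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode("ascii")


def may_send_password(tls_active: bool, capabilities: set[str]) -> bool:
    """Client-side guard: only send the password itself inside TLS."""
    # RFC 3501: LOGINDISABLED means the server refuses LOGIN on this connection.
    return tls_active and "LOGINDISABLED" not in capabilities


if __name__ == "__main__":
    plain = sasl_plain_response(USER, APP_PASSWORD)
    print("AUTHENTICATE PLAIN payload:", plain)
    print("decoded by an observer:   ", recover_from_plain(plain))
    challenge = base64.b64encode(b"<1896.697170952@imap.example.com>").decode()
    cram = base64.b64decode(cram_md5_response(USER, APP_PASSWORD, challenge))
    print("CRAM-MD5 payload decoded: ", cram.decode())
    pre_tls_caps = {"IMAP4REV1", "STARTTLS", "LOGINDISABLED"}
    print("send before STARTTLS?     ", may_send_password(False, pre_tls_caps))
```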