Old 12-15-2010, 12:16 PM   #1
iKarampa
Nameless Being
 
Hide email password

Currently when you set up a mail account, your password is displayed in plain text once you hit the "Test email" button. Is it possible to hide it?
Old 12-15-2010, 12:20 PM   #2
kovidgoyal
creator of calibre
Test email is explicitly for debugging, that is why the password is shown. Note that hiding the password in that dialog doesn't make your password secure in any fashion. The user can just click "show password" in the config dialog.
Old 12-15-2010, 12:28 PM   #3
iKarampa
Nameless Being
 
Actually, once you put in the password, anyone can go to the email preferences, press the "show" checkbox and see it. This is very useful in the debugging version of the application but potentially disastrous for a user whose laptop is shared or stolen...
Old 12-15-2010, 12:35 PM   #4
chaley
Grand Sorcerer
The problem, of course, is that the password must be sent in plain text to the mail service. That means that it must be convertible to plain text by calibre. That means that if the password is stored encrypted, the decryption algorithm will be plainly visible in the code. That means that no matter what is done, the password is not secure. So why bother?

The same argument is used against DRM. Why do it, because it can be cracked? The publishers are hoping that the buyers are ignorant.
Old 12-15-2010, 12:42 PM   #5
iKarampa
Nameless Being
 
With SSL or TLS capable servers I do not think the password is sent over in plain text. I guess I am just asking to make it a little bit harder for anyone using my computer to see my most important password.
Old 12-15-2010, 12:57 PM   #6
kovidgoyal
creator of calibre
With SSL or TLS calibre still needs to know the original password, that is then encrypted by the transport layer. The same will be true of whatever email program you use.

If you are paranoid about your password, do not store it in any programs.
Old 12-15-2010, 08:46 PM   #7
Dopedangel
Wizard
Quote:
Originally Posted by iKarampa
With SSL or TLS capable servers I do not think the password is sent over in plain text. I guess I am just asking to make it a little bit harder for anyone using my computer to see my most important password.
Why don't you register a new account on gmail or hotmail just for using with calibre? Or do you need the emails to come from a specific account?
Old 12-16-2010, 04:32 AM   #8
iKarampa
Nameless Being
 
You bet I am paranoid about that specific password!

Quote:
Originally Posted by Dopedangel
Why don't you register a new account on gmail or hotmail just for using with calibre? Or do you need the emails to come from a specific account?
I think this is the most sensible solution. Otherwise the developer would have to hash the password for local storage, which can be tricky on an open source application.
Old 12-16-2010, 10:31 AM   #9
kovidgoyal
creator of calibre
@iKarampa: FYI, hashing, whether in closed source or open source applications is *not* secure.
kovidgoyal is offline   Reply With Quote
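
The argument made in posts #4 and #6, as an added example that is not part of the original thread and is not calibre's code: a mail client must rebuild the SMTP `AUTH PLAIN` response from the original password, so a stored hash cannot log in, while a reversibly stored copy is recoverable by anyone who has the file and the code. The user, password, embedded key and XOR scheme below are constructed for illustration.

```python
import base64
import hashlib

# Constructed sample credentials, not taken from the thread.
USER = "reader@example.com"
PASSWORD = "correct horse battery staple"

# Hypothetical key shipped inside the application source, standing in for
# any "encrypt the stored password" scheme whose key lives in the code.
EMBEDDED_KEY = b"key-shipped-in-source"


def auth_plain_payload(user: str, password: str) -> str:
    """SASL PLAIN initial response (RFC 4616): base64 of NUL user NUL password."""
    raw = b"\0" + user.encode() + b"\0" + password.encode()
    return base64.b64encode(raw).decode("ascii")


def _xor(data: bytes) -> bytes:
    """Toy reversible transform keyed only by EMBEDDED_KEY (illustration only)."""
    blocks = len(data) // 32 + 1
    stream = b"".join(
        hashlib.sha256(EMBEDDED_KEY + bytes([i])).digest() for i in range(blocks)
    )
    return bytes(a ^ b for a, b in zip(data, stream))


def store_obfuscated(password: str) -> bytes:
    """What would be written to the config file under the 'encrypted' scheme."""
    return _xor(password.encode())


def load_obfuscated(blob: bytes) -> str:
    """What the client, or anyone else holding the same code, can recover."""
    return _xor(blob).decode()


def store_hashed(password: str) -> str:
    """One-way digest: fine for verifying a login, useless for performing one."""
    return hashlib.sha256(password.encode()).hexdigest()


def demo() -> dict:
    wanted = auth_plain_payload(USER, PASSWORD)  # what the server expects
    blob = store_obfuscated(PASSWORD)
    digest = store_hashed(PASSWORD)
    return {
        "stored_blob_differs_from_password": blob != PASSWORD.encode(),
        "blob_plus_code_recovers_login": auth_plain_payload(USER, load_obfuscated(blob)) == wanted,
        "hash_alone_can_log_in": auth_plain_payload(USER, digest) == wanted,
    }
```

TLS protects the payload on the wire only; the client still needs the original password to build it.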