I think reentering the password, even if I have to do it only once after starting Calibre, would qualify as a hassle for me. I'd prefer if I could specify my password somewhere permanently and FFDL would use it, similarly to how the login process for fanfiction sites is currently facilitated (which is even more insecure, and somehow no one is worried?).
Somehow I doubt that someone would tailor a plugin to specifically exploit FFDL's temporary, or even permanent, saving of a password. How is Calibre handling it in the "Sharing books by email" dialogue? Does it use some kind of system keychain or a simple (and obviously open-source) method of encryption for the password?
And although I haven't taken a closer look at the new code yet, executing EmailPassDialog in the parameters won't prevent passwords from being stolen if someone really wants to -- I could just replace the class entirely at runtime, or alternatively modify/decorate parts of it and grab the password from a different plugin (I did something similar a few months ago to forcefully overwrite the hardcoded sleep delay in FFDL for some sites).
Last edited by cryzed; 02-11-2015 at 04:09 PM.