Is it possible not to save plain passwords for my account services in eM Client files?

Hello,

When I configured my iCloud account in eM Client, it appears the iCloud password is saved in eM Client files as plain text.
It seems not secure enough for me.

Is it possible to avoid saving the plain password?

Which alternatives are possible?

Thanks,
Sergiy

Hello,

If you mean the situation with logs, then it will not be changed, as the purpose of logs is to provide raw data.

Otherwise, all passwords are encrypted in eM Client during normal use.

Regards,
Jan

I found my iCloud password by a simple text search in the eM Client folder (eM Client was closed).
I use this password to synchronize calendar with iCloud.

The plain password was found in the following files (with the default location of eM Client files on Windows Vista):

“C:\Users\[user_name]\AppData\Roaming\eM Client\main.dat”
“C:\Users\[user_name]\AppData\Roaming\eM Client\main.dat-wal”

I don’t think that these are some kind of log files.
No?

I would also be grateful if you added more details on the logs as well.
What operations can result in saving my password, and where?
Is it the folder “C:\Users\[user_name]\AppData\Roaming\eM Client\Logs” or something else?

Thanks in advance,
Sergiy
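
The check described in the post above (searching an application's data folder for a known password while the program is closed) can be repeated as a small script. This is an added example, not part of the thread or of eM Client; it goes beyond a plain text search by also looking for the UTF-16LE and Base64 forms of the secret, and the password and file contents in `demo()` are constructed.

```python
import base64
import tempfile
from pathlib import Path

CHUNK = 1 << 20  # read 1 MiB at a time so a large database is never loaded whole

def encodings_of(secret: str) -> dict:
    """Byte patterns under which a secret can sit unencrypted in a file."""
    raw = secret.encode("utf-8")
    return {
        "utf-8": raw,
        "utf-16le": secret.encode("utf-16-le"),  # common in Windows applications
        "base64": base64.b64encode(raw),  # encoding, not encryption
    }

def scan_file(path: Path, patterns: dict, chunk_size: int = CHUNK) -> list:
    """Return sorted (byte offset, encoding) pairs for every occurrence in path."""
    overlap = max(len(p) for p in patterns.values()) - 1
    hits, tail, base = set(), b"", 0  # base is the file offset of buf[0]
    with path.open("rb") as fh:
        while chunk := fh.read(chunk_size):
            buf = tail + chunk
            for name, pat in patterns.items():
                pos = buf.find(pat)
                while pos != -1:
                    hits.add((base + pos, name))
                    pos = buf.find(pat, pos + 1)
            # keep the last bytes so a match split across two reads is still found
            tail = buf[-overlap:] if overlap else b""
            base += len(buf) - len(tail)
    return sorted(hits)

def scan_dir(root: Path, secret: str) -> dict:
    """Scan every regular file under root; return only the files with hits."""
    patterns, report = encodings_of(secret), {}
    for path in sorted(p for p in root.rglob("*") if p.is_file()):
        if hits := scan_file(path, patterns):
            report[path.relative_to(root).as_posix()] = hits
    return report

def demo() -> dict:
    """Constructed sample: file names follow the thread, contents are made up."""
    secret = "Example-Passw0rd!"  # constructed value, not a real credential
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "main.dat").write_bytes(b"\x00hdr" + secret.encode() + b"\x00rest")
        (root / "main.dat-wal").write_bytes(b"x" * 7 + secret.encode("utf-16-le"))
        (root / "other.dat").write_bytes(b"no secret here")
        return scan_dir(root, secret)
```

An empty report only shows that the secret is not stored in these three forms; it does not show that the data is encrypted with a key kept somewhere else.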

No, eM Client does not save anything anywhere outside the eM Client folder and folders that you can set up in Settings.

Both main.dat files are not log files, but plain text in this matter is used in all clients. For example, Outlook does this also - you can try the same search (if you have Outlook) and it will find your password also - the easiest proof is that we can import the whole account from it.

Yes, it could be solved by using a hash, but the decryption key would still be available locally.

Software that has this data encrypted still needs to use a master password that can be easily decrypted.

Also, the attacker does not know your password, so for him it would take a much longer time at your computer to decrypt it, as he can't open main.dat to read from it.

What kind of security breach case do you fear anyway? If an attacker gets access to your computer, he will be able to steal all your data, no matter if he would be able to read your passwords or it will take him a few minutes to find the decryption key to use it on files under hash.

I hope that this answers all your questions.

Regards,
Jan

Hello Jan,

Thanks for the reply.

> you can try same search (if you have Outlook) and it will find your password also

Possibly yes, I didn’t try it. But now I think more about my data security.

> Software that has these data encrypted still need to use master password…

A master password is the preferred way for me.

> … that can be easily decrypted.

This is not clear to me. There are applications which have quite strong protection, e.g. TrueCrypt.
Yes, third parties can brute-force the password if it is not strong enough.
Anyway, you will have time to change your password at least.

> If attacker will get access to your computer he will be able to steal all your data no matter if he would be able to read your passwords or it will take him few minutes to find decryption key to use it on files under hash.

This is not true. E.g. a TrueCrypt disk is very difficult to crack, even if your device is stolen. Similar approaches are used in many other applications.

Another alternative to avoid saving passwords is to use some kind of authentication tokens, e.g. at page http://support.apple.com/kb/HT4865 , section “Use of Secure Tokens for Authentication”. I was not aware whether such or a similar approach is used in eM Client, and this is one more reason why I asked the question.

Anyway, thanks for the reply.
I have an answer to my question.
And security discussions are of course out of scope of the question.

Thanks,
Sergiy

Hello,

I understand your point with TrueCrypt, but it still needs a password inserted. Anyway, to the original point: it really will not cause problems for hackers if we would encrypt the database.
If there were any point, it would be done, but these days it would cause more problems than benefits.

Anyway, I am happy that my answer was good for you.

Regards,
Jan