
openerp-india team mailing list archive

[Bug 1082205] Re: 7.0 fetchmail server must encrypt password

 

As already discussed on other bugs, remote service passwords cannot be one-way encrypted in the database because many of those remote services only support authentication methods based on the password (which OpenERP must therefore be able to read).
The only options are forcing password-less authentication methods only (which will prevent most users from using fetchmail, and make the config more complicated), or performing a dummy reversible encryption on the stored passwords, which adds little security.

It's the same reason why Firefox and Thunderbird (those are just 2 examples, every piece of software has the same problem) store the password in plaintext, and offer little added security when you add an optional "master password" to encrypt them: http://security.stackexchange.com/questions/8780/is-it-possible-to-easily-retrieve-thunderbirds-passwords-with-access-to-hdd
And of course even that "master password" is stored somewhere in plaintext, either in the code or somewhere on the disk... I suppose you start getting the point.

So yes, it could be improved a bit, but it will not actually increase
the safety of your passwords, unless we force password-less
authentication methods, which almost nobody can use for IMAP/POP.

You could also take extra steps to prevent unauthorized access to your
database, as there is obviously a lot of very sensitive data in it aside
from passwords, like your accounting data that could be tampered with
without leaving tracks, etc.

** Changed in: openobject-addons
   Importance: Undecided => Wishlist

** Changed in: openobject-addons
       Status: New => Confirmed

** Changed in: openobject-addons
     Assignee: (unassigned) => OpenERP's Framework R&D (openerp-dev-framework)

-- 
You received this bug notification because you are a member of OpenERP
Indian Team, which is subscribed to OpenERP Addons.
https://bugs.launchpad.net/bugs/1082205

Title:
  7.0 fetchmail server must encrypt password

Status in OpenERP Addons (modules):
  Confirmed

Bug description:
  select user,password from fetchmail_server;
  returns unencrypted passwords - high risk

To manage notifications about this bug go to:
https://bugs.launchpad.net/openobject-addons/+bug/1082205/+subscriptions
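
The trade-off described in the comment above, as an added Python example that is not part of the original message or of OpenERP's code: a one-way hash can verify a password but cannot supply it to a remote IMAP/POP login, while reversible storage is undone by anyone who holds both the row and the key. The key, the sample password and the HMAC-based keystream (a stdlib stand-in for a real cipher) are assumptions.

```python
import hashlib
import hmac
import os

def one_way(password: str, salt: bytes) -> bytes:
    """What a login table stores: enough to verify, not to recover."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # Stand-in stream cipher (HMAC-SHA256 in counter mode), stdlib only.
    # A real deployment would use an authenticated cipher from a vetted library.
    out = b""
    ctr = 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def wrap(key: bytes, password: str) -> bytes:
    """Reversible storage: random nonce followed by the XOR-encrypted password."""
    nonce = os.urandom(16)
    data = password.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    return nonce + ct

def unwrap(key: bytes, blob: bytes) -> str:
    nonce, ct = blob[:16], blob[16:]
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()

def demo() -> dict:
    password = "s3cret-mailbox-pw"  # constructed sample value
    salt = os.urandom(16)
    key = os.urandom(32)            # hypothetical server-side key
    hashed = one_way(password, salt)
    blob = wrap(key, password)      # what the password column would hold
    return {
        # A hash can check a candidate that someone supplies...
        "hash_verifies": hmac.compare_digest(hashed, one_way(password, salt)),
        # ...but it is not the password the remote IMAP/POP server expects.
        "hash_usable_as_login": hashed == password.encode(),
        # Reversible storage keeps plaintext out of a table dump...
        "blob_hides_plaintext": password.encode() not in blob,
        # ...yet whoever holds both the row and the key gets the password back.
        "recovered_with_key": unwrap(key, blob) == password,
    }

if __name__ == "__main__":
    print(demo())
```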

