[kdepim-users] KMail POP account: Cannot change password

Martin Steigerwald Martin at lichtvoll.de
Sat Jan 12 12:05:04 GMT 2013 

Am Samstag, 12. Januar 2013 schrieb O. Sinclair:
> On 12/01/2013 13:13, Martin Steigerwald wrote:
> > Am Dienstag, 8. Januar 2013 schrieb Jim MacLeod:
> >> On Tuesday 08 Jan 2013 16:58:29 Maurice Batey wrote:
> > […]
> > 
> >>> And iof I then enable  KWallet in System Settings, then KWallet keeps
> >>> butting into KMail sessions.
> >>> 
> >>> 
> >>> 
> >>> Anyone know of a solution to this, please ?
> >> 
> >> KWallet keeps all settings for POP3 but you can change its password to
> >> 'blank'  so you don't need to enter anything. Make sure it's not set
> >> to 'exit when last app closes' and hopefully it should leave you in
> >> peace.
> > 
> > And has security implications.
> > 
> > Anyone getting a hold of your wallet has immediate access to all
> > passwords in it if you do not protect it with a password.
> > 
> > Your decision of cause, but bank cards has a PIN for a reason :)
> > 
> > I have read about some fixes of KWallet handling in KMail for recent
> > KDE versions. But I bet KDE  SC 4.8.5 may not contain these fixes yet.
[…]
> Am not so sure of that. Should it not be: if anyone gets hold of your
> computer while switched on and you logged in they have your wallet? Try
> reading your wallet "straight from the disk" regardless of access
> password and I am certain it is crypted?
> 
> So rather look at "how paranoid am I". I never give my logon password,
> not even to my family, and lock the screen when I go away from the
> computer. To get thru that someone would really have to WANT to hack my
> data and I can not think of 1 reason why. Even including tax
> authorities..

Thing is as far as I understand:

1) Without password KWallet stores passwords unencrypted. Or just with some 
easily reversible transformation. I.e. by encrypting with blank password :).
It cannot use one way hash like in /etc/shadow, cause it can display back 
passwords in clear text to the user. You can´t have this with /etc/shadow 
unless you crack the hash by brute force which isn´t that easy now that most 
distributions use either blowfish or sha1 hashes for it. So you either have 
it unencrypted, I am not certain of the exact implementation, or you can 
just through the kwl file at any KWalletManager and see the clear text 
passwords. One just needs to have the harddisk with the kwl file on it for 
this. Or access to the file somehow. In case you use a master password, you 
need to brute force crack the kwl file *or* try to access unencrypted 
information while in memory. For me, thats sounds to be more difficult.

2) There is a timeout in KWallet access. It closes down after a time. So 
even when you leave your computer and possibly forgot to lock the screen the 
wallet access will be closed. I also see KWallet been locked down on locking 
the screen, so its also possibly to have that with a lock screen timeout.

As to what someone can do to hack into KWallet, I don´t know. And while 
applications are still accessing it, KWallet needs to keep the kwallet data 
around unencryptedly. But I expect it to use quite some tricks to avoid 
direct unauthenticated access by other processes, even of the same user. But 
for the locking screen case I have to give master password again when trying 
to send a mail or receive mails, so it seems application access is locked 
down to in that case. And if a wallet is closed then I am quite sure that 
KWallet does not have a unencrypted view of it in memory anymore and that it 
makes sure of that by overwriting that memory. Anyway its configurable for 
which applications to always ask on access attempt. Yeah, and its 
configurable to close it when screen blanker is active. Or when no 
applications accesses it, or on when being unused after given amount of 
time.

So only case where I might consider going without a password is with an 
encrypted filesystem, cause then KWallet it always encrypted when I turn of 
the computer. When I hibernate it, swap needs to be encrypted as well.

But even then due to point 2 I have some added security with using a KWallet 
password.

Heck, if all goes well it just asks it once for a long time, so I do not see 
why not to take in that additional security.

You wouldn´t use your SSH or GPG key without a password / passphrase either, 
or will you?

Well, but then people use POP3 and IMAP without SSL/TLS and and and…

Granted in case for an annoying bug like always asking for master password, 
I might disable it as well, but only temporily and its important that this 
bug gets reported and fixed then.

Just don´t complain in case your KWallet is leaked then. Or well if you 
complain, I´d answer: I told you to use a master password, now its your 
responsibility.

See: Its your decision, but I would never recommend anyone to use an empty 
master password *without* informing of the risks involved. Thats why I 
answered here doing just that.

Believe it or not, accept it or not: Using a master password is *best 
practice* with KWallet. That is what it is there for. And I bet is you ask 
any random KDE developer or KWallet maintainer you will get exactly that 
answer.

Thanks,
-- 
Martin 'Helios' Steigerwald - http://www.Lichtvoll.de
GPG: 03B0 0D6C 0040 0710 4AFA  B82F 991B EAAC A599 84C7
_______________________________________________
KDE PIM users mailing list
Subscription management: https://mail.kde.org/mailman/listinfo/kdepim-users

More information about the kdepim-users mailing list