[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

bug#9113: 24.0.50; auth-sources: .authinfo versus .authinfo.gpg

From: Lars Ingebrigtsen
Subject: bug#9113: 24.0.50; auth-sources: .authinfo versus .authinfo.gpg
Date: Mon, 30 Jan 2012 17:18:03 +0100
User-agent: Gnus/5.110018 (No Gnus v0.18) Emacs/24.0.92 (gnu/linux)

"Roland Winkler" <address@hidden> writes:

> But then it appears to me that elsewhere there is a problem:
> Why is it necessary that Emacs reads this file three gazillion
> times? I would assume: reading the encrypted file once and holding
> the content in memory cannot be more unsecure than storing the
> sensitive information in an unencrypted file.

Yes, that's more secure.  Now that you mention it, perhaps we did fix
the aggressive password prompting?  I seem to remember adding a cache at
some point...

Anyway, having to enter a password for (say) sending email, even if your
SMTP server isn't password-protected (as you have to do with
.authinfo.gpg) isn't particularly ideal.

So I think the .authinfo.gpg concept isn't a good thing.  (But
encrypting tokens in the .authinfo file might be.)

And perhaps the password token in .authinfo should always be obscured,
at least, to avoid accidentally spilling the passwords (visually) if you
do a grep .* or something.  (This is what all the other
password-hoarding applications like Firefox, Chrome, etc do by default.)

(domestic pets only, the antidote for overdose, milk.)
  http://lars.ingebrigtsen.no  *  Sent from my Rome

reply via email to

[Prev in Thread] Current Thread [Next in Thread]