#1
04-08-2007, 11:18 AM
Outstanding Member
Posts: 708
Disable saved password?

The Outlook Connector defaults to saving the user's password, and I can't find a way to stop this.

Yes, I know that all synchronized email is stored on disk in the clear, but passwords work for things other than email, so there's still an added risk.

Am I missing something?
#2
04-08-2007, 05:51 PM
sam
Zimbra Employee
Posts: 821

Why do you need to stop this? What is the security concern?

ZCO takes the password and encrypts it using the key for the currently logged on Windows user. The encrypted password is stored in the profile. When it needs to access the password, it reads the encrypted data from the profile and attempts to decrypt it using the key for the currently logged on Windows user. If the decryption is successful, the password is transmitted to the Zimbra server.
__________________
Sam Khavari

#3
04-08-2007, 09:02 PM
Outstanding Member
Posts: 708
That sounds good. I've had bad experience with programs that save passwords without meaningful encryption (ws-ftp, mozilla thunderbird where a "master password" is not used), but if you're encrypting with the logged-in user's password and using the standard crypto APIs appropriately then that should be fine.

Small concern about students with non-domain computers whose local login password is weaker than their email password... but they're not likely to be using the outlook connector, and their password is probably just as easy to obtain elsewhere.
#4
04-08-2007, 09:11 PM
Outstanding Member
Posts: 708
Just so I can check this off for good... what crypto algorithm? I'm assuming reasonable use of 3DES/RC5/AES since Windows makes it so easy, but since we don't have the source code (we don't, right?), we just have to trust you.
#5
04-09-2007, 12:07 AM
sam
Zimbra Employee
Posts: 821

It uses Triple DES and appends a SHA-1 HMAC so we can identify data tampering. ZCO uses the CryptProtectData & CryptUnprotectData calls. The complete details are available here:

http://msdn2.microsoft.com/en-us/library/ms995355.aspx
__________________
Sam Khavari


#6
04-12-2007, 05:10 PM
Outstanding Member
Posts: 708
The threat I'm worried about is trojans that enumerate and compromise the password list. The .edu community is seeing a fair number of targeted attacks on financial officers. Word zero-day exploits purporting to be complaints from parents, etc.

Do you use pOptionalEntropy? To the limited extent I understand it, that seems to provide nominal protection. The attacker would need to target ZCO specifically, not just Windows.
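As an added example (not from this thread and not Zimbra's code), here are the CryptProtectData / CryptUnprotectData calls named in post #5, exercised from PowerShell on Windows through .NET's ProtectedData wrapper, once with and once without the optional entropy that post #6 asks about. The secret and the entropy value are constructed placeholders; the script has to run as the same Windows user for the CurrentUser scope to decrypt.

```powershell
# ProtectedData wraps CryptProtectData/CryptUnprotectData. DataProtectionScope.CurrentUser
# ties the blob to the logged-on user's DPAPI master key; the optional entropy argument
# is CryptProtectData's pOptionalEntropy, an application-held secret mixed into the key.
Add-Type -AssemblyName System.Security
$scope = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-Secret {
    param(
        [Parameter(Mandatory)] [string] $Secret,
        [byte[]] $Entropy = $null   # $null = no pOptionalEntropy, user key only
    )
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $Entropy, $scope)
    [Array]::Clear($plain, 0, $plain.Length)      # do not leave the cleartext in memory
    return [Convert]::ToBase64String($blob)       # what a profile would store
}

function Unprotect-Secret {
    param(
        [Parameter(Mandatory)] [string] $Blob,
        [byte[]] $Entropy = $null
    )
    $bytes = [Convert]::FromBase64String($Blob)
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($bytes, $Entropy, $scope)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

# Constructed sample values (hypothetical). In a real client the entropy is a constant
# compiled into the program, never written next to the blob it protects.
$entropy = [System.Text.Encoding]::UTF8.GetBytes('example-app-entropy-not-a-real-value')
$blob    = Protect-Secret -Secret 'correct horse battery staple' -Entropy $entropy

# Same user, same entropy: DPAPI decrypts and the HMAC check passes.
"With entropy: " + (Unprotect-Secret -Blob $blob -Entropy $entropy)

# Same user, entropy omitted: CryptUnprotectData fails. This is the bar pOptionalEntropy
# raises: a generic credential dumper running as this user cannot recover the value
# without also knowing the application-specific entropy.
try {
    Unprotect-Secret -Blob $blob
} catch {
    "Without entropy: decryption failed ($($_.Exception.Message))"
}
```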
#7
05-03-2007, 07:10 AM
Senior Member
Posts: 58
I would like to see an option to disable saved passwords. The reason I would like it is for example, a user gets up and goes away from their desk or forgets to logoff/lock their computer, anyone can just sit down (assuming Outlook isn't open yet) and open up Outlook and get to all of their mail, whereas if they had to enter a password, it wouldn't be so easy.
#8
05-03-2007, 07:34 AM
Outstanding Member
Posts: 708
That's a use case I don't find compelling. If you're concerned about people leaving themselves logged on without screen locking, and humans walking up to their computers and messing around, then the appropriate responses include the following: Windows group policy (or local security policy) requiring a locking screensaver; self-closing, self-locking office doors; smart cards and/or prox cards and/or biometrics (but if you're that paranoid, you already have these things); security cameras; security guards; controlled building access.

If you assume physical access, then the only things that are going to help you are a large number of security guards (to catch the attacker in the act) or full-disk encryption, which very recently became practical. The US federal government has an open RFP for full-disk encryption solutions that makes very interesting reading.

My concern is trojan or remote access to stored passwords not by humans, but by moderately sophisticated programs (which, please note, no longer implies a moderately sophisticated attacker; script kiddies can do it). My concern about how the passwords are stored in the Zimbra Outlook Connector has been answered (mostly; I still have one outstanding question above).

Assuming that the credentials cache is handled reasonably, and I am aware of many examples where it has not been handled reasonably, I would strongly argue that single-login systems improve security by raising the bar in the user's mind for who and what is allowed to prompt for a password. When different UIs are popping up password prompts right and left, the user is highly susceptible to password-stealing trojans.

Last edited by Rich Graves; 05-03-2007 at 07:39 AM..
#9
05-03-2007, 07:42 AM
Senior Member
Posts: 58
Well, I was just using that as an example. I don't think just because you are logged onto your computer, that you shouldn't have to type in your email password. Heck, I believe Exchange lets you disable this option, why not Zimbra? Every email program I have used, Thunderbird, Eudora, etc., has the option of whether you want to save your password or not. I think Administrators/Users should have the option to choose which one they prefer.
#10
05-03-2007, 08:06 AM
Outstanding Member
Posts: 708
I understand that's just an example. If you want to prioritize this in any way, come up with a better example.

Sorry if this rant sounds like it's directed at you. It's directed at the software industry more generally.

Password prompts for desktop email programs may be considered what Schneier calls "security theatre." Think of actual attacks and actual ways to deter, detect, and defeat them. Of course Microsoft lets you require passwords to open Outlook against Exchange, even when you are logged on to the same Windows domain as the Exchange server and have cached Kerberos credentials (which you can't turn off) allowing secure single-logon. That's Microsoft's modus operandi. If the user requests a feature, they will usually find a way to bloat the code to add the feature, whether it's actually a good idea or not. Eudora and T-Bird have other reasons -- Eudora was written for a far more trusting world, and (afaik) still stores passwords totally insecurely (unlike ZCO), so they're going to let you uncheck that box. T-Bird, same reasons, plus it's a cross-platform product that cannot assume availability of things like the Windows CryptoAPI (or whatever they are marketing it as this month... probably CRYPTO.NET or LiveSecurity or something like that). Zimbra (fortunately!) has far fewer programmers than Microsoft, and Zimbra's programmers have a much higher average ability, so they need to prioritize features that actually make sense and lead to clean/correct/light/fast/bloat-free product.

The reason for "just because you are logged onto your computer, that you shouldn't have to type in your email password" is that the more times you are prompted for your password, the more likely you are to give your password to a malicious program or person to whom it should never be given. Single-login is not just a user convenience issue, it's a very real security issue. It must be done right, of course -- Windows 95 .PWL files got it very very wrong, but modern versions of Windows get it about as right as it's possible to get it.

Last edited by Rich Graves; 05-03-2007 at 08:17 AM..