
Thread: Disable saved password?

  1. #1 Rich Graves, Outstanding Member (Minnesota; joined Jan 2007; 718 posts)

    Disable saved password?

    The Outlook Connector defaults to saving the user's password, and I can't find a way to stop this.

    Yes, I know that all synchronized email is stored on disk in the clear, but passwords work for things other than email, so there's still an added risk.

    Am I missing something?

  2. #2 sam, Zimbra Employee (joined Aug 2005; 821 posts)

    Why do you need to stop this? What is the security concern?

    ZCO takes the password and encrypts it using the key for the currently logged-on Windows user. The encrypted password is stored in the profile. When it needs to access the password, it reads the encrypted data from the profile and attempts to decrypt it using the key for the currently logged-on Windows user. If the decryption is successful, the password is transmitted to the Zimbra server.
    Sam Khavari

  3. #3 Rich Graves, Outstanding Member (Minnesota; joined Jan 2007; 718 posts)

    That sounds good. I've had bad experience with programs that save passwords without meaningful encryption (ws-ftp, mozilla thunderbird where a "master password" is not used), but if you're encrypting with the logged-in user's password and using the standard crypto APIs appropriately then that should be fine.

    Small concern about students with non-domain computers whose local login password is weaker than their email password... but they're not likely to be using the outlook connector, and their password is probably just as easy to obtain elsewhere.

  4. #4 Rich Graves, Outstanding Member (Minnesota; joined Jan 2007; 718 posts)

    Just so I can check this off for good... what crypto algorithm? I'm assuming reasonable use of 3DES/RC5/AES since Windows makes it so easy, but since we don't have the source code (we don't, right?), we just have to trust you.

  5. #5 sam, Zimbra Employee (joined Aug 2005; 821 posts)

    It uses Triple DES and appends a SHA-1 HMAC so we can identify data tampering. ZCO uses the CryptProtectData & CryptUnprotectData calls. The complete details are available here:

    http://msdn2.microsoft.com/en-us/library/ms995355.aspx
    Sam Khavari

  6. #6 Rich Graves, Outstanding Member (Minnesota; joined Jan 2007; 718 posts)

    The threat I'm worried about is trojans that enumerate and compromise the password list. The .edu community is seeing a fair number of targeted attacks on financial officers. Word zero-day exploits purporting to be complaints from parents, etc.

    Do you use pOptionalEntropy? To the limited extent I understand it, that seems to provide nominal protection. The attacker would need to target ZCO specifically, not just Windows.
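
    The mechanism sam describes in #2 and #5, and the pOptionalEntropy question raised in #6, in one added example. This is not ZCO's code, and whether ZCO passes any entropy is not known from this thread; the secret and the entropy string below are constructed for the demo. It uses the .NET ProtectedData wrapper over CryptProtectData/CryptUnprotectData, so it runs as-is in PowerShell on Windows. One caveat on #5: the 3DES/SHA-1 combination was DPAPI's default at the time of this thread; Windows Vista and later default to AES-256 with SHA-512, but the API and the behaviour shown here are unchanged.

```powershell
# Added example, not ZCO code: protect a secret under the logged-on user's DPAPI key,
# with and without optional entropy, and show what the failure modes look like.
Add-Type -AssemblyName System.Security

$scope   = [Security.Cryptography.DataProtectionScope]::CurrentUser
$secret  = [Text.Encoding]::UTF8.GetBytes('correct horse battery staple')   # constructed sample password
$entropy = [Text.Encoding]::UTF8.GetBytes('example-app-entropy-not-ZCO')     # hypothetical application entropy

# 1. What #2 describes: bound only to the user's master key. Any process running as this
#    user, a trojan included, can call Unprotect and recover the plaintext.
$blobNoEntropy = [Security.Cryptography.ProtectedData]::Protect($secret, $null, $scope)

# 2. With pOptionalEntropy (the optionalEntropy parameter here): the blob is bound to the
#    user's key AND to these extra bytes, so generic "dump every DPAPI blob" tooling also
#    needs to know the application's entropy value.
$blobEntropy = [Security.Cryptography.ProtectedData]::Protect($secret, $entropy, $scope)

# Round trip with the correct entropy, as the owning application would do at startup.
$plain = [Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $entropy, $scope)
"Recovered: $([Text.Encoding]::UTF8.GetString($plain))"

# Wrong (here: missing) entropy. The derived key differs, the appended HMAC check fails,
# and CryptUnprotectData reports an error. A different Windows user, or the same user
# after an offline password reset that lost the master key, sees the same exception.
try {
    [Security.Cryptography.ProtectedData]::Unprotect($blobEntropy, $null, $scope) | Out-Null
    'UNEXPECTED: decrypted without entropy'
} catch [Security.Cryptography.CryptographicException] {
    "Unprotect without entropy failed as expected: $($_.Exception.Message)"
}

# Tampering: flip one bit of the stored blob. The HMAC that #5 mentions rejects it rather
# than returning garbage plaintext.
$tampered = [byte[]]$blobNoEntropy.Clone()
$tampered[$tampered.Length - 1] = $tampered[$tampered.Length - 1] -bxor 0x01
try {
    [Security.Cryptography.ProtectedData]::Unprotect($tampered, $null, $scope) | Out-Null
    'UNEXPECTED: tampered blob accepted'
} catch [Security.Cryptography.CryptographicException] {
    "Tampered blob rejected: $($_.Exception.Message)"
}
```

    The entropy only raises the bar in the way #6 anticipates: it has to be stored somewhere the application can read it (usually in the binary), so an attacker who targets this specific application can extract it, while tooling that merely harvests every DPAPI blob under the user's profile cannot. It is not a substitute for the user's key, and it does nothing against malware that simply waits for the application to decrypt the secret and then reads process memory.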

  7. #7 pfefferc, Senior Member (joined Jan 2007; 58 posts)

    I would like to see an option to disable saved passwords. The reason I would like it is for example, a user gets up and goes away from their desk or forgets to logoff/lock their computer, anyone can just sit down (assuming Outlook isn't open yet) and open up Outlook and get to all of their mail, whereas if they had to enter a password, it wouldn't be so easy.

  8. #8 Rich Graves, Outstanding Member (Minnesota; joined Jan 2007; 718 posts)

    That's a use case I don't find compelling. If you're concerned about people leaving themselves logged on without screen locking, and humans walking up to their computers and messing around, then the appropriate responses include the following: Windows group policy (or local security policy) requiring a locking screensaver; self-closing, self-locking office doors; smart cards and/or prox cards and/or biometrics (but if you're that paranoid, you already have these things); security cameras; security guards; controlled building access.

    If you assume physical access, then the only things that are going to help you are a large number of security guards (to catch the attacker in the act) or full-disk encryption, which very recently became practical. The US federal government has an open RFP for full-disk encryption solutions that makes very interesting reading.

    My concern is trojan or remote access to stored passwords not by humans, but by moderately sophisticated programs (which, please note, no longer implies a moderately sophisticated attacker; script kiddies can do it). My concern about how the passwords are stored in the Zimbra Outlook Connector has been answered (mostly; I still have one outstanding question above).

    Assuming that the credentials cache is handled reasonably, and I am aware of many examples where it has not been handled reasonably, I would strongly argue that single-login systems improve security by raising the bar in the user's mind for who and what is allowed to prompt for a password. When different UIs are popping up password prompts right and left, the user is highly susceptible to password-stealing trojans.
    Last edited by Rich Graves; 05-03-2007 at 06:39 AM.
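
    The first control on the list above, a policy-enforced locking screen saver, as an added audit example (not from the thread, not a Zimbra tool). The registry paths are the standard Group Policy mappings for User Configuration > Administrative Templates > Control Panel > Personalization; the 15-minute threshold is an assumption you would set to match your own policy.

```powershell
# Added example: report whether a locking screen saver is enforced by policy for the
# current user, distinguishing "enforced" (policy key present, user cannot change it)
# from "merely configured" (only the user's own preference is set).
function Test-LockingScreenSaverPolicy {
    param([int]$MaxTimeoutSeconds = 900)   # assumed threshold: 15 minutes

    $policyPath = 'HKCU:\Software\Policies\Microsoft\Windows\Control Panel\Desktop'
    $userPath   = 'HKCU:\Control Panel\Desktop'

    function Get-RegValue([string]$Path, [string]$Name) {
        try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
        catch { $null }
    }

    # Policy values take precedence over the user's preferences; only fall back to the
    # user hive to report what is in effect, never to claim enforcement.
    $active  = Get-RegValue $policyPath 'ScreenSaveActive'
    $secure  = Get-RegValue $policyPath 'ScreenSaverIsSecure'
    $timeout = Get-RegValue $policyPath 'ScreenSaveTimeOut'
    $enforced = ($null -ne $active) -and ($null -ne $secure) -and ($null -ne $timeout)

    if (-not $enforced) {
        $active  = Get-RegValue $userPath 'ScreenSaveActive'
        $secure  = Get-RegValue $userPath 'ScreenSaverIsSecure'
        $timeout = Get-RegValue $userPath 'ScreenSaveTimeOut'
    }

    $timeoutSec = 0
    [void][int]::TryParse([string]$timeout, [ref]$timeoutSec)

    [pscustomobject]@{
        EnforcedByPolicy = $enforced
        Active           = ($active -eq '1')
        LocksOnResume    = ($secure -eq '1')
        TimeoutSeconds   = $timeoutSec
        # Compliant only if enforced, active, locking, and within the assumed timeout.
        Compliant        = $enforced -and ($active -eq '1') -and ($secure -eq '1') -and
                           ($timeoutSec -gt 0) -and ($timeoutSec -le $MaxTimeoutSeconds)
    }
}

Test-LockingScreenSaverPolicy
```

    A user-hive-only result means the user can turn the lock off; only the policy hive shows that an administrator has taken the choice away, which is the point of the argument above.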

  9. #9 pfefferc, Senior Member (joined Jan 2007; 58 posts)

    Well, I was just using that as an example. I don't think just because you are logged onto your computer, that you shouldn't have to type in your email password. Heck, I believe Exchange lets you disable this option, why not Zimbra? Every email program I have used, Thunderbird, Eudora, etc., has the option of whether you want to save your password or not. I think administrators/users should have the option to choose which one they prefer.

  10. #10 Rich Graves, Outstanding Member (Minnesota; joined Jan 2007; 718 posts)

    I understand that's just an example. If you want to prioritize this in any way, come up with a better example.

    Sorry if this rant sounds like it's directed at you. It's directed at the software industry more generally.

    Password prompts for desktop email programs may be considered what Schneier calls "security theatre." Think of actual attacks and actual ways to deter, detect, and defeat them. Of course Microsoft lets you require passwords to open Outlook against Exchange, even when you are logged on to the same Windows domain as the Exchange server and have cached Kerberos credentials (which you can't turn off) allowing secure single-logon. That's Microsoft's modus operandi. If the user requests a feature, they will usually find a way to bloat the code to add the feature, whether it's actually a good idea or not. Eudora and T-Bird have other reasons -- Eudora was written for a far more trusting world, and (afaik) still stores passwords totally insecurely (unlike ZCO), so they're going to let you uncheck that box. T-Bird, same reasons, plus it's a cross-platform product that cannot assume availability of things like the Windows CryptoAPI (or whatever they are marketing it as this month... probably CRYPTO.NET or LiveSecurity or something like that). Zimbra (fortunately!) has far fewer programmers than Microsoft, and Zimbra's programmers have a much higher average ability, so they need to prioritize features that actually make sense and lead to clean/correct/light/fast/bloat-free product.

    The reason for "just because you are logged onto your computer, that you shouldn't have to type in your email password" is that the more times you are prompted for your password, the more likely you are to give your password to a malicious program or person to whom it should never be given. Single-login is not just a user convenience issue, it's a very real security issue. It must be done right, of course -- Windows 95 .PWL files got it very very wrong, but modern versions of Windows get it about as right as it's possible to get it.
    Last edited by Rich Graves; 05-03-2007 at 07:17 AM.
