[offlineimap] offlineimap is outputting your password in clear in logs (#266)
notifications at github.com
Tue Nov 3 05:29:07 GMT 2015
This is a pretty bad habit and is unnecessary, even in debug mode.
This would avoid people getting their credentials posted on the net when wanting to help (cf. #198). Nor would people catch the password on your screen as you scan through your log, nor would it prevent you from storing full IMAP logs over a long period for whatever rare bug you are chasing, etc. If there is a need to show this content for debugging, I guess it should be activated manually by uncommenting a line in the code, to show that you know exactly what you want to see.
The whole security of a system is lowered to the weakest link. Please don't let ``offlineimap`` be this link here.
I generally assume that logs SHOULD NOT contain plain text passwords.
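One way to keep credentials out of debug output, as an added example that is not part of the original message and not offlineimap's own code: a Python `logging.Filter` that masks the password argument of an IMAP `LOGIN` command and the inline response of `AUTHENTICATE` before a record reaches a handler. The log lines, logger name, and class and function names are constructed for illustration.

```python
import logging
import re

# IMAP "astring": a quoted string (backslash escapes allowed) or a bare atom.
_ASTRING = r'(?:"(?:[^"\\]|\\.)*"|[^\s"]+)'
# <tag> LOGIN <user> <password>
_LOGIN = re.compile(r'(\S+\s+LOGIN\s+' + _ASTRING + r'\s+)' + _ASTRING, re.I)
# <tag> AUTHENTICATE <mechanism> <base64 initial response>
_AUTH = re.compile(r'(\S+\s+AUTHENTICATE\s+\S+\s+)\S+', re.I)

def redact(line):
    """Mask credentials in one logged IMAP line; errs toward over-redaction."""
    line = _LOGIN.sub(r'\1<redacted>', line)
    return _AUTH.sub(r'\1<redacted>', line)

class RedactCredentials(logging.Filter):
    """Rewrite the fully formatted message so %-style args are covered too."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()
        return True

class ListHandler(logging.Handler):
    """Collects emitted messages in memory (stands in for a file handler)."""
    def __init__(self):
        super().__init__()
        self.lines = []
    def emit(self, record):
        self.lines.append(record.getMessage())

# Constructed sample commands, not taken from any real session.
SAMPLE = [
    'A001 LOGIN "alice" "s3cr3t pass"',
    'A002 AUTHENTICATE PLAIN AGFsaWNlAGh1bnRlcjI=',
    'A003 SELECT INBOX',
]

def demo():
    """Log the samples at DEBUG level and return what the handler received."""
    handler = ListHandler()
    handler.addFilter(RedactCredentials())
    log = logging.getLogger("redact-demo")  # hypothetical logger name
    log.handlers, log.propagate = [handler], False
    log.setLevel(logging.DEBUG)
    for cmd in SAMPLE:
        log.debug("imap: > %s", cmd)
    return handler.lines

if __name__ == "__main__":
    print("\n".join(demo()))
```

Attaching the filter to the handler rather than to a single logger means records from child loggers are covered as well. A SASL response sent on its own continuation line, after a server `+` prompt, carries no command keyword and is not matched by these patterns.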