App Passwords per mailbox
-
When using an App Password for a Group mailbox, it effectively also could be used for access to the main user mailbox too.
I'm not too sure on the best solution, perhaps app passwords per-mailbox?
The point is that currently they could provide a false sense of security, especially if saved into a DB that doesn't store encrypted or the app passwords are shared for a group mailbox setup without realising they can provide access to any of that user's permitted mailboxes.
Personal mailboxes are a high-value attack vector for their ability to then reset any passwords connected to that email, hence I think this needs a bit more thought.
-
When using an App Password for a Group mailbox, it effectively also could be used for access to the main user mailbox too.
I'm not too sure on the best solution, perhaps app passwords per-mailbox?
The point is that currently they could provide a false sense of security, especially if saved into a DB that doesn't store encrypted or the app passwords are shared for a group mailbox setup without realising they can provide access to any of that user's permitted mailboxes.
Personal mailboxes are a high-value attack vector for their ability to then reset any passwords connected to that email, hence I think this needs a bit more thought.
@marcusquinn I think a good way to go about this is to keep the top level app passwords but add the ability to restrict them to specific apps/api endpoints/mailboxes one has access to.
Hello! It looks like you're interested in this conversation, but you don't have an account yet.
Getting fed up of having to scroll through the same posts each visit? When you register for an account, you'll always come back to exactly where you were before, and choose to be notified of new replies (either via email, or push notification). You'll also be able to save bookmarks and upvote posts to show your appreciation to other community members.
With your input, this post could be even better 💗
Register Login