App Passwords per mailbox
-
When using an App Password for a Group mailbox, it could effectively also be used to access the main user mailbox.
I'm not too sure on the best solution, perhaps app passwords per-mailbox?
The point is that currently they could provide a false sense of security, especially if they are saved into a DB that doesn't store them encrypted, or if the app passwords are shared for a group mailbox setup without realising that they can provide access to any of that user's permitted mailboxes.
Personal mailboxes are a high-value attack vector for their ability to then reset any passwords connected to that email, hence I think this needs a bit more thought.
-
@marcusquinn I think a good way to go about this is to keep the top-level app passwords but add the ability to restrict them to specific apps/API endpoints/mailboxes one has access to.
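To make the two posts concrete, here is an added example (not code from the project this thread belongs to) of what "restrict an app password to specific mailboxes/services" looks like at the authorization check. The data model, the `USER_MAILBOXES` table, the `example.test` addresses and the `imap`/`smtp` service names are all constructed for the illustration. An app password with no scope behaves like today's top-level password and reaches every mailbox its owner is permitted to use; a scoped one is denied outside its scope, so a password handed out "for the group mailbox" can no longer be replayed against the personal mailbox.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Optional

# Constructed sample data: which mailboxes each account may reach
# (its own mailbox plus any shared group mailboxes it has been granted).
USER_MAILBOXES: Dict[str, FrozenSet[str]] = {
    "alice@example.test": frozenset({"alice@example.test", "support@example.test"}),
}

PBKDF2_ROUNDS = 50_000  # kept modest so the example runs quickly


@dataclass
class AppPassword:
    owner: str
    salt: bytes
    digest: bytes
    mailboxes: Optional[FrozenSet[str]]  # None = unscoped, i.e. today's behaviour
    services: FrozenSet[str]             # e.g. {"imap", "smtp"}


# Hypothetical store: only salted hashes are kept, never the secret itself.
STORE: Dict[str, List[AppPassword]] = {}


def _derive(secret: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, PBKDF2_ROUNDS)


def create_app_password(owner, mailboxes=None, services=("imap", "smtp")):
    """Issue an app password for `owner`, optionally restricted to a subset
    of the mailboxes the owner is permitted to reach. The secret is returned
    once and cannot be recovered from the store afterwards."""
    if mailboxes is not None:
        not_permitted = set(mailboxes) - USER_MAILBOXES[owner]
        if not_permitted:
            raise ValueError(f"owner has no access to {sorted(not_permitted)}")
    secret = secrets.token_urlsafe(24)
    salt = secrets.token_bytes(16)
    record = AppPassword(owner, salt, _derive(secret, salt),
                         None if mailboxes is None else frozenset(mailboxes),
                         frozenset(services))
    STORE.setdefault(owner, []).append(record)
    return secret


def authenticate(owner, secret):
    """Return the matching record, or None. Every stored hash is checked with
    a constant-time comparison so a wrong secret leaks nothing by timing."""
    found = None
    for record in STORE.get(owner, []):
        if hmac.compare_digest(_derive(secret, record.salt), record.digest):
            found = record
    return found


def authorize(record, mailbox, service):
    """Decide whether an authenticated app password may use `service`
    (imap/smtp/...) on `mailbox`. Deny is the default."""
    if record is None or service not in record.services:
        return False
    if mailbox not in USER_MAILBOXES[record.owner]:
        return False
    if record.mailboxes is None:
        return True  # unscoped: every mailbox the owner can reach
    return mailbox in record.mailboxes


def demo():
    """Contrast an unscoped app password handed out 'for the group mailbox'
    with one scoped to that mailbox (and to IMAP) only."""
    alice = "alice@example.test"
    unscoped = create_app_password(alice)
    scoped = create_app_password(alice, mailboxes={"support@example.test"},
                                 services=("imap",))
    return {
        "unscoped_reaches_personal": authorize(authenticate(alice, unscoped), alice, "imap"),
        "scoped_reaches_group": authorize(authenticate(alice, scoped), "support@example.test", "imap"),
        "scoped_reaches_personal": authorize(authenticate(alice, scoped), alice, "imap"),
        "scoped_wrong_service": authorize(authenticate(alice, scoped), "support@example.test", "smtp"),
        "bad_secret_rejected": authenticate(alice, "not-the-secret") is None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The scope is enforced at authorization time against the same permission table used to issue the password, so a scope can never be wider than what the owner already holds, and the default when a scope is present is deny. Storing only a salted PBKDF2 hash addresses the other concern in the thread: a database dump yields no reusable app passwords.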