Bug 174706 - SMTP password(s) should be optionally cached
Summary: SMTP password(s) should be optionally cached
Status: RESOLVED INTENTIONAL
Alias: None
Product: kdepimlibs
Classification: Applications
Component: mailtransport
Version: 4.1
Platform: unspecified Linux
Importance: NOR wishlist
Target Milestone: ---
Assignee: Tom Albers
Keywords: triaged
Reported: 2008-11-09 13:50 UTC by Malte S. Stretz
Modified: 2008-11-10 20:55 UTC

Description Malte S. Stretz 2008-11-09 13:50:46 UTC
Version:           1.10.1 (using 4.1.2 (KDE 4.1.2), Kubuntu packages)
Compiler:          cc
OS:                Linux (x86_64) release 2.6.27-7-generic

This is the counter-wish to bug 127762 :)

I've got my wallet configured so that the wallet is closed after 5 minutes.  The reason for this is a bit of paranoia:  Anybody walking by my machine when I went to fetch a coffee could click on the Wallet Manager in the tray and read all my passwords in plain text.

But:  KMail needs the passwords from the Wallet, especially for sending mail which I don't do every five minutes.  So almost each time I send a mail, I've got to enter the password for my wallet.

But I don't want to enter the wallet password that often (and wouldn't have to if KMail cached the password as it does with the IMAP one anyway), increasing the chance that somebody is peeking above my shoulder and remembers the keys I type.

I should only have to have the wallet open when I start up KMail or the first time KMail tries to access the resource in question.

Yes, of course somebody could send a mail in my name if KMail stays open and I'm gone without locking my machine.  But in my eyes that's not as bad as somebody knowing all my passwords.

So, to marry this wish with bug 127762:
1. Please make the usage/caching of passwords in KMail (and even all of the PIM suite) consistent:  Either always cache passwords or not.
2. For the paranoid, introduce an option which disallows caching of passwords in the PIM apps.  Though I don't see the advantage when there is already a persistent connection like IMAP, why not.  But make the caching of the SMTP passwords the default.

Maybe this is fixed already in Akonadi, I don't know :)
Comment 1 Jaime Torres 2008-11-10 19:52:55 UTC
This is a wishlist, so it is up to developers to implement it or not.

But general advice from the security point of view is to block the session when you go for a coffee; that way you can increase the inactivity time of kwallet and not be asked for the password every time you send a mail.

Also, you could configure kwallet to allow free access to kmail, but to ask a password for every other application (see kwallet preferences).

Sending a mail in your name could be as bad as knowing all your passwords, because:
* you could send a p0rn mail to your boss. 
* you could send an email to the competitors.
* .....

Best Regards.
Comment 2 Malte S. Stretz 2008-11-10 20:09:36 UTC
Access to my mail account only is not as bad as access to all my passwords.  And with the same argument you could say that access to my IMAP account (which includes a lot of personal information which can as well be used for a joe-job) is as bad as access to the SMTP as well so IMAP connections should be closed with the wallet.

Apart from that, KMail currently makes the complete option "Close when unused for N seconds" completely useless for me.  I admit though that locking the screen is the way to go, but then the whole option is useless as well :)

And nope, you can't configure KMail to have access to the wallet without a password while everybody else requires a password.  That's technically impossible.  All you can decide is whether an application has access at all.
Comment 3 Tom Albers 2008-11-10 20:12:28 UTC
KWallet gives you the possibility to give access to certain applications. I think that covers most of this wish. It is far better than applications caching passwords. If KWallet does not fulfill your wish, please report a bug against it with a clear idea how to solve it.

Thanks, Jaime, for your reply.
Comment 4 Malte S. Stretz 2008-11-10 20:34:03 UTC
Well, thanks for the reply.  As I wrote before, I don't really see the difference between caching the IMAP password (or using a persistent connection) and caching the SMTP password.  Hmmm... would you accept a patch for persistent SMTP connections? :)

KWallet only allows you to completely disallow applications from accessing the wallet; once allowed, e.g. KWalletManager, it has access (or the user can simply change the config to make it allowed).  Everything else is technically impossible and I doubt I can file a sane report against KWallet for this.

But in the end it's your decision, so I've got to work around KMail's shortcomings.

I can't just work around the problem by using sendmail because I've gotta save the password in plain on the harddisk then, making the treatment for the symptom worse than it was without it.

I guess I'll just disable the "Close when unused for N seconds" feature in KWallet again.  That's unfortunate because I lose some security. But typing in the wallet password all the time just gets on my nerves.  And is actually less secure than caching the password because each time I type the password somebody could peek above my shoulder while getting his hands on the password stored in RAM is a lot harder.
Comment 5 Tom Albers 2008-11-10 20:55:45 UTC
Your wish is valid, but we differ about where to fix it. I think the password handling belongs to KWallet, so if there is an option that you miss in KWallet it should be fixed up there. It is not up to each and every application to reimplement password handling. So I really would like you to think about an option for KWallet that solves it for you. I know you can have different wallets in there, but I don't know if that could solve it. 

There is some Bluetooth proximity software, which locks the screen when you move away from your computer; maybe that's a nice tip too.