undefined | Better HN

0 pointsjamesgeck09y ago0 comments

I don't think the free version of Nylas Mail is storing IMAP passwords, plaintext or otherwise. For Gmail, at least.

1. You never enter them into the client. It uses Oauth to authenticate.

2. By the comment here, it seems that they're using Google's Gmail API. https://news.ycombinator.com/item?id=13417904

0 comments

Oh, it does save the password.

Oauth makes sense that there's no password saved. A unique key is saved which is authenticated with Google. If this key leaks, you are hosed, too, but at least you can revoke that key.

I tried grep mypasswd ~/.nylas-mail/* and grep said Binary file shared.sqlite matches. This did not occur in ~/.nylas it makes sense and it is inevitable, a client like Thunderbird suffers from the same.

It can be circumvented by saving the password encrypted and decrypting it using a master password. That is akin to how LastPass and Mozilla save their cloud data.

Using containers etc would also lower the threat.

In a way its good the password is saved locally. The engine also runs locally. It moves the threat model to the client, away from Nylas servers. Kudos.

j / k navigate · click thread line to collapse