Welcome to the mailbox user forum
 

App Passwords and Email Passwords Are Weak

Maximus shared this problem 2 months ago

Let me build a logical case here.

1. First, I appreciate that Mailbox has implemented App and Email Passwords for greater login tracking, compartmentalization, and protection of a customer's main account password.

2. However, customers have no control over choosing strong, unique, and not easily crackable passwords for either Apps or Email clients.

3. Instead, customers are assigned short, uncomplicated, and formulaic passwords that anyone with a free account can see the basic layout for (user name is ___@___, passwords are small without complex characters and I'll leave it there for obvious reasons).

4. To make matters worse, there is no 2FA protection for these perplexingly short and basic App and Email passwords.

5. Anyone from beginner hackers to state actors now has powerful software and artificial intelligence at their disposal, which lets the computer easily do all the guesswork and quickly break weak passwords or guess predictable usernames.

6. The obvious solution is to either 1) massively expand the default assigned length and complexity of the passwords generated by Mailbox for users, or 2) allow users to do that themselves.

7. Right now, weirdly, using your main uber strong account password is more secure than using a bunch of weak app passwords. I don't think we should need to settle for a compromise between security and convenience when a solution for both could be so easily attained with some basic upgrades.

8. Finally, while most people don't consider things like this, and it admittedly falls in the higher threat models, in Settings > Privacy > Personal Data Access, everyone's App Password username is right there for Big Brother or his friends to demand or steal at will. What's the big deal? Your email address is there too, right? Well, once someone has your UID (App Password username), one way or another, guessing every password associated with it and gaining access to all your data is easy because these passwords are so inherently weak.

My post script is as follows: If I'm correct about any or all of this, it may be 100% on Open-Xchange, as they are the software developer and Mailbox collaborates with them as a provider. I really appreciate the service Mailbox offers (see my previous post for why) and hope this can be taken as a constructive critique. And...if I'm wrong about any or all of this, I'm happy to learn why. 🙂

Replies (3)

1

Additionally, I would like to be able to set up a separate password for an email app. Since an app may be compromised at any time, a separate (from the administrative account) password is the right approach to increase privacy and security.

I do not feel comfortable using my main password which covers my personal and payment data along with all mail and the file storage outside my specially designed private and secure environment.

1

Was Login 2.0 already enabled for your account? Have you enabled two-factor authentication? Then you must create e-mail app passwords for IMAP/SMTP.
I am not entirely happy with the new Login 2.0 but I don't consider e-mail app passwords weak. Application passwords for CalDAV, CardDAV, WebDAV, etc. should be improved and I don't like the username (number@number). But being able to set your own passwords would be great!

I guess two factor authentication for mail clients (IMAP4/SMTP) is a bit impractical.
No idea if they plan to add OAUTH2, passkeys, etc.

1

I do not have Beta enabled. I probably should switch to beta (as soon as it is available) if this allows creating email passwords. Thank you for the hint.

1

Login 2.0 is no longer a Beta feature and it's being rolled out to customers. Maybe mailbox.org Support can enable it for you.

Settings -> mailbox.org -> E-Mail app passwords.


1

Do they have a progress report on Login 2.0 rollout? I remember the blog post, but I've heard nothing since.

1

Hilarious. Two days after posting above, I get an "upgrade in the next few days" message. Maybe coincidence; maybe not.

2

Now this: "the support of mailbox just confirmed that anybody who has access to the IMAP Application Password or an existing IMAP Access can reset the password with a reset link to the inbox that automatically deactivates 2FA. This means that a strong password and 2FA can be easily bypassed. The attacker would only need the IMAP password, which cannot even be created by the user. This is shocking for a mail provider that claims to be secure. Even GMX, a non-private mail provider with a mixed reputation, handles this better: when access to IMAP exists, the user would still need the 2FA code to reset the password." https://discuss.privacyguides.net/t/mailbox-org-with-severe-authentication-vulnerability-through-password-reset/31846

1

Yes, sadly. Now the whole authentication is stripped down to a single IMAP password. Strong password? Doesn't matter. Enabled 2FA? Doesn't matter. I raised this point in the German-speaking user forum; I really hope they take this seriously, since this is an absolute no-go for a provider that claims to be secure.

1

Hello,

Thank you for your feedback! We understand your concerns about our current password reset logic and would like to explain the background. Our goal is to provide a practical and user-friendly way to regain access to your account even if you lose the second factor (e.g., lost smartphone, deleted authenticator app, defective hardware token). Without a way to authenticate using an existing IMAP/POP app password, there is a risk that users will lock themselves out permanently. Lost 2FA should not result in permanent account loss.

However, we are aware that this is not the perfect solution. Therefore, we will implement an option as soon as possible that allows you to choose whether or not you can disable 2FA by resetting your password. In this case, it will no longer be possible to disable two-factor authentication by resetting your password. We will start planning immediately, but we cannot yet predict exactly how long the implementation will take. We therefore ask for your patience.

Thank you very much for your comments and critical discussion of this issue.

Best regards,

Your mailbox team



3

Hello everyone,

First of all, thank you for your patience. We would like to inform you that we have implemented the requested change to the password reset process.

We originally introduced the option “Password reset to your own address” to enable our customers to continue accessing their data even if they lost a second factor. The complete loss of all access options—and thus possibly also all data and the ability to reset passwords for other services—poses a considerable risk for many. For this reason, we deliberately chose to include this feature.

However, we understand your concerns very well and have now made a change:

You can now deactivate the 'Password reset to your own email address' option under

'All settings' > 'Security' > 'Password reset'.

In this case, it will no longer be possible to reset your password via your own address.

Here is a screenshot of the new feature:


Thank you for the lively discussion and your valuable feedback—both help us greatly in continuously improving mailbox. We would appreciate your feedback on this new feature as well.

Best regards,

Your mailbox team



1

Great, it would be nice if these updates had a dedicated place where they could be read.

In my opinion, a “changelog” section under help (see screenshot) would be perfect for communicating fixes or minor adjustments that are not significant enough to be included in the “updates” but are still worth reading.

1

It's good that mailbox always throws out the line, "We therefore ask for your patience", seeing that it takes them weeks, months, years to make any corrections.

1

Instead, customers are assigned short, uncomplicated, and formulaic passwords

The current password schema generates 16 lowercase Latin letters, resulting in an entropy of more than 75 bits. This kind of password, especially if the letters are totally random, is considered strong.
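As an added illustration of the entropy claim in this last comment (example code, not from mailbox.org or any forum participant), the following Python computes the entropy of the described 16-lowercase-letter schema, generates a password under it with the OS CSPRNG, and estimates brute-force time at an assumed guess rate; the 1e12 guesses/second figure and the two alternative schemes are assumptions added for comparison.

```python
import math
import secrets
import string

# Schema described in the comment above: 16 random lowercase Latin letters.
APP_PASSWORD_ALPHABET = string.ascii_lowercase
APP_PASSWORD_LENGTH = 16

def entropy_bits(alphabet_size: int, length: int) -> float:
    """Entropy in bits of `length` symbols drawn uniformly at random."""
    return length * math.log2(alphabet_size)

def generate_app_password(length: int = APP_PASSWORD_LENGTH,
                          alphabet: str = APP_PASSWORD_ALPHABET) -> str:
    """Generate a password under the schema using the OS CSPRNG (secrets).
    The entropy figure only holds if every symbol is chosen uniformly and
    independently; a formulaic generator would yield far less."""
    return "".join(secrets.choice(alphabet) for _ in range(length))

def matches_schema(password: str) -> bool:
    """Check that a password has the schema's length and alphabet."""
    return (len(password) == APP_PASSWORD_LENGTH
            and all(c in APP_PASSWORD_ALPHABET for c in password))

def expected_crack_years(bits: float, guesses_per_second: float) -> float:
    """Expected brute-force time for a uniformly random secret of `bits`
    entropy: on average half the keyspace must be tried."""
    return 2 ** (bits - 1) / guesses_per_second / (365.25 * 24 * 3600)

def compare_schemes() -> dict:
    """Entropy of the mailbox.org schema next to two assumed alternatives."""
    schemes = {
        "16 lowercase letters": (26, 16),
        "16 letters, mixed case + digits": (62, 16),
        "12 printable ASCII characters": (94, 12),
    }
    return {name: round(entropy_bits(a, n), 1) for name, (a, n) in schemes.items()}

if __name__ == "__main__":
    pw = generate_app_password()
    bits = entropy_bits(len(APP_PASSWORD_ALPHABET), len(pw))
    print(pw, matches_schema(pw), f"{bits:.1f} bits")
    # Assumed (illustrative) offline rate of 1e12 guesses/s against a fast hash.
    print(f"{expected_crack_years(bits, 1e12):,.0f} years expected")
    print(compare_schemes())
```

The crack-time estimate assumes an offline attack against a fast hash; a server-side rate limit on IMAP/SMTP logins makes online guessing far slower than this figure.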
