GNOME Bugzilla – Bug 633702
Forget password when saving account without "Remember password"
Last modified: 2010-12-08 17:51:21 UTC
I have "Remember password" (Edit/Preferences/Mail Accounts/Edit/Receiving Email) unchecked, but Evolution still remembers my IMAP password. See, for example, this tcpdump extract:
    E..M.D@.@.....*..T.Y......<........?~.......h.!V#o.A00001 LOGIN roy <password elided>
I suspect what may be going on is that if you ever check "remember password", it writes it out to some config file, and then unchecking the box doesn't erase it. I have not verified this, but I also believe the same thing is happening with SMTP passwords. This should be treated as a critical security issue.
Thanks for the bug report. Unchecking the option from account preferences is just a hint for Evolution. Maybe it can erase its passwords when this is unchecked, but it's always not doable. Do invoke File->Forget passwords.
"Just a hint"? I'm sorry, but that's not a valid response to a security issue like this. When I unchecked that box, my intent was that I was revoking access to my mail until I could re-enter my password. I think any reasonable person would interpret not checking "remember password" as being equivalent to saying "forget password". That you should have to go into some other menu and find an explicit "forget password" command is absurd. I don't understand why erasing the stored password when the box is unchecked is "not doable". I reiterate that this should be treated as a critical security bug. If it's "working as designed", then it's a critical security-related design bug.
Created attachment 176079 evo patch for evolution; When saving changes on an account, and the "Remember password" option differs, then it tries to remove the password from the passwords store, thus on the next start the user is asked to enter it again.
Created commit 4b58f11 in evo master (2.91.4+)