2

The situation comes down to this:

  • When I enter in hotmail, it retrieves my messages connecting to other providers: they could only do so by using my email and password.
  • Since I had signed in a couple of days ago, I do not need to put my email/password again: hotmail doesn't know any secret about me/this specific session.

From these points, I can only infer:

  • They store a master password derived from my original password in my cookies. Thus, when I come back, they use that to decrypt the emails.
  • They have it stored using a master, per-site password.

However, both of the solutions seem really weak. Any idea on how to implement a secure, cookie persistent connection and encrypting passwords?

Note: please read this question from me about why I'm saying encrypt and not hash passwords.

Francisco Presencia
  • 685
  • 1
  • 6
  • 20
  • 3
    I'm not sure why you think it's "not in the database". I'm pretty sure it is, because they retrieve the mail for you all the time, even if you log in from another computer. – David Jul 15 '14 at 22:50
  • I'm just saying that there's the possibility that the master passwords is derived from my main password and stored in cookies; so it can be retrieved from cookies OR when I log in. – Francisco Presencia Jul 16 '14 at 06:49

3 Answers3

1

You seem to talk about two different things: retrieving mail and encrypting mail. From reading the question I think encryption is not what this is about. So for now I forget about it.

When you login to Hotmail or Gmail via your browser, you use your login. It looks like you have more email addresses and possibly popboxes. Now it depends on how you setup those other addresses.

Example

  • Hotmail: fpresencia1990@hotmail.com
  • Alias: presencia2@myprovider.com
  • Popbox: franpres22198@myprovider.com

The alias forwards mail sent to it automatically to the forward address. This can be the popbox by the same provider, or it can be any other address like your hotmail. The popbox now has an ugly name. It could have a nice name as well, or the same name as the alias, in which case the alias would not exist.

Situations

  1. The alias forwards to Hotmail directly - no login required by Hotmail.
  2. The alias forwards to the popbox, which forwards to Hotmail - no login required by Hotmail.
  3. The alias forwards to the popbox, and Hotmail fetches the mail from the popbox by pop3. Hotmail needs the popbox login, which you enter only one time, and stores this permanently on its own servers. Nothing is stored in a cookie on your computer. You can check this by logging into Hotmail on another computer where you never used to enter the popbox credentials.
SPRBRN
  • 7,449
  • 6
  • 35
  • 37
  • *Hotmail needs the popbox login, which you enter only one time, and stores this permanently on its own servers* **This is exactly what I meant to say**. How do they store my credentials securely on its own server? That was my question, I'm sorry for making it confusing – Francisco Presencia Oct 16 '14 at 18:24
  • I have no idea how they store it, but if they encrypt it, they have to be able to decrypt it as well to use it. – SPRBRN Oct 16 '14 at 21:59
  • That was basically the question, what method/way do they use to encrypt/decrypt them... – Francisco Presencia Oct 16 '14 at 22:09
  • 2
    How would I know? You can only hope that they will encrypt it, and that they will alert you to change passwords when the database is stolen. – SPRBRN Oct 17 '14 at 07:42
  • If in doubt, assume they don't encrypt it. – Josef Feb 04 '16 at 13:01
0

Are you asking how one email service provider can collect and cosolidate mail from other services into one mail box? Well, pretty much the same way you yourself login in most services: no they don't store your password on their end or in cookies. They store session ID or other security token instead.

Just like your browser gets such token on login and sends it back to site to allow you to login next day without typing your name and password, collecting service can use such token to issue commands to other email providers on your behalf after authenticating just once.

Oleg V. Volkov
  • 799
  • 5
  • 11
0

When you log into Hotmail through a web browser, it retrieves any email associated with that mail-box. Even if you've specifically set up email forwarding, aliasing or mail-box integration, then it is only ever connecting and authenticating to one server and one mail-box.

When you specifically link your mail-box with another mail-box (or address in the case of aliasing) , services like Hotmail used to enable cross-account identities which would allow you to switch between or gather emails from your different mail-boxes. (They have since stopped this because it was a minor security issue.)

I'm not sure about the validity of cross-service mail-boxes (For example a Hotmail account integrated with a Gmail mail-box.) It doesn't seem possible to me (without setting up mail forwarding or consistent authentication by the client or the host service provider. Microsoft in this case, would need to validate your connection to Gmail every time it wanted to retrieve your mail and it would need to do this with a plain-text password.)

However, if you have an independent mail application and have set up mail-box integration between services , providing authentication for all of them, then this simply uses your authentication information for each service when retrieving mail.

Corinthius
  • 11
  • 1