
Eudora security vulnerable

Qualcomm is warning users of its popular email software not to save their passwords because of programs designed to decrypt them.

Paul Festa Staff Writer, CNET News.com
Paul Festa covers browser development and Web standards.
Qualcomm is warning users of its popular Eudora email software not to save their passwords on their computers because of the ease with which programs can be designed to decrypt them.

One such program, known as Eudpass.com and available on the Web, can decrypt Eudora passwords saved on Windows-based computers. Macintosh computers are similarly vulnerable, according to Qualcomm, but not to that particular program.

John Noerenburg, Eudora's director of technology, initially denied knowledge of the Eudpass.com program, but later confirmed its existence. He said that Eudpass.com was the only such program known to Qualcomm.

"Eudpass.com is reading the INI file and finding the password entry. It runs a symmetric algorithm...and decrypts the password," said Noerenburg.

INI, or initialization, files store configuration information about the user's preferences and operating environment. The equivalent on the Macintosh is the "settings" file.

Noerenburg warned that users should not opt to save their passwords and noted that the default setting on Eudora requires the user to enter the password each time the program is opened.

"Saving the password in Eudora is really a very foolish thing to do," he said. "The only reason we allow it at all is that some users have demanded it so strenuously."
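An administrator acting on this advice can check which configuration files still hold a saved password. The following is an added example, not code from Qualcomm or from the article: the key-name pattern and the sample INI text are assumptions constructed for illustration, since the article does not name the entry Eudora uses.

```python
import configparser
import re

# Assumption: key names that suggest a stored credential (heuristic, not Eudora's documented key).
PASSWORD_KEY = re.compile(r"password|passwd|pwd", re.IGNORECASE)
TOGGLE_VALUES = {"0", "1"}  # on/off flags such as a "save password" switch hold no secret

# Constructed sample input; section and key names are hypothetical.
SAMPLE_INI = """\
[Settings]
LoginName=alice
SavePasswordFlag=1
StoredPassword=Zm9vYmFy%3D
[Persona-Work]
StoredPassword=
"""

def find_saved_passwords(ini_text):
    """Return (section, key) pairs that appear to hold a saved password.

    Only the location is reported, never the value, so the audit output
    does not become another copy of the stored secret.
    """
    parser = configparser.ConfigParser(
        interpolation=None,   # stored values may contain '%', which would otherwise raise
        strict=False,         # tolerate duplicate sections and keys
        allow_no_value=True,  # tolerate bare keys without '='
        delimiters=("=",),
    )
    parser.optionxform = str  # keep the original key case in the report
    # Prepend a placeholder section so files with keys before any header still parse.
    parser.read_string("[(no section)]\n" + ini_text)
    findings = []
    for section in parser.sections():
        for key, value in parser.items(section):
            if not PASSWORD_KEY.search(key):
                continue
            if value is None or not value.strip() or value.strip() in TOGGLE_VALUES:
                continue  # empty entry or a plain on/off flag
            findings.append((section, key))
    return findings

if __name__ == "__main__":
    for section, key in find_saved_passwords(SAMPLE_INI):
        print(f"saved password entry: [{section}] {key}")
```

Any entry it reports means the password is recoverable by whoever can read the file, so the fix is to turn off password saving and change the affected password.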

Noerenburg said users are primarily at risk if their computers are not physically secure, but that access through networks is also possible. "But the likelihood is very small," he added.

One Eudora user expressed hope that Qualcomm would solve the problem by using stronger encryption.

Qualcomm could beef up the level of encryption, according to company spokesman Tracy Crowe, but has chosen not to do so. He said taking such action would make the program more cumbersome to use, and the government's current restrictions on exporting strong encryption could create havoc for multinational companies using differently encrypted versions of the software.