
Passwords of E-mail account not safe in Pop Peeper

Posted: Thu Aug 10, 2017 11:18 am
by J.Bruyn
I always assumed the e-mail account passwords are safely stored and kept encrypted by Pop Peeper. However, when I ran "[admin: redacted]", a freeware utility of [admin: redacted], it showed a complete list of all the e-mail accounts and their passwords in Pop Peeper.
How is this possible??

Re: Passwords of E-mail account not safe in Pop Peeper

Posted: Thu Aug 10, 2017 11:44 am
by spc3rd
Hi J.Bruyn and welcome to the Esumsoft Forums!

Given the nature of your topic, I have contacted Jeff (Our Forum Administrator/Software Developer) and asked him to review your inquiry. He, (and other members of the Esumsoft Team) should be stopping-by later to further address the subject you have presented.

In the interim...
As you are a new member of the Forums, The Esumsoft Team requests you review the following:

Information for new users and forum members.

Important information is provided regarding the Forums and the POP Peeper program which new members need to be aware of, including cautionary notes about personally identifiable information. Links are also provided to additional resources which explain how to perform a variety of tasks, as well as the steps to take if you experience problems with the POP Peeper program.

Thank you for your inquiry and best regards,

Re: Passwords of E-mail account not safe in Pop Peeper

Posted: Thu Aug 10, 2017 12:38 pm
by Jeff
Passwords are encrypted in POP Peeper. But this is a valuable lesson about encryption -- any program that stores your password that has to use the original (un-encrypted) password can be reverse-engineered. There are products by Mozilla, Google and Microsoft on the same list of passwords that can be recovered.

I ran the program in a VM (with not much software installed) and it found passwords in one of my POP Peeper configurations (and also Google Chrome). So I tried an experiment: I simply renamed the 'poppeeper.ini' file in the default folder and then the program no longer found the passwords. However, I wouldn't go to the trouble of moving POP Peeper's data files, as it would be easy for someone to copy the files to the expected location.

Regardless, I will update the encryption for the next version (likely, v5).


Also, I've edited your post to remove mention of the program. While these types of programs have their legitimate purposes, they are a gray area that I don't feel the need to give attention to.

Re: Passwords of E-mail account not safe in Pop Peeper

Posted: Fri Aug 11, 2017 9:31 am
by J.Bruyn
Hi Jeff,

Thanks for the prompt response. I know any encrypted file can be decrypted in the long run. However, reproducing the correct key will normally take ages, especially when a complicated master password (key?) is used, as I use for Pop Peeper. I was shocked that the little program (which I'm not allowed to mention the name of) took less than 10 seconds to produce a complete list of all the e-mail accounts from Pop Peeper, including usernames, mail server settings, and passwords. It is also bitter that the only passwords found were in Pop Peeper.
I hope you can resolve this issue in the near future.

Thanks for all the good work!
Greetings, Jan

Re: Passwords of E-mail account not safe in Pop Peeper

Posted: Fri Aug 11, 2017 2:06 pm
by Jeff
What you're referring to is known as the "brute-force" approach; i.e. trying every single possibility to find the key until the correct one is found. That is not what's happening. There is not a specific key that decrypts the data. The only way to have unlocked the method would be for the developer of that program to actually step through the logic of POP Peeper's code to see what it's doing (I'm not suggesting that they have access to PP's source code, but there are ways to disassemble the executable file) and then duplicate that logic to decrypt the data. It's basically "software cracking" if you're familiar with that term; and all software can be cracked.

Also, this is a very good example of showing the merits of OAuth2. With OAuth2, the password does not need to be stored locally. The downside of OAuth2 is that it is not a "generic" protocol and so it's improbable to ever have widespread use. But if you are using any of the email servers that POP Peeper supports for OAuth2 (Gmail, Outlook.com/Hotmail, Yahoo), then this is a very good opportunity for you to enable OAuth2 and delete your passwords from PP for those accounts.
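Added illustration of the point Jeff makes in both of his replies above (this is constructed example code, not POP Peeper's code, file format or cipher, and the key, INI layout, account names and passwords in it are made up). A mail client that must hand the server the plaintext password keeps a reversible cipher, and typically the key, inside its own executable; a "recovery" utility only has to read that key out of the binary and replay the same logic over the config file, which is why it finishes in seconds no matter how strong the passwords are. The second half shows the one thing that changes the picture: a key derived from a secret the program never stores (a master passphrase typed at startup, or, in the OAuth2 case, no password on disk at all), where replaying the logic without that secret yields nothing usable.

```python
"""Toy model of 'encrypted' stored mail passwords and their recovery.

Constructed illustration, not POP Peeper's real scheme. The stream
cipher here is for demonstration only; a real program would use a
vetted AEAD library.
"""
import configparser
import hashlib
import hmac
import os
from typing import Optional

# Hypothetical key baked into the imaginary client's executable. A reverse
# engineer reads it out of the binary; no key search is involved.
EMBEDDED_KEY = b"mailclient-v4-static-key"


def _keystream(key: bytes, salt: bytes, n: int) -> bytes:
    """Deterministic SHA-256 counter keystream (toy stream cipher)."""
    out = b""
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(key + salt + counter.to_bytes(4, "big")).digest()
        counter += 1
    return out[:n]


def _xor(data: bytes, ks: bytes) -> bytes:
    return bytes(a ^ b for a, b in zip(data, ks))


def client_encrypt(password: str, key: bytes = EMBEDDED_KEY) -> str:
    """What the client writes to its INI: hex(salt || password XOR keystream)."""
    salt = os.urandom(8)
    pw = password.encode()
    return (salt + _xor(pw, _keystream(key, salt, len(pw)))).hex()


def client_decrypt(blob: str, key: bytes = EMBEDDED_KEY) -> str:
    """What the client does before talking to the mail server."""
    raw = bytes.fromhex(blob)
    salt, ct = raw[:8], raw[8:]
    return _xor(ct, _keystream(key, salt, len(ct))).decode()


def recovery_tool(ini_text: str, key: bytes = EMBEDDED_KEY) -> dict:
    """The 'gray area' utility: identical logic, key lifted from the binary.
    Returns {section: (user, server, plaintext password)} in milliseconds."""
    cfg = configparser.ConfigParser()
    cfg.read_string(ini_text)
    return {
        sec: (cfg[sec]["user"], cfg[sec]["server"], client_decrypt(cfg[sec]["password"], key))
        for sec in cfg.sections()
    }


# --- The contrast: a key the program does not possess -------------------

def derive_key(master_password: str, salt: bytes) -> bytes:
    """Key derived from a secret typed by the user and never written to disk."""
    return hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000)


def master_encrypt(password: str, master_password: str) -> str:
    """hex(salt || ciphertext || HMAC tag); the tag lets us detect a wrong key."""
    salt = os.urandom(16)
    key = derive_key(master_password, salt)
    pw = password.encode()
    ct = _xor(pw, _keystream(key, salt, len(pw)))
    tag = hmac.new(key, salt + ct, hashlib.sha256).digest()[:16]
    return (salt + ct + tag).hex()


def master_decrypt(blob: str, master_password: str) -> Optional[str]:
    """Replaying the logic without the right master secret yields None, not garbage."""
    raw = bytes.fromhex(blob)
    salt, ct, tag = raw[:16], raw[16:-16], raw[-16:]
    key = derive_key(master_password, salt)
    expected = hmac.new(key, salt + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        return None
    return _xor(ct, _keystream(key, salt, len(ct))).decode()


def demo() -> dict:
    # Constructed INI in the imaginary client's format (made-up accounts).
    ini = (
        "[account1]\nuser=jan@example.com\nserver=pop.example.com\n"
        f"password={client_encrypt('Tr0ub4dor&3')}\n"
        "[account2]\nuser=jan@example.org\nserver=imap.example.org\n"
        f"password={client_encrypt('correct horse battery staple')}\n"
    )
    blob = master_encrypt("Tr0ub4dor&3", "my long master passphrase")
    return {
        "recovered": recovery_tool(ini),
        "with_master_ok": master_decrypt(blob, "my long master passphrase"),
        "with_master_wrong": master_decrypt(blob, "guess"),
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(name, value)
```

Note the limits of the contrast: a master-derived key only protects the files at rest. While the client is running it still holds the plaintext in memory, and a tool running as the same user can read it there; it also does nothing if the master passphrase is itself cached on disk. Not storing the password at all (the OAuth2 route Jeff describes) removes the artefact entirely, and a leaked token can be revoked, which a leaked password cannot.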