1) The app downloads your emails into their server.
2) Yes, they store that actual password. Which is ridiculous.
3) Yes, good for them for that, but still there are others where they store passwords. And that is not acceptable.
4) But that also means that they outsource the security part of things. Which doesn't lend faith to the idea that they know about security. And if someone realises how to control their application, all the passwords will be hacked.
5) Pidgin is stored locally. There's a difference. Not that I support it, but it's still better than someone storing my passwords.
> The app downloads your emails into their server.
They need to do that to back up the emails. The product may not be something you are interested in, but it doesn't mean the execution is flawed.
> Yes, they store that actual password. Which is ridiculous.
They have to in order to retrieve the emails. Blame the standards!
> Yes, good for them for that, but still there are others where they store passwords. And that is not acceptable.
See above.
> But that also means that they outsource the security part of things.
> Which doesn't lend faith to the idea that they know about security.
> And if someone realises how to control their application, all the passwords will be hacked.
This isn't something with a black and white answer and I respect your opinion on this. I personally feel that they may know plenty about security and have decided that this is the most secure option. For example, I wouldn't write my own crypto, because I know enough about security to know how hard it is to do right.
They can't, unless the email service gives them OAuth.
And even then, allowing a third party to back up your emails is a very dangerous thing to do. They say that credit cards are more dangerous; I say no. For credit cards you can claim fraud.
When your email gets hacked, potentially your whole digital life is gone.
Then what you need to write is, "I think that unproven email backup services are a bad idea", not, "these guys are idiots because they store a retrievable copy of your email credentials" which is necessary for the service that they are providing.
What they could have done is to allow users to auto-forward their emails over to their servers or something. Not impossible, but I'm not their employee and I'm not responsible for thinking up business strategies for them.
You can only archive incoming e-mails via auto-forward, not drafts and not outgoing e-mail (unless you use their mail servers, which is something completely different). If I want archiving for my e-mails, I have to give up my account credentials. You could actually do sufficient mischief with the archived e-mails; you don't need the account credentials in the first place. That sucks, but it's not their fault: this kind of service is inherently insecure.
Now, if you can demonstrate that this particular company has a particularly unsafe way of storing the passwords or the retrieved e-mails, then you're getting closer to having a valid point.
So what you're saying is that they should limit their market to those users that can successfully set up email forwarding, solely because storing passwords is bad.
Part of the service they're offering is that they'll restore the contents of your mailbox in case of accidental or malicious deletion. I have
And by storing the passwords, they are putting their users at risk. We are in an era where email security means more than anything: it means access to all your services.
They should go think about how they can design a service securely before offering it.