Mark Quinn pointed out back in August that the imap authentication plugin suffered from a rather serious security risk. If you knew that a site was using it, you could create a cookie that would let you in without having to know a user’s real password. (You did have to know a valid user’s account name.)
So I’ve added a Secret Key to the imap options. This key is used to secure the cookie that is created, and will make it almost impossible for outsiders to create a cookie to fool WordPress into letting them in. Users with a valid cookie who want to fake a login as a different user will have to do a time-consuming brute-force attack on their own cookie to determine the Secret Key (which they could then use to create a valid login cookie for another user account).
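To make the idea concrete, here is a sketch of a login cookie bound to a secret key. It is an added example, not the plugin's own code: the function names, the `user|expiry|mac` cookie layout and the use of HMAC-SHA256 are all assumptions chosen for illustration.

```php
<?php
// Added example, not the plugin's code. Names and cookie layout are assumed.

// The Secret Key: generated once and stored with the plugin options.
// 32 random bytes puts a brute-force search for the key out of practical reach.
function make_secret_key(): string {
    return bin2hex(random_bytes(32));
}

// Cookie value = username|expiry|HMAC-SHA256(key, "username|expiry").
function issue_cookie(string $user, int $expires, string $key): string {
    if (strpos($user, '|') !== false) {
        throw new InvalidArgumentException('username may not contain "|"');
    }
    $payload = $user . '|' . $expires;
    return $payload . '|' . hash_hmac('sha256', $payload, $key);
}

// Returns the authenticated username, or null when the cookie is malformed,
// carries a MAC that does not match its payload, or has expired.
function verify_cookie(string $cookie, string $key, int $now): ?string {
    $parts = explode('|', $cookie);
    if (count($parts) !== 3 || !ctype_digit($parts[1])) {
        return null;
    }
    [$user, $expires, $mac] = $parts;
    $expected = hash_hmac('sha256', $user . '|' . $expires, $key);
    if (!hash_equals($expected, $mac)) {   // constant-time comparison
        return null;
    }
    return ((int) $expires >= $now) ? $user : null;
}

// Constructed sample data.
$key   = make_secret_key();
$now   = time();
$alice = issue_cookie('alice', $now + 3600, $key);

$cases = [
    'genuine cookie'                   => $alice,
    'username swapped, alice MAC kept' => preg_replace('/^alice/', 'bob', $alice),
    'built without the site key'       => issue_cookie('alice', $now + 3600, 'guess'),
    'expired cookie'                   => issue_cookie('alice', $now - 1, $key),
];
foreach ($cases as $label => $cookie) {
    printf("%-34s %s\n", $label, var_export(verify_cookie($cookie, $key, $now), true));
}
```

Because the MAC covers the username, a valid cookie for one account says nothing useful about another account's cookie unless the key itself is recovered, which is why the key's length and randomness matter.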