Closed Bug 278454 Opened 20 years ago Closed 15 years ago

Blank passwords not saved properly

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Windows XP
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED INCOMPLETE

People

(Reporter: spencer, Unassigned)

References

Details

(Whiteboard: closeme 2009-04-25) 

I have Thunderbird set up as an IMAP client on an internal network. For 
reasons beyond my control, IMAP users do not have passwords. 

When I access a folder through Thunderbird, I am prompted for a password. 
Leaving the field blank, checking "remember this password" and hitting OK 
allows access. This also creates an entry in the password manager for the 
username/server combination, as seen in Options->Advanced. 

The trouble is that after Thunderbird is restarted (or another Folder on the 
same server is accessed) the user is prompted for the password again. As long 
as the connection is maintained, no password is needed, but the creation of 
any new connection requires the password, even though "Remember password" is 
consistently checked off.
(In reply to comment #0)
   Problem occurs with POP3 account access also. My IT dept uses NO passwords on
purpose. Result: I save user name and blank (null) password--so tbird demands I
enter the password everytime I try to get mail from server. I must click the
button with no password entered just to get mail. Info is saved properly, it's
just that tbird thinks 'NULL password' means 'PWD must be entered'. I think a
pref to allow BLANK/NULL passwords would solve this.
   WORKAROUND: On a whim, I simply entered a single blank space when asked for
the password--now it gets my mail from POP3 server just fine, as if ' ' is my
password. It's rather inobvious, so I hope a fix can eventually be made.


This is an automated message, with ID "auto-resolve01".

This bug has had no comments for a long time. Statistically, we have found that
bug reports that have not been confirmed by a second user after three months are
highly unlikely to be the source of a fix to the code.

While your input is very important to us, our resources are limited and so we
are asking for your help in focussing our efforts. If you can still reproduce
this problem in the latest version of the product (see below for how to obtain a
copy) or, for feature requests, if it's not present in the latest version and
you still believe we should implement it, please visit the URL of this bug
(given at the top of this mail) and add a comment to that effect, giving more
reproduction information if you have it.

If it is not a problem any longer, you need take no action. If this bug is not
changed in any way in the next two weeks, it will be automatically resolved.
Thank you for your help in this matter.

The latest beta releases can be obtained from:
Firefox:     http://www.mozilla.org/projects/firefox/
Thunderbird: http://www.mozilla.org/products/thunderbird/releases/1.5beta1.html
Seamonkey:   http://www.mozilla.org/projects/seamonkey/

version 1.5 Beta 1 (20050927)

Just confirming that BLANK passwords are still not handled properly in the
latest beta of tbird. 

When user name without a password leaves the PWD challenge space empty and
clicks the "Use Password Manager to remember this password" there is indeed an
entry stored for the user name.  However, all subsequent POP3 mail fetches for
that user name are still challenged for a password--as if the null password is
not being sent to the mail server, and user must click OK to get mail.  However,
if I enter a space character as the password (even thought there is NOT a
password, tbird will work correctly and fetch mail from the server.  I'd think
that a PWD of a single space, where NONE is required, would cause the server to
reject it.  So, it seems that tbird requires a space to represent NO password,
and perhaps strips it out before sending a request to the server to send mail.
QA Contact: general
This bug persists in Thunderbird version 2.0.0.6 (20071022) as built and made available by the Ubuntu community, and on Windows version 2.0.0.9 (20071031).

This bug is especially annoying when using an LDAP directory for address book auto-completion. The LDAP server we use contains no password, as it is especially unnecessary for a global addresses book. Every new email composed will prompt for the blank password if you allow Thunderbird to attempt an auto-completion on an email address.

Also, a space character is not accepted as a blank password on some protocols or protocol implementations, such as our LDAP server.
Assignee: mscott → nobody
Do you see problem using thunderbird 2? Or, better yet, please check Thunderbird 3 beta 2**?

If you do, please see the problem comment.
If you do not, please close the bug with resolution WORKSFORME (or some appropriate resolution, but not FIXED)

** Beta 2 has big fix of Bug 239131 Thunderbird should use the new password manager, which includes numerous improvements
http://www.mozillamessaging.com/en-US/thunderbird/early_releases/
(suggest you backup your profile before using beta release)
Component: General → Security
Whiteboard: closeme 2009-04-25
QA Contact: general → thunderbird
RESO INCO due to lack of response to last comment. If you feel this change was made in error, please respond to this bug with your reasons why.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → INCOMPLETE
Thunderbird 2 has same problem, as described in Bug 436085 ...
So there is no chance, that it will be fixed in 2.x branch ?
(In reply to comment #8)
> Thunderbird 2 has same problem, as described in Bug 436085 ...
> So there is no chance, that it will be fixed in 2.x branch ?

Not really the 2.x branch is in maintainance mode and will get security fixes. The good news for you is that we are only a few weeks away from Thunderbird 3.0b3 which should be the last beta before 3.0 is released. You should give a try to 3.0b3 when it gets out.
You need to log in before you can comment on or make changes to this bug.