Open Bug 441889 Opened 16 years ago Updated 2 years ago

Saved passwords function is not working unless signons.sqlite and key3.db files are deleted, or unless saved password is deleted by Password Manager

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Version:
15 Branch
Platform:
x86
Windows 7
Type:
defect

Tracking

(Not tracked)

People

(Reporter: aferreira, Unassigned)

References

Details

(Keywords: steps-wanted, Whiteboard: [workaround in comment 28]) 

User-Agent:       Mozilla/5.0 (Macintosh; U; Intel Mac OS X 10_5_3; en-us) AppleWebKit/525.18 (KHTML, like Gecko) Version/3.1.1 Safari/525.20
Build Identifier: 2.0.0.14 (20080421)

Im using Google IMAP and POP from my mail server.
Almost every time that I open Thunderbird and press Send/Receive I get the prompt to type my password. I check the box to Save Password but it wont work.
I receive my messages as usually but when I close and open Thunderbird it asks sometimes the password.


Reproducible: Sometimes

Steps to Reproduce:
1. Press Send/receive button.
2. Fill the password information with "Save Password" checked.
3. Uses your thunderbird as usually.
4. Close and open your Thunderbird.
5. Repeat Step 1.
Actual Results:  
It asks for my password again.

Expected Results:  
It shouldn't ask anymore.

The time to check for new messages is set for 10 minutes.
I checked if the password is stored in Tools->Account Settings->Privacy->Passwords->Edit Passwords and it is!
There my email account is not in clear text. I mean:
e.g. My email account esilva@intsis.com.br
        The account stored there is esilva%40intsis%2Ecom%2Ebr

Workaround: Dont use "Save Passwords" function.
Marking new based on dups.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Version: unspecified → 2.0
more dupes? bug 469987, bug 488832.
What is the status of this?   I've been struggling with this for years and realized it's been captured since 2009.

If people aren't going to fix remember passwords in Thunderbird, I'd appreciate at least at updated workaround.   Maybe someone can write an Addon called "fix password" that manages this?

At one point, I thought I was able to delete the rogue memorized password and recreate it, but it's locked up again this morning and I can't shake it loose - thanks!
(In reply to tconrad1 from comment #5)
> What is the status of this?   I've been struggling with this for years and
> realized it's been captured since 2009.

Could you test it with a newer version of TB, please? Original post was about using version 2 which us pretty old now.

Anyway, using TB 15 on Ubuntu and not having this issue.

Changing to MacOS X on platform field, as it seems is what user in comment 0 was using,
OS: Windows XP → Mac OS X
Whiteboard: [closeme 2012-10-15]
Javi,

No, this still doesn't work in TB 15.0.1 on Windows 7 (not MacOs for me).   I've been stuck without this working for a *long* time.

I thought that I got it to work once by creating a manual entry in the Firefox password file.  I took a line and edited to what the TB one should look like (I thought).   Then I think I changed it there.  But then the password got lost again and I couldn't reproduce it.   I'm not 100% convinced that this worked though.   I leave TB open for months so once I have the password set (without the "remember" button set, because if I do that, I can't get email), so I can go months without entering a new password anyways.

Summary, TB 15.0.1

- Every time I start TB, I need to enter a password.
- If I check the remember password box, it will *not* connect to email server
- I know it remembered it an old password - when it pops up and displays the *'s, I can just highlight and change the 2 character that I change all the time and overwrite those characters with the current ones and it logs in.  But if I don't change them, it doesn't
- If someone could tell me where to find this stored away password, I would *really* appreciate it.  I just want to delete it.   You guys can fix the underlying bug later.

Thanks,
Tim
Changing to platform All because of Tim comment.
OS: Mac OS X → All
Whiteboard: [closeme 2012-10-15]
Version: 2.0 → 15
(In reply to tconrad1 from comment #7)
> - If I check the remember password box, it will *not* connect to email server
> - I know it remembered it an old password - when it pops up and displays the
> *'s, I can just highlight and change the 2 character that I change all the
> time and overwrite those characters with the current ones and it logs in. 
> But if I don't change them, it doesn't

This seems to point to a problem where the password is not updated. Just to be sure, Tim: the password that appears the first time you retrieve your mail is an old one and, once you change it, it is using the new -correct- one until you check the "Remember the password" check-box or quits TB?

> - If someone could tell me where to find this stored away password, I would
> *really* appreciate it.  I just want to delete it.   You guys can fix the
> underlying bug later.

You can try with the add-on Saved Password Editor.
Javi,

No, not exactly.   It never switches to the new one.  It seems to have this old password that it retrieves from memory.   I know it's that because I only cursor over the characters that I routinely update, change them, and it works for that session.   But it will not work if I check "remember password".  If that is checked, it keeps saying password incorrect.   It's just plain stuck somewhere.

I have the add-on password editor.   That doesn't work (at least as far as finding and editing the email password).   I thought I had fixed it once with that editor by creating a fake entry by hand with the correct login/password, but if it did work, it was only once and later I couldn't get that trick to work (if it ever did).  Same with trying to find and delete it with that tool.  I'm just used to the recipe of uncheck "save" and highlight the black circles with the wrong characters and fix them.  It's a pain though since this worked perfectly for years.  It also works if I retype all the password characters.

So once I have the new password accepted, the session works.   But if I restart thunderbird, it seems that it tries once with the "remembered" incorrect/old password, then brings up the dialog box to take action and redo it.  I've cleared caches and all the obvious things.  I don't know the inner workings of this, but if there was a "flush bad password" option, that would be fine for those of us with it stuck on some old one stored who-knows-where...

Thanks,
Tim
Then, it seems that the password is not updated from its current value.

A workaround that could work for you is to rename signons.sqlite and key3.db to .old (so, adding ".old" to both their filenames, signons.sqlite becoming signons.sqlite.old and so on). This should be done when TB is not running. Then, when restarting Thunderbird, it should ask you again for a password -the field should appear empty now- and recreate both files.
Javi - thanks, that workaround is perfect!   It started me up without a memorized paasword and the new one is kept (I verified by restarting Thunderbird).

Maybe this is minor importance to the Mozilla community, but it was a big problem for me.   It might be good to add your workaround to some FAQ page to make sure others can make use of this.  As I said, if you keep the remember button checked, it would never let you back in to your email, so many people would probably quit using this if it happened.

Thanks!
Tim
Update - Javi's suggestion worked - *until* the system required a password change.   Then it's messed up again.  I'll do the delete and restart, but a clue here suggests it's not the file that is corrupt.

Tim
Can someone please fix this?   I need to come here every three months and figure out which files to delete.  This is awful!   At least add a button called "purge corrupt passwords" please!
Javi's fix still works - but can someone make it so I don't need to delete the app data files once a quarter to use this program?   Something corrupts them (ie, thunderbird).   There must be something more fundamentally wrong here.
(In reply to tconrad1 from comment #13)
> Update - Javi's suggestion worked - *until* the system required a password
> change.   Then it's messed up again.  I'll do the delete and restart, but a
> clue here suggests it's not the file that is corrupt.
> 
> Tim

Just to clarify: by "system" do you mean "mail server"?

As always, in order to fix issue, a replication of it is needed. If people cannot replicate it, it is unlikely to be solved. I am not saying it is just a problem only appearing to you, though.
Javi,

Yes, our mail server requires a password change each quarter.  After that happens, Thunderbird will not update the password such that it automatically logs in unless I delete those files.

I have tried various options to log back in after a password change, including using the Firefox password changer (which works other web sites).  Regardless, the password doesn't get updated and Thunderbird appears to keep sending the old password.   If I enter a new password, but not click the "save" option, I think I can get it to run (but it will later come back with the window to enter the password).

Yesterday, when I did this, it seemed like this was the pattern, if I remember it correctly:

 - I deleted the files you mention
 - I start up thunderbird
 - it asks for the password, I enter it and click to remember it
 - oddly, it came back with the same password panel, and when I went to click on it, it went away and the mail came up.  I was wondering why the password seemed wrong, but it actually was correct because it connected.  Since then, it's remained connected or reconnected correctly.

So if I delete both files, it always works.  I think I'm up to ".bak5" version of them.  The failure seems to be that Thunderbird does not update these files or even accept updates from the Firefox password edit.

Thanks,
Tim
The problem about password not being updated is also on bug 563567. The thing is that I am unsure if all of this is a Preferences problem.

Logins and Password belongs to the Security component. Anyway, this Bugzilla component seems to have become where most of the issues end, either are related to settings or not.

At the official documentation it is noted that the procedure to update password is to delete old pssword and add it the new one. However, on Security/Passords dialog there is no "add password" button.

I have been reading a little bit about interfaces related to passwords and have found that Password Manager was the old Toolkit Service, which didn't provide a way to update passwords. The new one is Login Manager. It provides a function to change the password programmatically: modifyLogin.

I have been comparing both Mozilla browser (on m-c) and Thunderbird (on c-c) and I found no differences at first sight. I will continue to look at this.

Finally, Tim, it is unnceseary to remember us the problem is still there. There are people -7 of them right now- following this bug so it is easy some of them are testing periodically about its resolution. Myself is on that list :)

Thank you for your patience and by not stop using Thunderbird. I hope the issue is going to be solved possitively in the near future.
(In reply to Javi Rueda from comment #18)
> Logins and Password belongs to the Security component. Anyway, this Bugzilla
> component seems to have become where most of the issues end, either are
> related to settings or not.

yes, security is probably the place for these. 

https://bugzilla.mozilla.org/buglist.cgi?f1=short_desc&list_id=11059016&short_desc=password&o1=nowordssubstr&resolution=---&classification=Client%20Software&classification=Components&query_format=advanced&f2=OP&short_desc_type=allwordssubstr&v1=autoconfig&component=Account%20Manager&component=Preferences&product=MailNews%20Core&product=Thunderbird may contain some more duplicates. Can you check them too please?
Severity: minor → normal
Component: Preferences → Security
Whiteboard: [duptome]
actually the granddaddy may be bug 244111, where rsx11m and others have comments
Whiteboard: [duptome]
I am unsure, Wayne. Bug 244111 is about the fact that TB didn't download messages once the correct password was filled.
DO we have a set of steps to reliably reproduce?
Flags: needinfo?(leofigueres)
Keywords: steps-wanted
See Also: → 244111
Summary: Saved passwords function is not working. → Saved passwords function is not working unless passwords unless signons.sqlite and key3.db are deleted
Steps are indicated in comment 0. However, the bug title also describes a workaround, taken from my comment 11.

Since Mozilla 32 it seems that the correct file to delete is logins.json, which replace signons.sqlite. It can be found on the profile directory.

http://kb.mozillazine.org/Password_Manager describes how to re-import data.

I have been unabvle to reproduce this bug on any of my available systems -Ubuntu on a VM and a real OS X- so I cannot tell if it is working.

Tim, could you test this new workaround, please? Thank you.
Flags: needinfo?(leofigueres) → needinfo?(tconrad1)
OS: All → Other
Summary: Saved passwords function is not working unless passwords unless signons.sqlite and key3.db are deleted → Saved passwords function is not working unless signons.sqlite and key3.db files are deleted
Whiteboard: [workaround in comment 11]
OS: Other → Windows 7
OK, next time our corporate password changes, I'll try the new stuff (last time I did the old workaround and it was still working).

Thanks!
Flags: needinfo?(tconrad1)
Guys, this is driving my customer OUT OF THEIR MINDS!  Yes I am shouting.  Please fix this.

By the way, setting the files to read only only works until the next update.   AAAAHHHHHHHHHHHHHHH!!!!!
(In reply to Todd from comment #30)
> Guys, this is driving my customer OUT OF THEIR MINDS!  Yes I am shouting. 
> Please fix this.
> 
> By the way, setting the files to read only only works until the next update.
> AAAAHHHHHHHHHHHHHHH!!!!!

The Document Foundation, home of LibreOffice, has a policy that it is not the responsibility of the core team to fix bugs, rather it is the responsibility of service partners. After all, you are making money supporting your customers, I am not. While this is not currently the formal policy of the Thunderbird project, it is a great idea. So patches are welcome, particularly from people with customers who are being plagued by this.

Perhaps you could investigate this and submit a patch?
1) what does Document Foundation have to do with Mozilla and why do you care what their policies are?

2) I make ZERO off of reporting bugs.  The time I spend reporting and documenting and NEEDINFO costs me DEARLY.

3) The maintainers of signons.sqlite and key3.db are the proper persons to fix this bug, not me.  I am not a programmer and wouldn't have a clue how to go about fixing it.  I can only help troubleshoot it for FREE.

FIX THIS!
Kent, all, I don't want to debate who should fix this, but I would say that there are probably few of us with this problem (who have waited patiently since 2008 for a fix) that can fix this.   I don't know much about these db files, but I do know that the number of people who have a problem and take the time to create an account, document the problem, and do debug on it (eg me) is pretty small and probably represents a significant number of other users who gave up or moved on.

I don't know what Todd above does, but I'm just an email user and it's extremely frustrating to see something like a locked password and not see it get fixed after 7 years....

Tim
There should be some clues here.

found a bad logins.json.

I had Read Only the original logins.json, something screwed up and Thunderbird decided to write to it.  Thunderbird could not, so it created a logins.json.tmp:

{"nextId":2,"logins":[],"disabledHosts":[],"version":1}

The user exited Thunderbird, restarted Thunderbird, Thunderbird re-read the original Read Only logins.json, and happy camping was returned.

The proper one looks like this (I have removed the passwords and replaced them with "abc"):

{"nextId":2,"logins":[{"id":1,"hostname":"smtp://smtpout.secureserver.net","httpRealm":"smtp://smtpout.secureserver.net","formSubmitURL":null,"usernameField":"","passwordField":"","encryptedUsername":"abc","encryptedPassword":"abc","guid":"{aacfc240-3394-4937-868c-93f3cd92c746}","encType":1,"timeCreated":1449168460221,"timeLastUsed":1449168460221,"timePasswordChanged":1449168460221,"timesUsed":1}],"disabledHosts":[],"version":1}

All of the above troubleshooting was done for FREE.
Whiteboard: [workaround in comment 11] → [workaround in comment 28]
Guys !!!!

One of my customer's five facilities has to send out 640 invoices at the end of every month.  If I am not around to remote into their system to fix this, they have to enter the password 640 times.  Reentering the password and pressing save password doesn't work unless I delete those two files.  And that procedure is over their technical expertise.

***  I CAN NOT BEGIN TO TELL YOU HOW ANGRY THE CUSTOMER IS OVER THIS !!!  ***  You would be too.

I have plenty of before and after stuff to send you, must must send you privately. YOU ARE THE MOZILLA FOUNDATION, NOT MICROSOFT OR OPEN OFFICE!  YOU FIX THINGS!

Please stop dragging your butts and fix this.
(In reply to Todd from comment #30)
> By the way, setting the files to read only only works until the next update.

How does setting the files to read only helpful? 
What else must be done to make this an effective (temporary) workaround?
By update - do you mean Thunderbird update?  
What happens to the files on update? (Seems to me Thunderbird shouldn't be touching them)
Flags: needinfo?(ToddAndMargo)
Thank you for helping me with this.  My customer is really, really **** (an understatement).

(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #37)
> (In reply to Todd from comment #30)
> > By the way, setting the files to read only only works until the next update.

Depending on the update, I have had the installer remove the "read only" tag from "logins.json" and "session.json".  It does not always happen.

> 
> How does setting the files to read only helpful? 

It takes about five times as long for the issue to reappear.  When it does, I find Thunderbird has created "logins.json.tmp" and "session.json.tmp" files.  Erasing the tmp files does no good either.  I have to erase "logins.json" and "session.json" as well and reenter and resaving the outgoing password.

> What else must be done to make this an effective (temporary) workaround?

I have to erase "logins.json" and "session.json" and logins.json.tmp" and "session.json.tmp" as well and reenter and resave the outgoing password.

> By update - do you mean Thunderbird update?  

I couldn't find the remark.  I presume I was referring to re-entering and re-saving the outgoing password.  If I do not erase those two files (or four files), the password has to be entered each and every outgoing mail.  The mail will go out each time the password is re-entered.  Clicking save has no effect.

> What happens to the files on update? (Seems to me Thunderbird shouldn't be
> touching them)

If you mean Thunderbird update, normally nothing, unless the installer resets the read only flags on those two files.

I have before and after of these files, if that helps.

Why won't clicking "save" update these files unless I erase them and start over?
Flags: needinfo?(ToddAndMargo)
(In reply to Todd from comment #38)
> Thank you for helping me with this.  

sure. bear in mind I no expertise in this area. but let's investigate and try to bring in the right people


> Why won't clicking "save" update these files unless I erase them and start over?

Someone on IRC speculated "when password needs to be updated every three months, it looks like an enterprise install... there's probably some group policy that prevents the file from being updated/write"
Just fixed a guy on 45.3.0, Wind7 Pro x 64, Go Daddy (secure server), iMap and SMTP.  Thunderbird properly stored his iMap password, but this bug nailed his outgoing eMail.  It would not save his SMTP password and prompted every time he went to send a message.
FYI.
Following is copy of Bug 855373 Comment #2. Following is description on POP3, but it's applicable to SMTP server too. Some SMTP servers immediately close connection just after login failure or just after succesful QUIT completion.

*** copy of comment ***

There are known unplesant server behaviours after login failure by password error and not-so-well setups around login.

(a) Server closes connection immediately.
    Tb doesn't clear saved password immediately by the login error,
    because there is no way to know "login failure is by wrong 
    password", and in order to avoid "account deactivation by server
    due to too many login attemps by other reason than wrong password".
    And, saved password is cleard and new password is saved after
    successfull login by newly entered password.
    In POP3, Tb has problem of "connection kill by server just
    after loign failure is not well processed". So, Tb requests
    CAPA command and waits for CAPA response in order to retry with
    newly entered password, and it fails again because of timeout.
    In this case, because saved password(wrong password) is not
    cleared yet, same thing happens again.

(b) Server advitises wrong login methods.
    When multiple login methods are advertised by server(call loginA
    and loginB), Tb tries other method when first method fails.
    If first loginA fails by wrong password, because there is no way to
    kow reason why login fails, Tb tries loginB.
    If the advertised loginB is not supported by server, loginB with
    saved(wrong) password also fails.
    In such case, if server closes connection because of "continuous
    login attempts failure", same thing as (a) happens.
    "non supported loginB" is server side configuration error. 

In any of above, "clear password by Password Manager in Tb" works well, unless account is deactivated due to "multiple login failure by wrong password".
Severity: normal → major
(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #39)
> Someone on IRC speculated "when password needs to be updated every three
> months, it looks like an enterprise install... there's probably some group
> policy that prevents the file from being updated/write"

Todd, have you investigated this theory? Are you able to write to the logins.json file manually using some editor while TB is closed (of course backup the file)?
(In reply to :aceman from comment #43)
> (In reply to Wayne Mery (:wsmwk, NI for questions) from comment #39)
> > Someone on IRC speculated "when password needs to be updated every three
> > months, it looks like an enterprise install... there's probably some group
> > policy that prevents the file from being updated/write"
> 
> Todd, have you investigated this theory? Are you able to write to the
> logins.json file manually using some editor while TB is closed (of course
> backup the file)?

I will have to wait for one to screw up again.

If it helps, I can easily delete and/or rename the thing
Summary: Saved passwords function is not working unless signons.sqlite and key3.db files are deleted → Saved passwords function is not working unless signons.sqlite and key3.db files are deleted, or unless saved password is deleted by Password Manager

(In reply to Todd from comment #44)

(In reply to :aceman from comment #43)

(In reply to Wayne Mery (:wsmwk, NI for questions) from comment #39)

Someone on IRC speculated "when password needs to be updated every three
months, it looks like an enterprise install... there's probably some group
policy that prevents the file from being updated/write"

Todd, have you investigated this theory? Are you able to write to the
logins.json file manually using some editor while TB is closed (of course
backup the file)?

I will have to wait for one to screw up again.

Todd (from bug 1170331), and Tim,
Do you still see this issue when using a current version?

(reporter's address, Adolfo, bounces)

Flags: needinfo?(ToddAndMargo)

unfortunately, I no longer have assess to the customers machine. I am also at a loss to figure out how to reproduce this as the weird key3.db and logins.json are no longer available. I can state this, I haven't heard any complaining from the customer for well over a years, so I presume this is no longer an issue and believe me, I would definitely hears about it!

Flags: needinfo?(ToddAndMargo)
Severity: major → normal

This bug still extists in the current version and it is sooo annoying.

We are using in TB in our office, where we are requested to change our password regularly.
And I still often have Thunderbird clients where people tell me that TB nags them to enter their password again and again after they changed it.

Severity: normal → S3
You need to log in before you can comment on or make changes to this bug.