Closed
Bug 1339766
Opened 8 years ago
Closed 8 years ago
Masterpass is amnesic and bypassable
Categories
(Thunderbird :: Security, defect)
Tracking
(Not tracked)
RESOLVED
DUPLICATE
of bug 318697
People
(Reporter: romarain.pc, Unassigned)
Details
User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/51.0.2704.79 Safari/537.36
Steps to reproduce:
(my software is in French so please excuse possible translation mistakes)
1. Open Tools>Option, go in Security>Password
2. Check "Use a masterpass".
3. Define it, apply the changes.
4. Close Thunderbird and reopen it.
Actual results:
1. The masterpass popup is opening at start.
2. The popup refuses my password, and re-asks for it constantly.
Moreover, a friend of mine discovered a breach:
3. If we click on "ABORT" repeatedly very quickly (20x at least), the popup disappears.
4. And Thunderbird continues to work.
Expected results:
1. The popup should accept my password, and give me access to my e-mail accounts directly.
2. The popup shouldn't disappear when we click on "ABORT".
Comment 1•8 years ago
What you have stated is a common misunderstanding of the purpose of the master password.
The master password is designed only to protect passwords you have saved, not to protect your mail. Your mail is just like any other data on your OS account; it is your responsibility to secure that data with OS and other security tools like any document or file on the computer. See also https://support.mozilla.org/t5/Basics/Protect-your-Thunderbird-passwords-with-a-Master-Password/ta-p/14829
Please see bug 318697 comment 60
Group: mail-core-security
Status: UNCONFIRMED → RESOLVED
Closed: 8 years ago
Resolution: --- → DUPLICATE
Reporter
Comment 2•8 years ago
Ok, so if I activate the masterpass of TB, it's okay if:
- It doesn't accept my masterpass at opening.
- And we have to click tens of times on ABORT to bypass it (and not only one time)?
Please read comments entirely, especially if people make the effort to do clear bullet-lists.
By the way, the misunderstanding is due to your semantic definition of a masterpassword. But YOUR definition is not the one of others. Mine is "A masterpass opens the door of multiple functionalities".
For example, the LastPass extension (strongbox) has the role of keeping all our passwords: so, in this paradigm, passwords are functionalities, and the masterpass opens the door of these functionalities.
In Thunderbird, the passwords of each e-mail account can be memorized and re-entered automatically. To protect this functionality (and all sub-functionalities), and prevent anyone from accessing them (as in LASTPASS !!), we can set a masterpass.
I know there is a subtle difference with strongboxes, but it is finally the same purpose: avoiding the access!
So, taking people for fools when YOU believe that they are stupid to ask for a WELL-WORKING masterpass is stupid: because even if they haven't understood that "the TB masterpass is a bit different and protects only the connections between accounts and servers, but accepts to display the UI", it does not give you the right to say that they haven't understood the concept of A MASTERPASS.
Because masterpass in TB is different from all other forms of masterpass that people are used to. At least you could have explained it more efficiently in the option panel of TB, instead of giving dead lessons.
So, in this perspective, please accept that I ask you again if you have correctly read my bug report, which exposes at least one big bug: your masterpass is bugging in my TB v45! (and a friend of mine has the same problem).
Comment 3•8 years ago
> - And we have to click tens of times on ABORT to bypass it (and not only one time)?
Sorry I did not address this point, which is in fact a valid bug. Yes, everyone is in the same boat - I also experience that problem. It is covered in bug 1180374 and a series of related bugs, of which one is actively being addressed. There's not much else to be said - the problems are very well understood.
Until it is fixed you may want to take a look at https://addons.mozilla.org/en-US/thunderbird/addon/startupmaster/ and https://addons.mozilla.org/en-US/thunderbird/addon/master-password/. I do not use them and cannot speak to how well they work.
Reporter
Comment 4•8 years ago
And the point #1 of my EXPECTED bullet-list?
Quote:
> 1. The popup should accept my password, and give me access to my e-mail accounts directly.
Or the same point, exposed in the ACTUAL RESULT:
> 2. The popup refuses my password, and re-asks for it constantly.
?
Comment 5•8 years ago
Valid points and again these are all covered under existing bug reports. Sorry, but I do not have more time to discuss this with you. Again, the problems are very well understood and documented.