Primary Password can be skipped on Windows (10)
Categories
(Thunderbird :: Untriaged, defect)
Tracking
(Not tracked)
People
(Reporter: yojekem325, Unassigned)
Details
User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/113.0
Steps to reproduce:
This issue has existed for at least a year with Windows 10 64-bit and on two separate machines I own. Also exists with the latest 102.11.0 release.
Issue does NOT exist on Linux (Mint, latest LTS), Firefox version 102.10.0.
Actual results:
On Windows 10, if you set up a primary password for Thunderbird, each time you launch the Thunderbird program, you can either keep closing the primary password prompt window or keep entering a wrong password; eventually the main window will appear, and although you will keep getting prompted to enter a password, you can go ahead and check the email addresses associated with Thunderbird and even see the email list.
Expected results:
Instead, like on Linux, the main window should not appear until a correct password is entered.
Comment 1 (Reporter) • 2 years ago
Two corrections:
- Upon further testing, the issue also exists on Linux.
The best way to reproduce is to keep hitting Exit button on your keyboard when the password prompt window is active to close it. Only after a few attempts the main window will open, without you having entered the password.
- You can not only see all email addresses and emails list, but even read the contents of the emails this way.
So to summarize, the Primary Password is completely broken, since anyone can access Thunderbird without knowing the password, and at most they will keep getting annoyed with requests to enter password which they can close each time.
Comment 2 • 2 years ago
The primary password is designed to protect only the passwords, not local cache.
Comment 3 (Reporter) • 2 years ago
Okay, thanks.
Please consider either adding a pop-up hint text, small grey hint text which explains that it is in fact not a primary program password, or maybe consider renaming it to "Primary login password" or something else.
I'm sure it seems intuitive to you, but I'm willing to bet that's not what the average user assumes by "primary password" and the average user doesn't really check the whole manual before using the product, especially for features which seem clear to them.
Thanks
Comment 4 (Reporter) • 2 years ago
Two things add more confusion to this:
- How the program main window doesn't open if you keep typing the wrong password, but it gladly opens when you press Escape or Cancel. The behavior should be consistent. If Thunderbird is not at all trying to prevent you from viewing emails, why does it never open the main window in the first case? Gives the completely opposite idea by doing so.
- If you press Escape or Cancel on the primary password prompt window, the window just keeps reappearing. Why would I close a window if I expected it to reappear in an instant? Persistent prompt windows are usually only done when the user is being prevented from accessing something further, but here we aren't really. A more logical approach seems to be to either not keep toggling the password input window when the user has explicitly clicked on Cancel, or more preferably, to just close Thunderbird altogether.