Closed Bug 224080 Opened 21 years ago Closed 20 years ago

Ability to have master password for password store missing

Categories

(Thunderbird :: Preferences, defect)

Not set
normal

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: moz-bugzilla2, Assigned: mscott)

Details

(Keywords: privacy)

This seems to be a Mozilla Mail parity issue. Thunderbird doesn't seem to allow
storing a master password before allowing use or storing of stored account
passwords.

This is the bug / RFE I was looking for!  In general Thunderbird 0.3 seems to 
contain all of the Mozilla 1.4 or 1.5 features related to mail and news with 
improved system integration.  It is possible the lack of master password 
support is hidden in one of the Thunderbird extensions (such as Enigmail) but 
using such an extension seems like the sledgehammer approach if you never 
encrypt email (I don't).  Nonetheless, I would be interested to learn that 
installing Enigmail restores master password support.  I would be *very* 
interested to learn master password support is actually available but buried 
or requiring some unusual preference setting.

A possibly related issue is the perceived lack of support for encrypting 
stored passwords.  Mozilla 1.4 (the last "trunk" version I used) included two 
options for protecting stored passwords, Thunderbird has one and I cannot find 
any information about the chosen approach.  Is it the most secure option?

It looks like in Moz you can use just a password or a security device and a
password? This seems like it should be visible and in the core product. While
the "IE generation" of users may not use it, it should be easily available and
accessible.

I view this as a major bug.

Can a target be assigned to this major issue?

Keywords: privacy

I believe you can have a master password, if you enable FIPS; see Tools |
Account settings | server | Security | Manage Security Devices.

Sorry for the delay in trying this out.  Clicking on "Enable FIPS" in the
security Device Manager dialog results in an error: "FIPS mode requires that you
have a Master Password set for each security device.  Please set the password
before trying to enable FIPS mode."

I first had to set the password for one of the security modules under the PKCS
#11 Module.  That module changed its name to "PSM Internal FIPS-140-1
Cryptography" when everything was done but started as "Software Security
Device".  While I may have been done at that point (doubtful), I was then able
to successfully enable FIPS.  Knowing that I have entered a master password, I
found it very surprising to be prompted for my IMAP account password when
starting Thunderbird.  All that seems to have changed is that I am also prompted
for my module master password before many actions complete.  Very annoying and
not particularly helpful since I am also (newly) prompted for some of my account
passwords as well.

I just disabled FIPS and am back to my server IMAP password acting somewhat like
a master password (unlocking my password for LDAP and SMTP as well) but with no
assurance my passwords are Blowfish encrypted.  I would say the original bug
stands: Thunderbird (now at 0.5) does not offer a master password that becomes a
single key to an encrypted database of account passwords.  The options also do
not let the user decide how often they should be prompted for their password
(master or otherwise) or how individual passwords should be stored (I believe it
was Blowfish or something minor before).

Thunderbird 1.0 has master password settings under advanced. Is this what you
were looking to have included?

(In reply to comment #7)
> Thunderbird 1.0 has master password settings under advanced. Is this what you
> were looking to have included?

I cannot speak for Steve but Thunderbird 1.0 meets my needs in this area.

This looks good. I'm not sure where/when it was addressed for the specific
patch, but WORKSFORME with 1.0.

Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME