Closed
Bug 224080
Opened 21 years ago
Closed 20 years ago
Ability to have master password for password store missing
Categories
(Thunderbird :: Preferences, defect)
Tracking
(Not tracked)
RESOLVED
WORKSFORME
People
(Reporter: moz-bugzilla2, Assigned: mscott)
Details
(Keywords: privacy)
This seems to be a Mozilla Mail parity issue. Thunderbird doesn't seem to allow storing a master password before allowing use or storing of stored account passwords.
This is the bug / RFE I was looking for! In general Thunderbird 0.3 seems to contain all of the Mozilla 1.4 or 1.5 features related to mail and news with improved system integration. It is possible the lack of master password support is hidden in one of the Thunderbird extensions (such as Enigmail) but using such an extension seems like the sledgehammer approach if you never encrypt email (I don't). Nonetheless, I would be interested to learn that installing Enigmail restores master password support. I would be *very* interested to learn master password support is actually available but buried or requiring some unusual preference setting. A possibly related issue is the perceived lack of support for encrypting stored passwords. Mozilla 1.4 (the last "trunk" version I used) included two options for protecting stored passwords, Thunderbird has one and I cannot find any information about the chosen approach. Is it the most secure option?
Comment 2•21 years ago (Reporter)
It looks like in Moz you can use just a password or a security device and a password? This seems like it should be visible and in the core product. While the "IE generation" of users may not use it, it should be easily available and accessible.
Comment 3•21 years ago
I view this as a major bug.
Comment 5•21 years ago
I believe you can have a master password, if you enable FIPS; see Tools | Account settings | server | Security | Manage Security Devices.
Sorry for the delay in trying this out. Clicking on "Enable FIPS" in the security Device Manager dialog results in an error: "FIPS mode requires that you have a Master Password set for each security device. Please set the password before trying to enable FIPS mode." I first had to set the password for one of the security modules under the PKCS #11 Module. That module changed its name to "PSM Internal FIPS-140-1 Cryptography" when everything was done but started as "Software Security Device". While I may have been done at that point (doubtful), I was then able to successfully enable FIPS. Knowing that I have entered a master password, I found it very surprising to be prompted for my IMAP account password when starting Thunderbird. All that seems to have changed is that I am also prompted for my module master password before many actions complete. Very annoying and not particularly helpful since I am also (newly) prompted for some of my account passwords as well. I just disabled FIPS and am back to my server IMAP password acting somewhat like a master password (unlocking my password for LDAP and SMTP as well) but with no assurance my passwords are Blowfish encrypted. I would say the original bug stands: Thunderbird (now at 0.5) does not offer a master password that becomes a single key to an encrypted database of account passwords. The options also do not let the user decide how often they should be prompted for their password (master or otherwise) or how individual passwords should be stored (I believe it was Blowfish or something minor before).
Comment 7•20 years ago
Thunderbird 1.0 has master password settings under advanced. Is this what you were looking to have included?
(In reply to comment #7)
> Thunderbird 1.0 has master password settings under advanced. Is this what you
> were looking to have included?

I cannot speak for Steve but Thunderbird 1.0 meets my needs in this area.
Comment 9•20 years ago (Reporter)
This looks good. I'm not sure where/when it was addressed for the specific patch, but WORKSFORME with 1.0.
Status: NEW → RESOLVED
Closed: 20 years ago
Resolution: --- → WORKSFORME