Closed Bug 231261 Opened 21 years ago Closed 15 years ago

RFE: Lockout with Master Password Authentication


(Thunderbird :: Mail Window Front End, defect)

Not set


(Not tracked)



(Reporter: raccettura, Unassigned)


Email is typically considered a very private thing.

Mozilla/Thunderbird has a password manager, that can require a password to
retrieve mail, and digitally sign.  But even if you don't enter that password,
you can still use the app and browse what's downloaded, or in the sent folder.  

A better behavior to keep curious eyes out, is the option to require the master
password for the password manager on startup.  If correct, then no passwords
required to do anything when logged in (provided Mozilla/Thunderbird knows
them).  On fail.  Close the App.

IIRC Netscape 4.x had this functionality.  If you used PKCS#11 module to secure it.

Granted, the data files are still in the profile folder, and insecure (there is
a bug to encrypt them I believe). 

The advantage of doing this is:
-  One password on load, and it's a fluent app, no need to enter password to
recieve, send, sign/encrypt.  1 password.
-  Better security against curious eyes.
-  Combined with Bug 184947, it would provide a much enhanced security model for
Thunderbird in particular.  

For example, my thinkpad has one of those embedded security chips.  I could
easily attach a fingerprint auth device such as
(, and hook that up to
IBM's embedded security software.  And sue that PKCS#11 module in Thunderbird. 
I would then require a fingerprint to get into mail.  Rather than use a password.

More secure, and much simpler, and flexible.
Would be very usefull if mutliple people are using thunderbird on the same pc,
and still want their private profile.
Could be related to Bug 16489
QA Contact: front-end
Assignee: mscott → nobody
fixed I think with bug 239131 in TB3.  (but app is not closed on failed pwd)
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.