Closed Bug 233410 Opened 21 years ago Closed 16 years ago

Thunderbird password manager does not ask for master password but still logs in to IMAP and POP3

Categories

(Thunderbird :: Preferences, defect)

x86
Windows 2000
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WORKSFORME

People

(Reporter: jneuhalfen, Unassigned)

Details

User-Agent:
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.0; en-US; rv:1.5) Gecko/20031007 Firebird/0.7

When I start Thunderbird my eMail is checked automatically. This is exactly what I want but I do not get asked for the master password. To me it seems that Thunderbird "bypassed" the password (and from that I assume that thunderbird does not _encrypt_ but _obscurify_ the passwords :-( )

I understand that my passwords are stored in the "Software Security Device". I can log in there with my password.

This bug is not filed under NSS because NSS as a library works in all other applications so I assume the problem is with thunderbird. I file this bug as major because it is a major security problem.

BTW: I have Firebird 0.7 running and using the same password for the password manager.

PS: I _love_ thunderbird :-)

Reproducible: Always

Steps to Reproduce:
0.1. Tell thunderbird to remember passwords
0.2. Get the email to store the password
0.3. close thunderbird
1. Open thunderbird - my email gets retrieved from the server

Actual Results:
No "Password for security device" question

Expected Results:
I expect thunderbird to ask me for my password.
Are you sure you set one? Master PWD works great here. There is no way we can get passwords out of the password database if you set a master password. We can't decrypt them without it. It's quite possible your PWD is set to blank or empty string.
Hi Scott, thank you for your quick reply :-). I made sure that neither Thunder- nor Firebird nor Mozilla were running, then I started Thunderbird. The first thing it does is to check my eMail, then I took some "screenshots" (see below).

> .... There is no way we can get passwords out of the
> password database if you set a master password. ...

How can I enable the master-password? I thought that it was enabled by assigning a password to the "Software Security Device" (as it works in Firebird). The master-password is 9 characters, mixed numbers, alpha and "special chars". It is the same password used in firebird.

********************************************
A/B/C means: follow options named A B, then C
[BLA] means: Screen with the caption BLA

*
* Manage passwords
*
Tools/Options/Advanced/Manage Passwords

[Password Manager]
Password Manager has saved login information for the following sites

|Site                             | Username   |
-----------------------------------------------+
| imap://JNeuhalfen@mail.akkaya.de | JNeuhalfen |
| mailbox://1234567@mail.gmx.net   | 1234567    |
| smtp://1234567@mail.gmx.net      | <>         |
+----------------------------------------------+

*
* Account-options
*
Tools/Account Settings/[Jneuhalfen@akkaya.de]/Security

[Security]
(no certificates selected)
Manage Security Devices

(I will write all enabled buttons right to the option)
If nothing is selected I can "Load" and "Enable FIPS"

[Device Manager]
* NSS Internal PKCS #11 Module     Load Unload Enable_FIPS
+-- * Generic Crypto Subsystem     Status: "ready", Load, Enable_FIPS
+-- * Software Security Device     Status: "not logged in", LogIn, ChangePw Load, Enable_FIPS
* Builtin Roots module             Load, Unload, Enable_FIPS
+-- * Builtin Object Token         Status: "ready", Load, Enable_FIPS
I also encountered this with Thunderbird 0.5 on RedHat 8.

Steps to reproduce
1. Set a master password in Account Settings, Security, Manage Security Devices, Software Security Device
2. Download mail from a mailbox which prompts me for the mailbox password.
3. Enter mailbox password and select option to store password. (Mail retrieved)
4. Close TB
5. Start TB and retrieve mail from the mailbox in step 2.
6. Mail is retrieved without asking for master password.
7. Check software security device and it's not logged in, so it should've prompted for the master password.

Note: With TB 0.5 on Windows 2000, I don't have this problem. The master password behaves as expected.
(In reply to comment #3)
I "fixed" the problem by replacing the following files with the corresponding files from my Mozilla 1.4:
*.s
cert8.db
key3.db
secmod.db
Thunderbird (0.5) seems to prompt for master password only with ssl connections - at least when I tested, master password was not asked when I used imap server, but it was asked, when I changed it to simap. Another thing - password save files were identical, when there was no master password, and when there was master password set.
I found the answer here: http://forums.mozillazine.org/viewtopic.php?p=90423#90423

Any passwords which were stored *before* the master password was set will not be protected by it. The solution is to clear all your passwords (Tools -> Options -> Advanced -> Manage Stored Passwords -> Remove All), then ask for them to be remembered when they are next prompted for.

IMO this is a bug, as the user would logically assume that providing a master password protects all currently stored passwords.
(In reply to comment #6)
> protected by it. The solution is to clear all your passwords (Tools -> Options
> -> Advanced -> Manage Stored Passwords -> Remove All), then ask for them to be
> remembered when they are next prompted for.

Actually, I tried this and it didn't change anything. What did change, was when I added
user_pref("wallet.crypto", true);
to Thunderbird's prefs.js file (got it from link).
In reply to comment 6 and comment 7, setting everything up as described here and in the linked tips still does not get an IMAP account password stored correctly. To do that you must set mail.server.default.remember_password or mail.server.<server#>.remember_password (for the correct account) to true. Unfortunately, this change does not seem sufficient to prevent future prompts for that password.

The above addition and previously-described steps result in an immediate prompt for the master password when starting up and the password showing up (again, if you correctly cleared the stored passwords) in the "Manage Stored Passwords" dialogue. However, I am almost immediately prompted for the IMAP account password after entering the master password.

From the code in nsMsgAccountManager.cpp, nsImapIncomingServer.cpp and nsMsgIncomingServer.cpp (all in /mozilla/source/mailnews/base/src/ IIRC), the mail.password_protect_local_cache preference seems to have something to do with it though it may need to be both false and true to get reasonable master password behaviour with IMAP accounts. I cannot find the magic incantation to make the master password the only one I need when starting Thunderbird (version 0.7.2 (20040707) on Windows XP if it matters).

At least I can now get all of the IMAP, LDAP and SMTP passwords stored in encrypted form but, for the IMAP password only, this is not quite enough. For the LDAP and SMTP passwords, strangely, I am prompted for the master password far more often than I would expect.
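Added example (not part of the bug thread or of Thunderbird's code): a small check of a profile's prefs.js for the two preferences the comments above name, wallet.crypto and mail.server.<server#>.remember_password. The sample prefs.js text is constructed, and treating "passwords remembered while wallet.crypto is not true" as the condition to flag is an assumption based only on what the commenters report.

```python
import re

# Matches one line of prefs.js: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.*?)\s*\)\s*;\s*$')
REMEMBER_RE = re.compile(r'^mail\.server\.([^.]+)\.remember_password$')

# Constructed sample, not taken from any real profile.
SAMPLE_PREFS = '''\
# Mozilla User Preferences
user_pref("mail.server.default.remember_password", true);
user_pref("mail.server.server1.hostname", "mail.example.org");
user_pref("mail.server.server1.remember_password", true);
user_pref("mail.server.server2.remember_password", false);
'''

def parse_prefs(text):
    """Return {name: value} for every user_pref() line; other lines are skipped."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """Summarise the password-storage preferences discussed in the thread."""
    crypto = prefs.get("wallet.crypto") is True
    remembering = sorted(
        m.group(1) for name, value in prefs.items()
        if (m := REMEMBER_RE.match(name)) and value is True
    )
    return {
        "crypto_enabled": crypto,
        "remembering": remembering,
        # Assumption from the comments: passwords are remembered, but the pref
        # that made the master-password prompt appear is not set.
        "at_risk": bool(remembering) and not crypto,
    }

if __name__ == "__main__":
    print(audit(parse_prefs(SAMPLE_PREFS)))
```

To check a real profile, pass the contents of its prefs.js to parse_prefs() while Thunderbird is closed.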
There's obviously enough corroboration that there's at least a usability issue here, if not a bug or missing feature. Confirming.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Was able to reproduce this bug. Mac OS X 10.4.
QA Contact: preferences
Assignee: mscott → nobody
WFM on Linux 3.0b2pre, 2008-12-18 build.
Status: NEW → RESOLVED
Closed: 16 years ago
Resolution: --- → WORKSFORME