Closed Bug 251190 Opened 20 years ago Closed 19 years ago

Saved passwords accessible without any User identification

Categories

(Thunderbird :: Preferences, defect)

x86
Windows XP
defect
Not set
normal

Tracking

(Not tracked)

VERIFIED DUPLICATE of bug 259996

People

(Reporter: johannesweinbrenner, Assigned: mscott)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2

The reason for this report is that I can access the passwords of my email
accounts that I have saved by using the password manager without any prior
identification, though I have set up a master password and I'm not logged in to
it, so anyone who has access to my PC could easily see my passwords.

I just have to open the password manager and then select "Show Passwords" - I
see them without entering any identification.

I suggest either to completely remove the "Show Passwords" function or to
improve the Password Manager regarding easier control/implementation of the
Master Password.

Reproducible: Always
Steps to Reproduce:
1. Open Password Manager
2. Click on "Show Passwords"


Actual Results:  
I saw my saved passwords

Expected Results:  
Demanding the master password prior to showing the saved passwords.

I'm using Thunderbird 0.72 with the extensions "Quick Note", "Buttons!",
"Contacts Sidebar", "adress context" and "no new window on double-click"

AFAIK in order to get asked for your Master Password you have to choose "Use
encryption when storing sensitive data".
Without encryption it's not possible to protect the data in the files on the
hard disk. So I guess protecting them in the TB UI would be at least useless if
not dangerous because it gives a wrong feeling of security.

But I agree that this should be made more clear.

I think it doesn't make sense: if I save the password to make reading mail easy,
it is insecure, and if I "use master password to protect stored password" it asks
me for that password every time I open Thunderbird and read mail, so it is the
same to type my mail password or the master password.

It could be fine if the master password could be configured to protect ONLY
the saved passwords, but it should not be asked for every time I open
Thunderbird and read mail.

I have this feeling this confusion is all due to allowing non-encrypted
passwords to be stored when master password is set, in the first place. Is that
combination of features valuable to some user somewhere? If not, it should be
dropped.

*** This bug has been marked as a duplicate of 259996 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
v.
Status: RESOLVED → VERIFIED