Closed
Bug 251190
Opened 20 years ago
Closed 19 years ago
Saved passwords accesible without any User identification
Categories
(Thunderbird :: Preferences, defect)
Tracking
(Not tracked)
VERIFIED
DUPLICATE
of bug 259996
People
(Reporter: johannesweinbrenner, Assigned: mscott)
Details
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.7) Gecko/20040707 Firefox/0.9.2 The reason for this report is, that I can access the passwords of my email accounts that I have saved by using the password manager without any prior identification though i have set up a master password and I'm not logged in to it, so anyone who has access to my PC could easily see my passwords. I just have to open the password manager and then select "Show Passwords" - I see them without entering any identification. I suggest either to completely remove the "Show Passwords" function or to improve the Password Manager regarding more easier control/implemention of the Master Password. Reproducible: Always Steps to Reproduce: 1. Open Password Manager 2. Click on "Show Passwords" Actual Results: I saw my saved passwords Expected Results: Demanding the master password prior of showing the saved passwords. I'm using Thunderbird 0.72 with the extensions "Quick Note", "Buttons!", "Contacts Sidebar", "adress context" and "no new window on double-click"
Comment 1•20 years ago
|
||
AFAIK in order to get asked for your Master Password you've to choose "Use encryption when storing sensitive data". Without encryption it's not possible to protect the data in the files on harddisk. So I guess protecting them in the TB UI would be at least useless if not dangerous because it gives a wrong feeling of security. But I agree that this should be made more clear.
I think its hasn't got sense, if I save password to make read mails easy, it is insecure, and if I "use master password to protect stored password" it ask me for that pass every time I open thunderbird and read mails, so It is the same to write my mail password or master password It could be fine If master password could be configurated to protect ONLY saved password, but It has not to be asked every time I open thunder and read mails.
Comment 3•20 years ago
|
||
I have this feeling this confusion is all due to allowing non-encrypted passwords to be stored when master password is set, in the first place. Is that combination of features valuable to some user somewhere? If not, it should be dropped.
Comment 4•19 years ago
|
||
*** This bug has been marked as a duplicate of 259996 ***
Status: UNCONFIRMED → RESOLVED
Closed: 19 years ago
Resolution: --- → DUPLICATE
You need to log in
before you can comment on or make changes to this bug.
Description
•