Closed Bug 365279 Opened 18 years ago Closed 15 years ago

Thunderbird allows setting master password when it's not enabled

Categories

(Thunderbird :: Preferences, defect)

defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 3.0b2

People

(Reporter: dbaron, Unassigned)

Details

(Keywords: privacy, ue, uiwanted, Whiteboard: [fixed by bug 239131])

Thunderbird allows setting a master password even when the master password feature is not enabled. This can confuse users into thinking that they have a master password when they do not. (I was just confused in this way, and saved a bunch of passwords to disk without the protection of the master password. But I realized it after I restarted Thunderbird and had the password dialog prefilled before I'd entered my master password.) Firefox's pref dialog does not have this problem.

Steps to reproduce:
 1. start Thunderbird on a clean profile
 2. Edit -> Preferences -> Privacy -> Passwords
 3. click "Set Master Password" and set a password

Actual results:  A master password has been set, but is not enabled.

Expected results:  Either (a) "Set Master Password" is not enabled when the checkbox above it is not checked, or (b) the user interface is reworked to avoid having a checkbox.  I think I prefer (b).

Bug observed in:  Thunderbird 2.0 Linux nightly 20061228 (1.8 branch).
Summary: Thunderbird allows setting master password when it'snot enabled → Thunderbird allows setting master password when it's not enabled
So, say we remove the checkbox, and then someone does just what I did: imports a signing cert, gets prompted to create a master password to use with it, without having previously created a master password in our no-checkbox password UI. Is there a callback out of PSM when someone creates a master password, which we can use to force password encryption to give them a nice little surprise the next time they restart (and every time thereafter)? For that matter, what happens in Firefox's UI and password manager if, without first creating a master password for password encryption, you import a client SSL cert and create a master password for it? Do your passwords get encrypted, like it or not, or (and I strongly suspect this is the answer) do you get into a state where you are not allowed to encrypt passwords, because the UI thinks they're encrypted because you have a master password?
The same happens for current trunk builds. I ran a test with version 3.0a1pre (2007112104) on Windows.

It's the same behavior the other way around. You can click on "Use master password" without specifying a master password. In that case it is also not enabled. Passwords can be viewed without entering the master password.

If either one of these two preferences is set, the other one also has to be set. Clicking on "Use master password" should bring up the "Set master password" dialog, or, if you set a master password, the feature should be automatically enabled.

If you click the checkbox to remove the master password, the "Remove master password" dialog has to be opened. If the user enters the correct data, both prefs have to be reset. The same thing should happen if you click on "Remove master password".

It seems that both preferences aren't synced for Thunderbird while it works perfectly for Firefox.
OS: Linux → All
Hardware: PC → All
Version: 2.0 → Trunk
Assignee: mscott → nobody
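The two mismatched states described in the report and in the comment above, as an added model that is not Thunderbird's code and not part of the original thread: it walks every state reachable from a clean profile, first with the independent controls and then with the coupled behaviour the comment proposes. The state fields and function names are hypothetical.

```javascript
// Added model, not Thunderbird code. All names here are hypothetical.
// checkbox: the "Use master password" preference shown in the UI.
// hasPassword: whether a master password has actually been set.
const CLEAN_PROFILE = { checkbox: false, hasPassword: false };

// Behaviour reported in this bug: each control changes only its own state.
const UNSYNCED_UI = {
  toggleCheckbox: (s) => ({ ...s, checkbox: !s.checkbox }),
  setPassword: (s) => ({ ...s, hasPassword: true }),
  removePassword: (s) => ({ ...s, hasPassword: false }),
};

// Behaviour proposed in the comment: every action moves both together
// (assumes the user completes the dialog that the action opens).
const SYNCED_UI = {
  toggleCheckbox: (s) =>
    s.checkbox ? { checkbox: false, hasPassword: false }
               : { checkbox: true, hasPassword: true },
  setPassword: () => ({ checkbox: true, hasPassword: true }),
  removePassword: () => ({ checkbox: false, hasPassword: false }),
};

const key = (s) => `checkbox=${s.checkbox},hasPassword=${s.hasPassword}`;

// Breadth-first search over every state reachable from a clean profile.
// Returns the sorted keys of states where the two values disagree.
function reachableInconsistentStates(ui) {
  const seen = new Map([[key(CLEAN_PROFILE), CLEAN_PROFILE]]);
  const queue = [CLEAN_PROFILE];
  while (queue.length > 0) {
    const state = queue.shift();
    for (const action of Object.values(ui)) {
      const next = action(state);
      if (!seen.has(key(next))) {
        seen.set(key(next), next);
        queue.push(next);
      }
    }
  }
  return [...seen.values()]
    .filter((s) => s.checkbox !== s.hasPassword)
    .map(key)
    .sort();
}

console.log("unsynced:", reachableInconsistentStates(UNSYNCED_UI));
console.log("synced:  ", reachableInconsistentStates(SYNCED_UI));
```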
Is this something we could take into account for Tb3? It's really confusing behavior for users who enable this feature.
Flags: wanted-thunderbird3?
This has already been fixed for TB 3 by the recent password manager changes in bug 239131.
Status: NEW → RESOLVED
Closed: 15 years ago
Flags: wanted-thunderbird3? → wanted-thunderbird3+
Resolution: --- → FIXED
Whiteboard: [fixed by bug 239131]
Target Milestone: --- → Thunderbird 3.0b2