Closed Bug 383841 Opened 17 years ago Closed 16 years ago

Weak default authentication mode - using plain text passwords

Categories

(Thunderbird :: Preferences, defect)

Platform: x86, Linux
Type: defect
Priority: Not set
Severity: minor

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 221030

People

(Reporter: reisswolf_nospam, Unassigned)

Details

User-Agent:       Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.4) Gecko/20061201 Galeon/2.0.2 (Ubuntu package 2.0.2-4ubuntu1) Firefox/2.0.0.4 (Ubuntu-feisty)
Build Identifier: Version 1.5.0.12 (20070604)

Thunderbird uses plain text passwords by default, even if the server is capable of cram-md5 or some other secure mechanism. When starting TB for the first time, the account wizard doesn't even ask if one would like to use secure authentication. Therefore many unknowledgeable people use plain text passwords.

Instead, TB should turn 'secure authentication' on by default and maybe fall back to plain text if necessary. Perhaps a warning should be issued when passwords are going to be sent in the clear.



Reproducible: Always

Steps to Reproduce:
1. Install Thunderbird (or delete your user preferences)
2. Follow the account wizard
3. Enter your password as requested

Actual Results:
Password is sent in clear.

Expected Results:  
Password should be sent by a secure mechanism, if the server allows it.

Tested on Ubuntu Linux with an IMAP account on a Cyrus IMAP server.

Adding a "secure authentication" option is included in the account wizard redesign, as proposed in bug 221030. This is also related to bug 387421 for automatically probing the mail server capabilities during account setup.
Status: UNCONFIRMED → RESOLVED
Closed: 16 years ago
Resolution: --- → DUPLICATE
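The behaviour requested in this report (use a secure mechanism when the server advertises one, otherwise fall back to plain text with a warning), sketched as an added Python example that is not Thunderbird code and not part of the original bug. The function names, the preference order and the capability lines are assumptions made for illustration; the CRAM-MD5 response follows RFC 2195.

```python
import base64
import hashlib
import hmac

# Mechanisms that never put the password itself on the wire, most preferred
# first. The list and its order are assumptions of this example.
CHALLENGE_RESPONSE = ["SCRAM-SHA-256", "SCRAM-SHA-1", "CRAM-MD5"]


def parse_capability(line):
    """Split an untagged IMAP CAPABILITY response into (SASL mechs, other caps)."""
    tokens = line.upper().split()
    if tokens[:2] != ["*", "CAPABILITY"]:
        raise ValueError("not an untagged CAPABILITY response")
    mechs = {t[5:] for t in tokens[2:] if t.startswith("AUTH=")}
    others = {t for t in tokens[2:] if not t.startswith("AUTH=")}
    return mechs, others


def choose_auth(line, tls_active=False):
    """Return (method, warning). method is None when login must not proceed."""
    mechs, others = parse_capability(line)
    for mech in CHALLENGE_RESPONSE:
        if mech in mechs:
            return mech, None
    if tls_active:
        # The channel is encrypted, so a plaintext mechanism is acceptable.
        return ("PLAIN" if "PLAIN" in mechs else "LOGIN"), None
    if "LOGINDISABLED" in others:
        return None, "server refuses plaintext login on an unencrypted connection"
    return "LOGIN", "password will be sent in the clear"


def cram_md5_response(user, password, challenge_b64):
    """RFC 2195 reply: base64(user + ' ' + hex HMAC-MD5 keyed with the password)."""
    challenge = base64.b64decode(challenge_b64)
    digest = hmac.new(password.encode(), challenge, hashlib.md5).hexdigest()
    return base64.b64encode(f"{user} {digest}".encode()).decode()


if __name__ == "__main__":
    # Constructed capability lines, not captured from a real server.
    samples = [
        "* CAPABILITY IMAP4rev1 STARTTLS AUTH=CRAM-MD5 AUTH=PLAIN",
        "* CAPABILITY IMAP4rev1 AUTH=PLAIN",
        "* CAPABILITY IMAP4rev1 STARTTLS LOGINDISABLED",
    ]
    for s in samples:
        print(s, "->", choose_auth(s))
```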