Passwords not saved if mail.password_protect_local_cache is true

RESOLVED DUPLICATE of bug 340523

Status

defect

People

(Reporter: mozilla, Assigned: Bienvenu)

Tracking

x86
Windows XP


Details

(Reporter)

Description

12 years ago
Thunderbird 2.0.0.6

If you go into Tools -> Options -> Privacy -> Passwords -> Edit Saved Passwords and remove one or more passwords, you will lose the ability to save passwords for the accounts from which the password was deleted. For instance, if I had a saved POP3 password for foo.com, removing that password would cause the password dialog to appear at the next login attempt, but the prompt does not have the option to remember the password.

Comment 1

Is that host somehow on the "Passwords Never Saved" tab?

If so, delete it.

If that works, delete the saved password again and see if the act of deleting is what puts the host on the "Passwords Never Saved" list.

If so, mystery solved (I'd argue that's the wrong thing to do, but it must've been on purpose). If not, I'm not sure where to go from there.
Assignee: dveditz → nobody
Component: Security → General
QA Contact: thunderbird → general
(Reporter)

Comment 2

12 years ago
No, the host was not in the list of "Passwords never saved"; in fact, that list was empty. I've narrowed it down to a problem with "mail.password_protect_local_cache". If that is enabled (true), then this problem manifests; if it is set to "false", there is no problem.

Comment 3

David: any explanation behind bug 256082 comment 2 or the code at
http://bonsai.mozilla.org/cvsblame.cgi?file=mozilla/mailnews/base/util/nsMsgIncomingServer.cpp&rev=1.259&mark=740#733

What would requiring a password before showing local headers have to do with saving passwords for servers? I guess if you're not using a master password it would be pointless to use the password_protect_local_cache and save passwords, but anyone paranoid enough to find that hidden pref is most likely to use a master password or smart enough to figure out not to save passwords.
Assignee: nobody → bienvenu
Summary: Deleting Saved Passwords Removes Option to Remember Them → Passwords not saved if mail.password_protect_local_cache is true
(Assignee)

Comment 4

12 years ago
This feature was designed and implemented before master passwords existed, in the 4.x days (or if they existed, we didn't know about them :-) ). You're right that the master password stuff is a better alternative for this feature. But, for a large deployment, is it possible to use MCD or a custom install with overridden prefs to force master passwords for all users?

If a master password was set, we could change the implementation to require the user to enter the master password, assuming we can determine that in the code.
(Reporter)

Comment 5

12 years ago
I still can't understand what use it is to force the user into not remembering passwords with mail.password_protect_local_cache. At first glance it seems reasonable because, before master passwords, if a user has that pref set, and passwords are remembered, the effect is the same as having not set the pref at all (no prompt for password before displaying local cache). If we allow a user to disable mail.password_protect_local_cache, why don't we allow them to remember passwords while it is enabled? The effect is the same.

It seems like a waste of time to think of all the possible permutations and combinations of choices whereby a user can shoot themselves in the foot, and then actually spend programming cycles trying to prevent it. However, that being said, I think if it is really important to the developers to maintain this protection, perhaps it should be approached another way. Why not just have mail.password_protect_local_cache ignore saved passwords and prompt for them anyway?
(Assignee)

Comment 6

12 years ago
> If we allow a user to disable mail.password_protect_local_cache

With MCD, you can prevent users from disabling mail.password_protect_local_cache.

In any case, it's not absolute protection - it merely raises the bar for a snoop, and that's of value to some people.

I'm not saying this is the only, best implementation - I'm just explaining why it works the way it does. If someone has cycles to improve it, I'm all for it.
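
Added example, not part of the bug thread or Thunderbird's code: a small Python audit that resolves the effective value of mail.password_protect_local_cache from a profile's prefs.js and an administrator's autoconfig (MCD) file, and reports whether the pref is locked and whether the password prompt will offer to remember the password, as described in this bug. The function names, the built-in default of false, and the sample file contents are assumptions made for the example.

```python
import re

PREF = "mail.password_protect_local_cache"
BUILTIN_DEFAULT = False  # assumption: the pref ships disabled

# user_pref() lives in the profile's prefs.js; lockPref()/defaultPref()
# come from an administrator's autoconfig (MCD) .cfg file.
_CALL = re.compile(
    r'^[ \t]*(user_pref|lockPref|defaultPref)\(\s*"([^"]+)"\s*,\s*'
    r'(true|false|-?\d+|"[^"]*")\s*\)\s*;',
    re.MULTILINE,
)
_RANK = {"defaultPref": 1, "user_pref": 2, "lockPref": 3}

def parse_calls(text):
    """Return (setter, name, value) per pref call; // comment lines never match."""
    calls = []
    for setter, name, raw in _CALL.findall(text):
        if raw in ("true", "false"):
            value = raw == "true"
        else:
            value = raw[1:-1] if raw.startswith('"') else int(raw)
        calls.append((setter, name, value))
    return calls

def audit(prefs_js, autoconfig_cfg=""):
    """Resolve the effective value of PREF and the side effect this bug reports."""
    # Only user_pref() counts in prefs.js; only admin setters count in the .cfg.
    calls = [c for c in parse_calls(autoconfig_cfg) if c[0] != "user_pref"]
    calls += [c for c in parse_calls(prefs_js) if c[0] == "user_pref"]
    source, value, rank = "builtin", BUILTIN_DEFAULT, 0
    for setter, name, val in calls:
        if name == PREF and _RANK[setter] >= rank:
            source, value, rank = setter, val, _RANK[setter]
    return {
        "value": value,
        "source": source,
        "user_can_change": source != "lockPref",
        # Behaviour described in this bug report for Thunderbird 2.0.0.6.
        "remember_password_offered": value is not True,
    }

# Constructed sample inputs, not taken from a real profile.
SAMPLE_PREFS_JS = 'user_pref("mail.password_protect_local_cache", false);\n'
SAMPLE_CFG = '// first line of a .cfg file\nlockPref("mail.password_protect_local_cache", true);\n'

if __name__ == "__main__":
    print(audit(SAMPLE_PREFS_JS))
    print(audit(SAMPLE_PREFS_JS, SAMPLE_CFG))
```
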
(Reporter)

Comment 7

12 years ago
I don't want to seem obstructionist by neglecting to do any work, but I also don't want to donate my time improving a commercial product unless I receive some of the financial benefits realized from that work. I hope you all understand. Hopefully a paid developer will find this sometime and decide to work on it.

Thanks.
(Assignee)

Comment 8

12 years ago
I'm sorry, I really don't understand the tone or the content of that comment. I wasn't suggesting that you do it, and I apologize if I gave that impression. I meant exactly what I said - someone, not specifically you.
The usual reward for contributing to open source projects is that the bug that's annoying you is fixed rather sooner than if you wait for someone else to do it. Whether that trade-off is worthwhile is totally up to you.

No one's getting rich off Thunderbird. I'd be pleasantly surprised to find anyone breaking even on Thunderbird.
Status: NEW → RESOLVED
Last Resolved: 12 years ago
Resolution: --- → DUPLICATE
Duplicate of bug: 340523