end-user security hints/help, particularly for master password wanted

Status: NEW
Assignee: Unassigned
Product: Thunderbird
Component: Security
Priority: --
Severity: enhancement
Reported: 8 years ago
Modified: 3 months ago

People

(Reporter: u235898, Unassigned)

Tracking

Firefox Tracking Flags

(Not tracked)

Details

(Reporter)

Description

8 years ago
User-Agent:       Mozilla/5.0 (X11; U; Linux x86_64; en-US; rv:1.9.1pre) Gecko/20090620 Shiretoko/3.5pre
Build Identifier: Mozilla/5.0 (X11; U; Linux i686 (x86_64); en-US; rv:1.9.1pre) Gecko/20090616 Lightning/1.0pre Shredder/3.0b3pre

Many end-users don't care much about how passwords are saved, therefore asking for a master password on the first "save password" check is quite OK, but in my opinion the account setup should guide users to this option too.

Reproducible: Always

Steps to Reproduce:
1. create an account (quick or traditional setup)
Actual Results:  
1. password is requested on first connect

Expected Results:  
- password might be entered on account setup too
- user should get guided to the "what is the master password" and "why is this useful" step before clicking *done*
Component: General → Security
QA Contact: general → thunderbird
Agreed, thanks for this report. Let's get this string fixed!

Here are some options:

1 "Save password"
2 "Saved this password"
3 "Remember password"
4 "Remember this password"

I like 3 the best, it's simple and similar to the wording used on other login systems.  In general I don't like the 'this' context as it just seems unnecessary but I put it in there because the current string uses that.
Status: UNCONFIRMED → NEW
Ever confirmed: true
(Reporter)

Comment 2

8 years ago
(In reply to comment #1)
> Agreed, thanks for this report. Lets get this string fixed!

mhh.. I'm not sure we're talking about the same thing...
Your comment seems to target a single text container in a dialog, but my request was to introduce a new front page for end-users in the account manager setup dialog for setting up the master password if there is none set but passwords are saved...

Anyway, I agree with your suggested text, which already seems to be used in the quick account setup.

Comment 3

8 years ago
I would like to add:
if a user has multiple authentications - with an external plugin like Lightning - what is the purpose of having a (one) master password?

Usually, users enter the same password for the master password. Then when a password gets changed, they are unable to perform the change operation in the bunch of passwords.

What we should have is like in TB2 an "encrypted/not-encrypted" password list with a very "silly" improved feature. To reverse from "encrypted" to "not-encrypted" the user should enter one valid password from his list - That's it!
Not having 1 master password (what for?) but having multiple de-"masking" password.
(Reporter)

Comment 4

8 years ago
(In reply to comment #3)
> I would like to add :
> if an user has multiple authentications - with external plugin like from
> Lightning, what is the purpose of having a (one) master password?
> 
> Usually, users enter the same password for the master password. Then when a
> password get changed, they are unable to perform the changing operation in the
> bunch of passwords.
> 
> What we should have is like in TB2 an "encrypted/not-encrypted" password list
> with a very "silly" improved feature. To reverse from "encrypted" to
> "not-encrypted" the user should enter one valid password from his list - That's
> it!
> Not having 1 master password (what for?) but having multiple de-"masking"
> password.

Hi Jean,

A master password is a key phrase for the crypto system the password list will be encrypted with.

The "purpose" is not to keep in mind all the different passwords needed for different Mail Accounts, Lightning Calendars, etc., but just ONE.

I'm not sure if you're familiar with encryption, but in my opinion it's impossible to (de/en)crypt something with a "bunch of passwords".
For security reasons, it might be important to use real encryption to avoid passwords being exposed by other system users or your "admin". Scrambling / masking passwords so that they are no longer human-readable in a txt file is not the same as encryption. There are different tools on the net like FirePassword that give kids the easy-to-use ability to "steal" passwords from a non-encrypted safe...
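An added example, not from this bug or from Thunderbird's own code, illustrating the distinction comment 4 draws between a "scrambled" password list whose unlocking key sits next to it on disk and a list encrypted under a key derived from a master password. It is stdlib-only Python: the cipher is an HMAC-SHA256 counter-mode keystream with an encrypt-then-MAC tag, standing in for the authenticated cipher a real client would use, and the master password is stretched with PBKDF2. The store layout, the function names and the sample accounts are constructed for the illustration and are not Thunderbird's format.

```python
"""Added example (hypothetical names, constructed data): key-next-to-data
"scrambling" versus encryption under a master-password-derived key."""
import hashlib
import hmac
import json
import secrets

BLOCK = 32  # one SHA-256 digest = one keystream block

# Constructed sample data, the kind of list a mail client keeps.
SAMPLE_ACCOUNTS = {
    "imap://mail.example.test": "correct horse",
    "caldav://cal.example.test": "battery staple",
}


def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 counter-mode keystream; the same call decrypts."""
    out = bytearray()
    for counter, start in enumerate(range(0, len(data), BLOCK)):
        ks = hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[start:start + BLOCK], ks))
    return bytes(out)


def scramble_store(accounts: dict) -> dict:
    """'No master password' model: the key that unlocks the data is written next to it."""
    key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    ct = _ctr_xor(key, nonce, json.dumps(accounts).encode())
    return {"key": key.hex(), "nonce": nonce.hex(), "data": ct.hex()}


def unscramble_store(blob: dict) -> dict:
    """Whoever can read the file has everything needed; no secret is asked for."""
    pt = _ctr_xor(bytes.fromhex(blob["key"]), bytes.fromhex(blob["nonce"]),
                  bytes.fromhex(blob["data"]))
    return json.loads(pt)


def _derive_keys(master_password: str, salt: bytes) -> tuple:
    """PBKDF2-HMAC-SHA256 stretches the master password into an encryption key and a MAC key."""
    km = hashlib.pbkdf2_hmac("sha256", master_password.encode(), salt, 200_000, dklen=64)
    return km[:32], km[32:]


def encrypt_store(accounts: dict, master_password: str) -> dict:
    """Master-password model: only salt, nonce, ciphertext and tag reach the disk."""
    salt, nonce = secrets.token_bytes(16), secrets.token_bytes(16)
    enc_key, mac_key = _derive_keys(master_password, salt)
    ct = _ctr_xor(enc_key, nonce, json.dumps(accounts).encode())
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()  # encrypt-then-MAC
    return {"salt": salt.hex(), "nonce": nonce.hex(), "data": ct.hex(), "tag": tag.hex()}


def decrypt_store(blob: dict, master_password: str) -> dict:
    """Verify the tag first; a wrong master password is rejected, never decrypted to garbage."""
    salt, nonce, ct = (bytes.fromhex(blob[k]) for k in ("salt", "nonce", "data"))
    enc_key, mac_key = _derive_keys(master_password, salt)
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, bytes.fromhex(blob["tag"])):
        raise ValueError("wrong master password or tampered store")
    return json.loads(_ctr_xor(enc_key, nonce, ct))


def key_material_on_disk(blob: dict) -> bool:
    """Audit check: does the stored file itself carry the key that decrypts it?"""
    return "key" in blob


if __name__ == "__main__":
    scrambled = scramble_store(SAMPLE_ACCOUNTS)
    print("scrambled store carries its key:", key_material_on_disk(scrambled))
    print("read back without any secret:", unscramble_store(scrambled))
    locked = encrypt_store(SAMPLE_ACCOUNTS, "my master password")
    print("encrypted store carries its key:", key_material_on_disk(locked))
    print("read back with master password:", decrypt_store(locked, "my master password"))
```

The audit check `key_material_on_disk` is the practical takeaway: if the file holding the password list also holds the key that decrypts it, read access to the file is sufficient to recover every password, which is the exposure to other system users or an administrator that comment 4 describes. With a master password, the file yields only a salt, ciphertext and tag, and a wrong password fails the tag check instead of producing output.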

Updated

3 months ago
See Also: → bug 306730
Summary: More end-user security hints, particularly for master password wanted → end-user security hints/help, particularly for master password wanted