Closed Bug 542787 Opened 15 years ago Closed 15 years ago

The password requested when TB starts should not be the same password used to reveal mail account passwords

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Platform:
x86
Linux
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED DUPLICATE of bug 560746

People

(Reporter: cuisineconcepts, Unassigned)

Details

User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.2.0) Gecko/20100115 SUSE/3.6.0-1.2 Firefox/3.6 Build Identifier: Mozilla/5.0 (X11; U; Linux i686; en-GB; rv:1.9.1.5) Gecko/20091130 SUSE/3.0.0-1.1.1 Lightning/1.0b2pre Thunderbird/3.0 In TB 3.0 if a master password is set to protect the mail account passwords, this password is also requested at TB start-up. This is bad for security. I can see the benefit of using a password on start-up to TB but this password should not be the same password (master password) to reveal the mail account passwords. We have a number of off-site staff that are not given the passwords to specific mail accounts but now with the way TB3.0 works they can easily see the passwords by using the master password. The password to reveal the mail account passwords should be independent of any other passwords or authentication requirements. Reproducible: Always Steps to Reproduce: 1.Set master password. 2.Restart TB. Master password is requested. 3.Use same password to reveal account passwords. Expected Results: The password requested at TB start up should be different from the password that protects the account passwords.
Summary: The password requested when TB starts should not be the same password used to display mail account passwords → The password requested when TB starts should not be the same password used to reveal mail account passwords
Every Mail client must know the mailserver-passwords as clear text. The passwords must be stored somewhere as clear text on the hdd if you select to store passwords. That is not very secure because someone could steal your passwords from the hdd. For that case you can select to encrypt the stored passwords. The passwords are encrypted with the masterpassword key that you can select. The masterpassword can be any passowrd you want and it can be the same password as one of the mail accounts if you want it. There is no password for the Thunderbird startup but you get a Masterpassword prompt if let Thunderbird check the Mail Accounts at startup. What is your problem ?
I agree with what you're saying. My point is that TB asks for the master password when it checks the mail accounts at start-up which is the same password required to reveal (or decrypt) all the mail account passwords. We don't necessarily want some of our staff to know what all the mail account passwords are. But since they have the master password (because they require it for TB to check mail at start-up) they can also reveal all the mail account passwords. My point is that these two passwords should be different. If you want to ask for authentication for TB to check mail then it should be independent of the master password used to reveal mail account passwords. If having two different passwords is not favoured then at least the option to not prompt for the password at TB start-up should be provided whilst still maintaining the requirement of the master password to reveal the mail account passwords. So in other words like it was with TB2.
>I agree with what you're saying. My point is that TB asks for the master >password when it checks the mail accounts at start-up which is the same >password required to reveal (or decrypt) all the mail account passwords. Yes, it's of course the same password. Checking Mails means TB must decrypt the passwords because the mail server can request a password as clear text and that means that TB must know the password. That is different as for example a OS login. In the os login case you don't need to know the clear text password if you want to compare the user input and the stored password. There is no way for a second password, how should that work in a secure way ? You can always take the password database file from the hdd and decrypt it with an external tool if you know the masterpassword. And as USer you can always read the password file.
OK, but in TB2 it worked the same didn't it - i.e. the master password was used to decrypt the mail account passwords? The difference was that you were not prompted for the password when TB started up and checked mail. Why was this introduced in TB3? It just doesn't make that much sense to me to change the way it worked in TB2 as it doesn't offer any benefit to the user as it is now. Maybe I'm missing something here.
TB2 must ask for a Masterpassword if one is set and TB connects to a server. There is no other way how it could work.
Yes I know. I'm sorry but I think you may be missing my point. What I'm trying to say is that TB2 (for me anyway) DID NOT request the master password from just to check e-mail or remote calendars at start up or any time. And yes the master password was set. It only asked for the master password if I wanted to reveal the mail account passwords. In TB3 it works differently, because it TB3 now asks for the master password from me before it checks for mail or remote calendars. That part about asking the user for the master password before checking emails is something new added in TB3.
(In reply to comment #6) > In TB3 it works differently, because it TB3 now asks for the master password > from me before it checks for mail or remote calendars. That part about asking > the user for the master password before checking emails is something new added > in TB3. We've just fixed that for the TB 3.1 builds, and it will be in TB 3.1 beta 2. I'm marking this as a duplicate of that bug, because with your explanation they sound like pretty much the same thing.
Status: UNCONFIRMED → RESOLVED
Closed: 15 years ago
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.