Closed Bug 580589 Opened 14 years ago Closed 14 years ago

Master password: no possibility to hide passwords from user

Categories

(Thunderbird :: Security, defect)

x86
Windows XP
defect
Not set
major

Tracking

(Not tracked)

RESOLVED WONTFIX

People

(Reporter: netadmin, Unassigned)

Details

User-Agent:       Mozilla/5.0 (Windows; U; Windows NT 5.1; de; rv:1.9.2.7) Gecko/20100713 Firefox/3.6.7 ( .NET CLR 3.5.30729; .NET4.0E)
Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; en-US; rv:1.9.2.7) Gecko/20100713 Thunderbird/3.1.1

We use Thunderbird 2.0 here in our company and just recognized that there are no security patches available anymore.
While testing for migration to TB 3.x we found out that it no longer seems possible to hide the stored passwords in the password manager from our users.

Using TB 2, the ICTS staff is configuring the accounts, and the passwords are stored in Thunderbird so the users don't need to enter them - or even know them. To prevent the users from reading/knowing the passwords (which would allow them to get access to accounts by themselves even if they don't have the permission...) we configured a master password that is only asked for if you want to show the stored passwords in clear text, but not for accessing the mail accounts.

However, this seems not to be possible in TB 3.1.1: if you store the passwords they can be seen by the users, because they are either stored unencrypted or encrypted by the master password, which means that we have to give the master password to the user (if not, he cannot access his mail accounts) and then he can see the stored passwords...

Surely it is not possible to encrypt the passwords without asking for a credential (how did TB 2.0 do this??), but encryption is not so important for us - it is important to hide the passwords, so what we ask for is some functionality, probably different from password encryption, that provides a little bit of "security by obscurity".

We really hope that there is a way to get back the old functionality because if not, it will be a no-go to continue using Thunderbird and we will have to change our complete mail client infrastructure.

Reproducible: Always

Steps to Reproduce:
1. Store passwords in password manager
2. Set master password
3. The master password is asked for not only to see the passwords but also to access the mail accounts

Actual Results:
It is not possible to hide passwords from users in company rollouts

Expected Results:
Passwords should be hidden from the users and only accessible when entering a master password. However, there should be a possibility to store them in a way that Thunderbird can connect to the mail accounts without asking the user for the master password - even if that means the password is not encrypted but only hidden.

Should this be confirmed, the master password will turn out to be completely useless.

The master password already does not offer protection against malware, because the latter often installs a keylogger.

I too would prefer reverting to TB 2 behavior. Looks to me like TB 3 is a security back step.

(In reply to comment #0)
> Using TB 2, the ICTS staff is configuring the accounts, and the passwords are
> stored in thunderbird so they don´t need to enter - and even know - them. To
> prevent the users reading/knowing the passwords (which would allow them to get
> access to accounts by themselves even if they have not the permission...) we
> configured a master password that is only asked for if you want to show the
> stored passwords in clear text, but not for accessing the mail accounts.

To us, this sounds like you've implemented something that has a broken design. Requiring the users to have passwords to access email, but then not letting them know what those passwords are is unusual. Admittedly, we probably don't have all the background information here.

> Surely it is not possible to encrypt the passwords without asking for a
> credential (how did TB 2.0 this??), but encryption is not so important for us -
> it is important to hide the passwords so what we ask for is some functionality
> probably different from password encryption that provides a little bit
> "security by obscurity".

The way the password managers have been re-written means that this is no longer possible. We also don't feel that the requirement for this functionality is in sufficient demand that it will benefit a significant proportion of our users to make it worthwhile fixing in the core product. Therefore we're going to mark this as won't fix.

However, there are some ways we think you may be able to achieve your aim or find a solution:

- You may be able to write an add-on which works around the bits of functionality you don't want, e.g. hiding the show password options in the preferences.

- I'm told that the Kerberos protocol does something similar to what you want, so you may want to investigate that.

- We've recently set up a tb-enterprise mailing list. This is aimed at discussing deployment and configuration, and the people there may be able to help you find other easy solutions. See https://wiki.mozilla.org/Thunderbird/tb-enterprise for more information.

Status: UNCONFIRMED → RESOLVED
Closed: 14 years ago
Resolution: --- → WONTFIX