gunwald
Strollin' around
Status: Trending idea

Unfortunately, Thunderbird still saves all passwords as plain text, which puts them at risk to anyone who has access to your computer. While there is an option to use a master password, it is not commonly used and does not integrate seamlessly with the operating system you are using.

19 Comments
Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

crazybyte
Making moves

This is similar to, but not the same as, this idea. Both ideas can definitely be integrated with the Secret Service Provider protocol.

Status changed to: Trending idea
Jon
Community Manager

Hey all,

This idea is now a “Trending idea” here on Mozilla Connect, which means it’s one step closer to reaching our internal teams for review—learn more about The Idea Journey.

Please keep the conversation going (the more details to support your case, the better) and stay tuned for updates 😀

Ford_Prefect
Making moves

I disagree with a forced storage within the OS. Having had a similar situation with Android, nothing is more frustrating than not being able to retrieve the passwords later. The advantage of software-level storage should not be undervalued.

crazybyte
Making moves

I'm not sure what kind of setup you have; if the OS doesn't allow you to safely access your secrets, then I would complain to them. If you check the idea I explained here, you'll see I proposed to use the Secret Service Provider protocol. Since it's a standard protocol, it allows you to use whatever password manager you prefer (as long as it complies with this standard protocol) and there are lots of products you can choose from.

MattAuSupport
Familiar face

This topic is predicated on Thunderbird saving passwords as plain text. It does not, so I see nothing happening here at all.

Recent changes see the entry of an operating system authentication to view passwords in the user interface. If your operating system has no security, then neither will Thunderbird with regard to that. But that is how it should be. Operating systems provide user account security. Not applications. Despite many suggesting they want it on shared devices. Shared devices also have user accounts as well and folk should be using them.

FirefoxEnjoyer
Familiar face

I have 2 words for you: Password Managers, and there are 2 FOSS ones, "KeePassXC" and "Bitwarden". I don't ever save passwords in my browser; in fact, you're not supposed to, because hackers will easily get access to them if they infect your computer with malware.

I mostly use "KeePassXC" over "Bitwarden" since it doesn't store anything in the cloud and it only saves locally. There is a way to integrate it into Firefox and other browsers; it's much safer this way.

Thomas_DC
Making moves

Hi 🙂

Does this site concern both Firefox and Thunderbird, not only Firefox?

On my side, I confirm that using the OS password manager is a must, for both Firefox and Thunderbird.

Thomas_DC
Making moves

@MattAuSupport You say that Thunderbird does not save passwords as plain text.

Could you explain, please?

moz_samri
Making moves

As a heavy FF.SYNC user, the obvious solution to me is to consider integrating SYNC into tBird.
However, SYNC and bookmarking meta-data have some issues, as I have addressed in other posts.

tBird would add additional meta-data specific to mail concepts. Thus I suggest a group be formed to address multiple concerns regarding upgrading the SYNC capability to address meta-data in a longer-range, more abstract architecture.

HyperCriSiS
New member

This is quite a heavy security issue. I wonder why this has been open for such a long time?

MattAuSupport
Familiar face

@HyperCriSiS Probably because the whole thing is based on a false premise, that passwords are stored as unencrypted text.

@Thomas_DC Passwords are stored in the user file in an encrypted state. If you set a primary password, then the only one that knows the encryption key is you. By default, the key is stored in the profile with the passwords, so security is only as good as the physical security of the hardware. Once a primary password is set then the passwords are encrypted using the primary password as the key.

See https://support.mozilla.org/kb/protect-your-thunderbird-passwords-primary-password

@moz_samri Work on sync is being undertaken under the general umbrella of this bug: https://bugzilla.mozilla.org/show_bug.cgi?id=446444 (look to the Depends: bug numbers for individual components of the whole).

You might also want to be involved in the testing of the feature as it goes through the beta process.
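
Added example, not part of the original thread and not Thunderbird's code: a simplified Python model of the two storage modes described in the post above (key kept in the profile by default, key derived from a primary password otherwise). The cipher is a toy HMAC-based construction and every name here (`make_profile`, `read_login`, the dictionary fields) is an assumption for illustration; it does not reflect Thunderbird's real file format.

```python
import hashlib
import hmac
import os

def _stream(key, nonce, n):
    # Toy keystream: HMAC-SHA256 in counter mode (illustration only).
    out, i = b"", 0
    while len(out) < n:
        out += hmac.new(key, b"ks" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        i += 1
    return out[:n]

def seal(key, plaintext):
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    tag = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(key, blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    good = hmac.new(key, b"tag" + nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, good):
        raise ValueError("wrong key or corrupted data")
    return bytes(a ^ b for a, b in zip(ct, _stream(key, nonce, len(ct))))

def _derive(primary_password, salt):
    # Key exists only while the user supplies the primary password.
    return hashlib.pbkdf2_hmac("sha256", primary_password, salt, 200_000)

def make_profile(mail_password, primary_password=None):
    """Model of a profile directory as a dict of stored fields."""
    salt = os.urandom(16)
    if primary_password is None:
        key = os.urandom(32)
        stored_key = key            # default mode: key sits beside the ciphertext
    else:
        key = _derive(primary_password, salt)
        stored_key = None           # primary-password mode: key is never written
    return {"salt": salt, "stored_key": stored_key, "logins": seal(key, mail_password)}

def read_login(profile, primary_password=None):
    """What any process holding a copy of the profile can recover."""
    if profile["stored_key"] is not None:
        key = profile["stored_key"]
    elif primary_password is not None:
        key = _derive(primary_password, profile["salt"])
    else:
        raise PermissionError("primary password required")
    return unseal(key, profile["logins"])
```

In the default mode the stored bytes are not plain text, yet the profile alone is enough to read them; in primary-password mode the same copy is useless without the password.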

majesticmini471
Familiar face

If they can ever be saved as 256-bit binary, or anything alike, then that is the best. Today's services and programs love to hack users' credits. Agree?

Thomas_DC
Making moves

@MattAuSupport wrote:

By default, the key is stored in the profile with the passwords, so security is only as good as the physical security of the hardware.

If I'm right, that's not plain text, but that's no more secure.

So, why do you say:

Probably because the whole thing is based on a false premise, that passwords are stored as unencrypted text.

?

 

Thomas_DC
Making moves

How can I see which products this idea applies to?

Is it both Firefox and Thunderbird?