Disable password retention

  • 13 replies
  • 1 has this problem
  • 19 views
  • Last reply by Stans

more options

Thunderbird is on my laptop. If somebody defeats my lock screen (or if I have a negligent moment), I don't want just anybody who accesses my laptop to gain access to my email. It is a security concern (retired CISSP here). Thus, I want to disable password retention. What setting will accomplish that without manually going in at every logout to remove stored passwords? I plan to do some international travel, and the laptop will accompany me.

All Replies (13)

more options

It's not that I have anything of particular value on the machine, but someone posing as me, and employing my account might cause problems. Google has deemed it fit to employ the same password across multiple platforms, so exposure of an email password (show password) means a bad actor could post or make other commitments posing as my account (see Google Pay, for example).

more options

Don't get bogged down in Google Pay. I just need to disable password retention.

more options

Are you using the Primary Password feature? This adds encryption to your saved passwords on disk so that someone who is starting Thunderbird up from closed won't be able to check for or send new mail without knowing your PP. It also blocks "Show Passwords". More info on this feature: Protect your Thunderbird passwords with a Primary Password.

However, once you have entered the PP to initially unlock saved passwords, they stay unlocked, so if you stray from an unlocked screen, someone would be able to check for new email and send email. "Show Passwords" would still require re-entering the PP.

So that's something...

But to not save passwords, hmm. If you remove a password through the Preferences page (menu > Preferences > Privacy & Security > "Saved Passwords"), the next time you are prompted, is there an option whether to save or not, or does it auto-save?

more options

I don't consider a meta login credential that masks a login credential to be a solution for not storing a password. Importantly, that would increase the probability of forgetting the actual login credential underlying the meta login credential. "Here's the key to the bolt-on door lock on your front door so that you can keep your front door unlocked."

more options

You didn't answer the last question.

more options

No option to not save password is displayed when I delete saved passwords, and am prompted to re-enter during the subsequent access of my email account. I am not provided an apparent option to 'not save password' anywhere. This is the problem; T'bird insists upon password retention.

This prompts many concerns, such as the possibility that some form of diagnostics query from Mozilla might supply that password (so readily employed by the email client front end software to the email server back end), to a malicious actor or malware application bent upon password harvesting.

Does Mozilla harvest passwords? Likely, no. Could Mozilla harvest passwords, if it so chose? Mmmmmmmaybe.

This is the problem with cyber security training; you end up projecting what could be an issue based upon software performance characteristics.

more options

The option being referred to is available as a checkbox in the password prompt dialog (see red pointer in attached image). Is this option missing in the password prompt you're getting?

more options

Your user agent says you're running Windows 7. Is that so?

more options

Running Windows 7.

more options

No option to use Password Manager is displayed. I de-select, "Stay signed in," during the login process.

more options

The Primary Password is normally viewable at the Preferences > Privacy & Security page, under the section for passwords. This password must be manually entered every time you run TB and is intended to address your security concern.

more options

As stated earlier, adding another password doesn't address my security concern. From what I have seen so far, T'bird either compels me to manually delete the password on exit, but prefers to retain passwords indefinitely, which is clearly not security friendly.

more options

Iffy Droplight said

No option to use Password Manager is displayed. I de-select, "Stay signed in," during the login process.

That sounds like the OAuth2 sign in window. What gets saved in this case is not your Google account's password, but an OAuth2 token instead. It cannot be used like a normal password, even if someone were to access the token in Thunderbird's password manager. No, that sign in window has no option to NOT save/remember the password. It simply doesn't need one. If it'll give you some much needed comfort, you can change cookies retention settings so that cookies are kept until you close Thunderbird. Cookies are needed for OAuth2 authentication to work, just like signing in to your Google account via a browser. Get rid of the cookies and the signed in session is rendered invalid/useless. I would be more afraid of the unpatched security holes in Windows 7. Also, Thunderbird is open source, you can always inspect its source code for password harvesting routines.
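To check on a profile what the last reply describes (an OAuth2 token in the saved logins rather than an account password), the following added example, which is not part of the thread or of Thunderbird's code, lists the entries of a profile's `logins.json` by origin without decrypting anything. The origin schemes (`oauth://`, `imap://`, `smtp://`, `mailbox://`) and the sample data are assumptions constructed for illustration.

```python
import json
import sys
from urllib.parse import urlsplit

# Constructed sample in the layout of a profile's logins.json. All values are
# fake; the encrypted fields are placeholders and are never decrypted here.
SAMPLE_LOGINS_JSON = """
{"logins": [
  {"hostname": "oauth://accounts.google.com", "httpRealm": "https://mail.google.com/",
   "encryptedUsername": "PLACEHOLDER", "encryptedPassword": "PLACEHOLDER"},
  {"hostname": "imap://mail.example.org", "httpRealm": "imap://mail.example.org",
   "encryptedUsername": "PLACEHOLDER", "encryptedPassword": "PLACEHOLDER"},
  {"hostname": "smtp://mail.example.org", "httpRealm": "smtp://mail.example.org",
   "encryptedUsername": "PLACEHOLDER", "encryptedPassword": "PLACEHOLDER"}
]}
"""

# Assumption: origin schemes under which mail-server passwords are saved.
PASSWORD_SCHEMES = {"imap", "smtp", "mailbox"}


def classify(entry):
    """Label one saved-login entry by the scheme of its origin."""
    scheme = urlsplit(entry.get("hostname", "")).scheme.lower()
    if scheme == "oauth":
        return "oauth2-token"
    if scheme in PASSWORD_SCHEMES:
        return "account-password"
    return "other"


def audit(logins_json_text):
    """Return (origin, realm, kind) for every saved entry; nothing is decrypted."""
    data = json.loads(logins_json_text)
    return [(e.get("hostname", ""), e.get("httpRealm"), classify(e))
            for e in data.get("logins", [])]


def stores_account_password(report):
    """True if any saved entry is a mail-server password rather than a token."""
    return any(kind == "account-password" for _, _, kind in report)


if __name__ == "__main__":
    # Pass the path to a profile's logins.json, or run with no argument for the sample.
    text = open(sys.argv[1], encoding="utf-8").read() if len(sys.argv) > 1 else SAMPLE_LOGINS_JSON
    report = audit(text)
    for origin, realm, kind in report:
        print(f"{kind:17} {origin}  (realm: {realm})")
    print("account password on disk:", stores_account_password(report))
```

An account that signs in only through the OAuth2 window should show `oauth2-token` entries and no `account-password` entry for that provider.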