Disable show password button
I have noted that thunderbird has a big bug or deficit. Most people don't know that to catch their password is a very very easy thing to do. Simply a person that have access to your computer can click on the Tools menu, select Options, Click the Security icon, Click the Passwords tab and Clink on show password!
So i think that this very important option may be choose on inserting the first password. Another problem is when i let to use an email address on a PC to a person (e.g. an employee) but i don't want that this person to know the password. in this case the "master password" become useless.
A strong security policy can be:
- if i use thunderbird the first time i can choose if i want to able to recovery my password in future or not (i.e. button enabled or disabled);
- if i want disable the "show password" button, i can do it and i shoud be alerted that i can't recover any password in future;
- if i want enable the "show password" button, i can do it but i have to insert all password again.
Can any developer do this optimization?
The issue is really serious for thunderbird security. see also the similar request below:
https://bugzilla.mozilla.org/show_bug.cgi?id=259996 https://bugzilla.mozilla.org/show_bug.cgi?id=274889 https://support.mozilla.org/it/questions/1027441 http://askubuntu.com/questions/36770/how-to-remove-show-passwords-option-in-thunderbird-preference http://forums.mozillazine.org/viewtopic.php?f=39&t=384058 http://kb.mozillazine.org/Restricting_user_actions_-_Thunderbird http://www.asktoourexpert.com/archive/855/how-to-hide-password-in-thunderbird.html
Modified by fedekikko89
All Replies (8)
Use the Master Password feature. You cannot 'show passwords' until after you re-enter the master password.
Even with the Master Password, a determined hacker, with access to your machine, can in time, break-in and view all of your sensitive information. Not even government agencies are totally secure.
Let's be reasonable You can put a ten thousand dollar secure locking system on your home that needs special magnetic keys and biometric sensors to unlock the doors; but, they can be defeated in less than a minute, by using a chainsaw to cut through an exterior wall, or in conjunction with a ladder, to come in through the roof.
TB-38.3 Win10-PC
Thanks for the answer, but i'm sorry if i cannot explain me enough. I don't mind the strongness of the Master Password, I don't need a prevention to an hacker and i don't work for a goverment agency. I wish only give an improvement to thunderbird that i like globally!
1) maybe only the 95% of the users really know that is very simply to catch their passwords. Now, I know how to steal password from all my friends PC and i'm not an haker.
2) also with the Master Password i don't protect my passwords from a "normal" user (not hacker) that is simply "user" and not "administrator" of the PC.
3) No one else program like Outlook, mailbird, android or apple mail clients has this dangerous feature "show passwords"!! (maybe there is a why)
Let's be reasonable (using the same example)
Pratically, now, i attach a sheet at the door marked "Please enter, the keys are under the doormat"!!
Modified by fedekikko89
lets look at this from a security perspective. No master password means your passwords are stored in plain text in the password file. So the least of your security concerns should be that show password button.
You may consider is a dangerous feature, but in reality is is not. Your drawing attention to the password storage in Outlook. How does that work exactly? Try this free tool on any system with outlook installed http://securityxploded.com/outlookpassworddecryptor.php YEp passwords. and they were so carefully hidden.
Security through obscurity is no security at all. it is more like the ostrich sticking it's head in the sand. You have an issue, use a master password and then the only one who can see your passwords is one who knows the master password.
1. You are right. Many people do not use the master password feature. They might be the only user to use that computer and feel that this security measure is not necessary, for them; or, they may not allow others to sit at their computer and access programs without supervision.
2. The master password only protects your log-in passwords. When you open the program, you will be asked for the master password.
It protects passwords from being shown to another user, or allowing another user to submit the stored username/password to gain access to a protected site or mail server. It does not protect your computer from being accessed by another user. It does not stop programs like Thunderbird from being used. As long as the program remains open, you may not be asked again for the master password. Close the program to enable the master password prompt the next time the program is opened.
BTW: A user can read any mail that you have already downloaded to your computer, but is prevented from sending or downloading new mail, as these actions require password access, which is denied until after the master password prompt is answered correctly.
3. Other programs may not allow a feature similar to the 'show passwords' button in Thunderbird, because they cannot adequately keep the information as secure as Thunderbird can. And there are the programs available to hackers...
TB-38.3 Win10-PC
Thank you for your answers. I already use Master Password and I understand its feature. I think that is very different situation between Thunderbird and Outlook softwares in this case: the first one, through itself, can show simply your password, the second one need to install an additional software to show your password. My observations want to be a contribution to an aware user experience with the consequence of a little improvment of security. Also i would solve my personal problem (that i think is not only mine): i like thunderbird and i want to use it at office instead of Outlook for my employees but this "show password" feature breaks me to do it. I would my employees use office mail only at work and i don't want let them know my passwords. Now, if they google "show hidden password thunderbird", they can do it independently from the Master Password and being or not administrator of the OS. Maybe, the first proposition in my question can help me. Do you agree with me?
I really can't see what you're trying to do here. Use the Master Password and then viewing stored passwords becomes non-trivial.
If you care about doing it properly:
- Set up a standardised installation and configuration that enables Master Password. Make it a dismissable "offence" to tamper with matters relating to the business's security.
- If you're having to share your own password with others (perhaps for access to an SMTP server for sending) , then your email arrangements are not adequate for your business needs. Get yourself an enterprise grade solution where each user has their own email account with its own passwords. Then no-one need know your, or anyone else's passwords. Done properly, this will allow you to set up groups so that users who are entitled to do so can formally share accounts, but using their own passwords.
- Don't share computers, or if you must, set up individual user accounts to regulate who can see what. Or at least set up a guest account for those who need to borrow your computer.
I don't get your misgivings about the Master Password. If it's enabled, no-one other than the owner of the Master Password can accidentally view stored passwords. If someone disables the Master Password, the stored passwords will be deleted, and must be re-entered. And that employee is now in line for disciplinary action. But if a user is confined to their own user account, they can't see your passwords anyway. If you need to tell others your own password, see (2) above.
I give a pc with email@email.com configured in thunderbird to a person. I want to avoid that this person read, delete or send mails from another pc (for example at his home or when he aren't in front of the pc configured by me). I want that he can use email@email.com only from the pc that i have configured. Is it possbile with thunderbird, now, in other ways? if not, ok, i give up! i have to search another software.
Please, does anyone know if is it possible to remove/disable show password manually or with a workaround? (with a css file or editing some code or some registry value)
How does you setting this up in Thunderbird, with a Master Password, not achieve your wishes?
I remember many years ago I was in a situation where I had lost track of an email password and Outlook Express had no means to allow me to view it.
My approach then was to use Ethereal (now known as Wireshark) to examine the packets sent by Outlook Express to the server, where the password was shown in clear text. Note that this approach wouldn't be feasible if the account had used SSL or TLS to encrypt the login.
So, I think Thunderbird, with a Master Password, (known only to you) and TLS or SSL would make it very hard for the user to discover the password. However I believe that in some jurisdictions this arrangement might be viewed as improper and possibly illegal; a user should be able to set his own password and not have to divulge it to anyone, including his employer - and as the owner of the Master Password, you would have the ability to view your users' passwords. At my own place of work, admins can't see users' passwords, except when they re-set a password to allow a user to regain access to an account where the password has been forgotten. Normally the first thing the user has to do after the password reset is set up his own personal password
I think you need an enterprise grade solution where you have control of the accounts and the server. Running or operating the server yourself would give you full control over your user's access to the account.