Master password easily bypassed to read email when no internet connection
Have been trying to read about this issue for years off and on, but never found anything, so finally thought I'd ask a question.
I've used master password for years as a basic security to stop people reading emails on my machine. However, it can be completely bypassed if you just remove the internet connection and start thunderbird, the master password dialog never appears, allowing you to freely read any mail from any account within thunderbird.
Now I appreciate those mails may be accessible on the machine *IF YOU KNOW* where to look and read the raw files, but that is not something I am concerned about, more so the type of person who not have the knowledge to go that, would just open thunderbird and have a snoop around.
Sure that user couldn't send / receive mails (not internet) until the connection came back in which case the dialog is shown (eventually), but still, seems strange it doesn't stop people using thunderbird.
Additional System Details
- User Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64; rv:68.0) Gecko/20100101 Firefox/68.0
re :I've used master password for years as a basic security to stop people reading emails on my machine. I'm afraid you have not understood what the Master Password does or have forgotten since applying it.
When you created the 'Master Password' you did it in this location. Menu icon > Options > Security > 'Passwords' tab It says 'A Master Password protects all your passwords, but you must enter it once per session'. Below this is the checkbox to 'Use a Master Password'.
The 'Master Password' is designed to stop people from having access to viewing your saved passwords if anyone should have access to your desktop.
It is not designed to stop people from read emails, you would use the basic security as supplied by your computer and create a 'User Account' for yourself. You can apply a password to gain access to your User Account desktop. Then no one can access any of your documents if they do not know the User Account password. Good info here:
Thanks for your quick reply
That makes sense, I did think it was probably my understanding that was a miss.
I think the issue with a Thunderbird password is that all the data is plain text. Not much point trying to block folks out of Thunderbird when they can read your mail with notepad from the windows file manager.
> Not much point trying to block folks out of Thunderbird when they can read your mail with notepad from the windows file manager.
Well I disagree there. 95% of people don't know how to do that. But do now how to open thunderbird and read mail.
The keeping honest people honest argument. I still lock my car / house although 5% of people know how to pick the lock..
But as have internet connection most of the time, master passwords well enough :)