PS, I tested the following twice

Changed the password of one of my email accounts

Stopping and restarting Thunderbird does not help, it still opens/sends/receives email using the old email account password.

Restarting the PC and then starting again makes Thunderbird asking me to re-enter and save all my passwords of all my hotmail and outlook accounts, but not my gmail account ???

I'm flabbergasted, now I think that when you close Thunderbird, Thunderbird remains running in the pc memory and remembers the account connections, so it does not need to re-open and does not need the passwords to re-connect.

Only when you shutdown the pc, Thunderbird really closes. But I don't understand that now the 1st time I open Thunderbird after the re-start, it asks me to re-enter/save all the passwords of my hotmail and outlook accounts instead of only the one where my password was changed.

Gmail is a bit special. If you're using OAuth2, Thunderbird will have been given a token that authenticates it. In most cases, once it has this token, it won't need your actual password.

You can test this by removing any stored passwords for the google account from the password store in Thunderbird. If it has the token, it won't care that you have removed the password.

Scary !!! In fact I did change my gmail password a few weeks ago and forgot to do this in Thunderbird, Thunderbird still access my email, the account/password list shows Oauth and my old password.

I never installed Oauth, I can't remember I did.

So Thunderbird is not safe without using the main password !!!

I think this functionality should change and untill that is done, all user should be warned to always use the main password.

For now I will no longer use thunderbird for gmail accounts. Actually I now have my doubts about the security of Thunderbird.

You had better take your argument to Gmail. They put OAuth2 and the token system in place. Thunderbird had to implement it to guarantee ongoing compatibility.

As I understand it, Thunderbird is using this security token which is independent of your password storage system.

I don't see why you think Thunderbird is particularly at fault here. If you leave your computer accessible to others and without password protection at the OS level then you have much bigger security issues to confront first.

https://stackoverflow.com/questions/26776322/how-to-invalidate-oauth-token-when-password-is-changed

Hi thanks for your reply, I still think that an email program should not be able to access my mail after I have changed my password, unless I also change the password in my email program.

Like I said, I now use the main password for Thunderbird, If Thunderbird had warned me for this, I would have used it from the beginning.

I removed my gmail account from Thunderbird.

A tiny bit of googling for token and OAuth shows many people asking the same question in many different contexts. This a Google thing, not a Thunderbird thing.

Also remember gmail required oauth after declaring everyone a Less Secure App. Do you feel more secure now?

I give up.

Just happy that Oauth does not influence the mailapp on my phone, as soon as I change the gmail password, I also need to change it in my phone. So I will only use my gmail account on my phone.

I have no idea how this works.

If you use imap and also OAuth2 authentication method which gmail really want you to use, then when you created the gmail imap mail account the first time, you have to use the normal password the first time on a auto launched gmail logon webpage; gmail accepts you and then generates the OAUth2 password which it saves in Thunderbird and from then onwards when you logon via Thunderbird, gmail will not ever use the normal password, it will use the OAUth2 password.

If you check your gmail mail account Account Settings then you will see that your 'Authentication Method' of choice is NOT 'Normal Password'. Altering your Normal Password is irrelevant to Gmail account when using Thunderbird because you are not using it.

You would have needed to delete the password stored for oauth and updated the Normal Password. Then restart Thunderbird to get gmail to send you to the sign in webpage to get a new oauth2 password.

This is not a Thunderbird quirk. It is gmail to wants to use OAuth2 and you who selected to use it.

I agree with you; it can be disconcerting at first because you would expect the need to update password in Thunderbird, until you realise that you are not using the password you think, you are using the oauth2 password.

Obviously you would need to use the updated password if you wanted to logon via webmail.

Like I said I will use my gmail account only on my phone where I do not have this problem.

Also I will use the main password on Thunderbird on my PC to prevent that anybody can open the password option.

Hans said

For now I will no longer use thunderbird for gmail accounts. Actually I now have my doubts about the security of Thunderbird.

Google are insisting on oAuth2.0 and over time will refuse connections in any other method by a mail client, phone etc. If you have issues take it up with them. But be warned, they call applications that do not use oAuth2.0 "less secure"

Everyone is aware of the need to have a pin on their phones, but for some reason, those same people appear to think they do not need an account password when using their computer. It matters not what connection methods are used, how your passwords are stored or if they are visible if you use account passwords on your computer. So I suggest you make use of the facilities offered by your operating system to secure your data.

Ofcourse I use an account password, ofcourse I use a pincode on my phone.

I just never expected Thunderbird would be able to access my gmail after I changed my password. I think Thunderbird should warn people for this and should advise new users upon installation of Thunderbird to always use the main password. Not everybody is a computer whizzkid.

I have never had an email program where it was so easy to list your passwords.

And now I know this, I ofcourse use a main password for Thunderbird.

And like I said before, after I changed my gmail password, my phone is not able to connect to gmail untill I change the password on my phone as well oAuth functionality or not (standard mail program on my iphone).

Hans said

And now I know this, I ofcourse use a main password for Thunderbird.

Do it properly. https://support.microsoft.com/en-au/help/13951/windows-create-user-account

I did not need to be told about passwords, I use computers since 1984. Just want Thunderbird to warn new users about the password functionality and the main password upon installation.

It is how gmail oauth works. Don't like it? Complain to gmail or use another provider. Thunderbird has nothing to do with it.

Like I said, I understand this is a gmail problem, but I think Thunderbird can educate people about this functionality.

Hans said

Like I said, I understand this is a gmail problem, but I think Thunderbird can educate people about this functionality.

Personally I see nothing to educate folk about. IF they want to live their live in blissful ignorance of how oAuth2.0 works, I do not see it as a mail clients job to educate them. This is an internet standards protocol, just as IMAP, HTTP FTP NNTP and POP are among many others. https://tools.ietf.org/html/rfc6749

We put in significant effort trying to educate folk about how their mail protocols work. I think you should be looking for a browser maker to educate folk about the downside of oAuth2.0. It is after all a web protocol.

How many people do you think have heared about or will ever hear about o2auth? I think that will not even be 1%.

I have managed to located some info on the gmail website. https://support.google.com/a/answer/6328616?hl=en

quote: When do the tokens get revoked, upon password expiry or password change? The tokens are revoked upon password change.

Judging by what gmail claim, I would have expected that when you started Thunderbird (after changing password in gmail webmail) gmail would have redirected you to a login page via a browser, at which point the oauth password was reset. This may have occurred without you realising what was happening. Perhaps you thought it was part of the gmail webmail authentication because you updated password and not realised it was actually gmail updating oauth in Thunderbird. Note that the oauth2 password would have been updated not the Normal Password. This may mean that the 'Normal Password' in Thunderbird could still look like the old one, but oauth password (which is the only password being used in Thunderbird) was updated.