Mozilla Connect

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

This similar, but not the same as this idea. Both ideas can definitely be integrated with the Secret Service Provider protocol.

Hey all,

This idea is now a “Trending idea” here on Mozilla Connect, which means it’s one step closer to reaching our internal teams for review—learn more about The Idea Journey.

Please keep the conversation going (the more details to support your case, the better) and stay tuned for updates 😀

I disagree with a forced storage within the os. Having had a similar situation with android, nothing is more frustrating then not beeing able to retrieve the passwords later. The advantage of software level storage should not be undervalued.

I'm not sure what kind of setup do you have, if the OS doesn't allow you to safely access your secrets then I would complain to them. If you check the idea I explained here, you'll see I proposed to use the Secret Service Provider protocol. Since it's a standard protocol, it allows you to use whatever password manager you prefer (as long as it complies with this standard protocol) and there are lots of products you can choose from.

This topic is predicated on Thunderbird saving passwords as plain text.  It does not,  so I see nothing happening here at all.

Recent changes see the entry of an operating system authentication to view passwords in the user interface.  If your operating system has no security,  then neither will Thunderbird with regard to that.  But that is how it should be.  Operating systems provide user account security.  Not applications.  Despite many suggesting they want it on shared devices.  Shared devices also have user accounts as well and folk should be using them.

I have 2 words for you Password Managers and there are 2 Foss ones "KeyPass XC" and "Bitwarden" I don't ever save passwords in my browser in fact your not suppose to cause hackers will easily get access to it if they infect your computer with malware.

I mostly use "KeyPass XC" over "Bitwarden" since it doesn't store anything in the cloud and it only saves locally there is a way to integrate it into Firefox and other browsers its much safer this way.

Hi 🙂

Does this site concerns both Firefox and Thunderbird, not only Firefox ?

On my side, I confirm that use the OS password manager is a must, for both Firefox and Thunderbird.

@MattAuSupportYou tell that Thunderbird does not save passwords as plain text.

Could you explain, please ?

As a heavy  FF.SYNC user, the obvious to me, solution is to consider integrating SYNC into tBird.
However, SYNC and bookmarking meta-data, have some issues, as I have addressend in other posts.

tBird would add additonal meta-data, specific to mail concepts.   Thus I suggest a group be formed to address multiple concerns regarding upgrading the SYNC capability to address, meta-data in a longer range, more abstract architecture.

This is a quite a heavy security issue. I wonder why this is open for so long time?

@HyperCriSiSProbably because the whole thing is based on a false premise, that passwords are stored as unencrypted text.

@Thomas_DC  Passwords are stored in the user file in an encrypted state.  If you set a primary password, then the only one that knows the encryption key is you.  By default, the key is stored in the profile with the passwords, so security is only as good as the physical security of the hardware.  Once a primary password is set then the passwords are encrypted using the primary password as the key.

See https://support.mozilla.org/kb/protect-your-thunderbird-passwords-primary-password

@moz_samriWork on sync is being undertaken under the general umbrella of this bug https://bugzilla.mozilla.org/show_bug.cgi?id=446444  look to the Depends: bug numbers for individual components of the whole

You might also want to be involved in the testing of the feature as it goes through the beta process.

If they can ever be saved as 256-bit binary, or anything alike, then that is the best. Today's services and programs love to hack users' credits. Agree?

---

@MattAuSupportwrote:

By default, the key is stored in the profile with the passwords, so security is only as good as the physical security of the hardware.

If I'm right, that's not plain text, but that's no more secure.

So, why do you say:

Probably because the whole thing is based on a false premise, that passwords are stored as unencrypted text.

?

How to see on which Products applies this idea?

Is it on both Firefox and Thunderbird?