GwydionBowydd
New member
Status: Trending idea

My copy of Thunderbird is protected by a Master password, which ensures that you enter your password before Thunderbird launches.   However if you "CANCEL" at that point and do not enter your password Thunderbird STILL launches and existing e-mails can still be read.  If you try and send an e-mail the password will be required, but existing e-mails can still be read without entering the password.  This seems bizarre.
It would be better if Thunderbird doesn't launch at all if you press "CANCEL" at the password stage.  Thank you

48 Comments
youngerjry
New member

Why is there no option to lock Thunderbird with a PIN or PW? This seems like a security flaw exposing your email to multiple accounts with no way to secure TB 102, unless I'm missing something. Can you let me know if I am missing something?

Ryan

Status changed to: New idea
Jon
Community Manager

Thanks for submitting an idea to the Mozilla Connect community! Your idea is now open to votes (aka kudos) and comments.

JBS
New member

I would definitely advocate total password protection when Thunderbird starts. I used to use the "Master password" add-on, which no longer works with the new versions ...

Nautilus
Strollin' around

@youngerjry I support your idea!

In addition to that, the content of Thunderbird should be encrypted when not in use.

The password protection should be optionally activated when a screensaver is started or energy-saving is executed.

phade
Strollin' around

Protection with master password

I can protect all passwords for my mail accounts with a primary password, but I cannot protect Thunderbird and all mails it stores or caches with a master password.

This way, anyone that can start Thunderbird can still read all cached (IMAP) and stored (POP3) emails.

It could even be that Thunderbird's locally stored databases, caches and files are not protected or encrypted at all and readable if you gain access to the computer or maybe only its hard disk. Is that right?

I would like to request a master password as feature. All access to Thunderbird should be denied without the right password, when set and all locally stored files and databases should be encrypted with this password.

Maybe there should be a way to recover all mails and gain access again when this master password has been lost (like you can use a PIN2 when you lost the PIN to your smartphone).

Jon
Community Manager

(Note: a similar idea has been merged into this thread)

youngerjry
New member

It only makes sense to me that a password should be in place for security reasons. Or at least the option for one. Sensitive emails require protection, and when we log in to any web-based email system they log you out and you are asked for a password again. I'm not sure why Mozilla, who is security conscious, has overlooked the simple idea of allowing their users the ability to put a password in place should they desire to tighten email security another step.

If someone were to hack the machine and, let's say, the machine is locked from outside access from the keyboard, but someone gets access to the machine through the network, then they can get access to Thunderbird and get access to potentially sensitive information. It is not far-fetched to have corporate espionage and state hackers try to get into companies these days. That used to be considered conspiracy but has proven to be true again and again, especially since Snowden's revelations brought a lot of this information to light.

Htotheoltzey
New member

The title says it all...if I don't enter my password and keep ignoring to enter it I can view emails, save or download attachments etc...how is this even possible?

Serg
Employee

@Htotheoltzey  what password / program are you referring to?

mexstef
New member

I've discovered the same. Even more obscure - if I use end-to-end encryption, then the private key needs to be stored in the Thunderbird container and encryption is useless, because of the master password failure. I can easily read all emails decrypted.

Rootman
New member

Sometimes I've started Thunderbird inadvertently; I do not enter the master password I have set and choose CANCEL on the password dialog. Thunderbird still opens and each of the many accounts I have set up prompts for a password. There should be an option that Thunderbird CLOSES immediately when CANCEL is selected on the master password dialog. With a toggleable option you have the choice of closing TB or continuing on with its present behavior, which would still allow those who perhaps want to open ONE (or a few) accounts manually by prompting for a password. Those that simply want to close it all when cancel is selected can choose it too.

Ripples
Strollin' around

That default behavior is crazy! You get my vote! Surely your simple, yet great idea would be easy to implement?

I posted a semi-related idea for Thunderbird security and privacy here as well:

Password Protected Local Folders

Oclair
Making moves

Thunderbird 102.12.0 (64-bit) MACOS Primary Password feature ignores cancel and re-prompts stealing UI focus.

Some questions relating to working as intended

Is there yet a consensus what to do when cancel is selected?

Why are multiple instances of the primary password request sent to the UI if the first one is not yet responded to?

Is giving the impression that this feature is not tested internally really a good idea for establishing the feature is secure and for example there are again no backdoors present bypassing the security feature?

Have a great day, and thank you for contributing to the Open Source software community!