Join the Mozilla’s Test Days event from 9–15 Jan to test the new Firefox address bar on Firefox Beta 135 and get a chance to win Mozilla swag vouchers! 🎁

Този сайт ще има ограничена функционалност, докато се извършва тече неговата поддръжка. Ако дадена статия не може реши проблема ви и искате да зададете въпрос, нашата общност е готова да ви помогне на @firefox в Twitter и /r/firefox в Reddit.

Избягвайте измамите при поддръжката. Никога няма да ви помолим да се обадите или изпратите SMS на телефонен номер или да споделите лична информация. Моля, докладвайте подозрителна активност на "Докладване за злоупотреба".

Научете повече

Want clarificaton on Primary Password encryption

  • 3 отговора
  • 0 имат този проблем
  • Последен отговор от Wayne Mery

I see this question was asked before (https://support.mozilla.org/en-US/questions/1415951) but the thread is now archived and I don't think the concern of the poster was understood/answered.

Your Thunderbird profile contains all the credentials needed to "be you" by having full access to all linked email accounts. In order to protect these accounts a Private Password can be created. It prevents someone trying to use Thunderbird as you (using your profile) from seeing the passwords or establishing connections to the email servers.

The question I have (and I believe was being asked) is, does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

I see this question was asked before (https://support.mozilla.org/en-US/questions/1415951) but the thread is now archived and I don't think the concern of the poster was understood/answered. Your Thunderbird profile contains all the credentials needed to "be you" by having full access to all linked email accounts. In order to protect these accounts a Private Password can be created. It prevents someone trying to use Thunderbird as you (using your profile) from seeing the passwords or establishing connections to the email servers. The question I have (and I believe was being asked) is, does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Избрано решение

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password

Прочетете този отговор в контекста 👍 0

Всички отговори (3)

chull_56 said

does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Primary password protects only the stored passwords. It does not protect your emails in the case that someone has already breached your computer.

Полезно?

Thank you. I understand the email itself is plain text and not protected. My question is about the email account credentials.

Without a primary password, the logins.json file contains what appear to be encrypted passwords. But since they can be deciphered without a password (by simply running Thunderbird) they are obviously only obfuscated in some way. Even after enabling a primary password the logins.json file is still exactly the same. This is why I don’t see how any actual encryption has taken place.

A physical breach is not high risk for me, but the simple act of backing up my data (offsite or cloud) could be leaving obfuscated but unencrypted account credentials for a bad actor to find. Credentials that I thought were protected. Whatever algorithm deciphers the passwords could be implemented outside of the Thunderbird program itself.

I hope I’m wrong. Please explain what I’m missing.

Полезно?

Избрано решение

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password

Полезно?

Задаване на въпрос

You must log in to your account to reply to posts. Please start a new question, if you do not have an account yet.