Join the Mozilla’s Test Days event from 9–15 Jan to test the new Firefox address bar on Firefox Beta 135 and get a chance to win Mozilla swag vouchers! 🎁

Ce site disposera de fonctionnalités limitées pendant que nous effectuons des opérations de maintenance en vue de vous proposer un meilleur service. Si un article ne règle pas votre problème et que vous souhaitez poser une question, notre communauté d’assistance est prête à vous répondre via @FirefoxSupport sur Twitter, et /r/firefox sur Reddit.

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Want clarificaton on Primary Password encryption

  • 3 réponses
  • 0 a ce problème
  • Dernière réponse par Wayne Mery

I see this question was asked before (https://support.mozilla.org/en-US/questions/1415951) but the thread is now archived and I don't think the concern of the poster was understood/answered.

Your Thunderbird profile contains all the credentials needed to "be you" by having full access to all linked email accounts. In order to protect these accounts a Private Password can be created. It prevents someone trying to use Thunderbird as you (using your profile) from seeing the passwords or establishing connections to the email servers.

The question I have (and I believe was being asked) is, does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

I see this question was asked before (https://support.mozilla.org/en-US/questions/1415951) but the thread is now archived and I don't think the concern of the poster was understood/answered. Your Thunderbird profile contains all the credentials needed to "be you" by having full access to all linked email accounts. In order to protect these accounts a Private Password can be created. It prevents someone trying to use Thunderbird as you (using your profile) from seeing the passwords or establishing connections to the email servers. The question I have (and I believe was being asked) is, does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Solution choisie

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password

Lire cette réponse dans son contexte 👍 0

Toutes les réponses (3)

chull_56 said

does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Primary password protects only the stored passwords. It does not protect your emails in the case that someone has already breached your computer.

Cela vous a-t-il été utile ?

Thank you. I understand the email itself is plain text and not protected. My question is about the email account credentials.

Without a primary password, the logins.json file contains what appear to be encrypted passwords. But since they can be deciphered without a password (by simply running Thunderbird) they are obviously only obfuscated in some way. Even after enabling a primary password the logins.json file is still exactly the same. This is why I don’t see how any actual encryption has taken place.

A physical breach is not high risk for me, but the simple act of backing up my data (offsite or cloud) could be leaving obfuscated but unencrypted account credentials for a bad actor to find. Credentials that I thought were protected. Whatever algorithm deciphers the passwords could be implemented outside of the Thunderbird program itself.

I hope I’m wrong. Please explain what I’m missing.

Cela vous a-t-il été utile ?

Solution choisie

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password

Cela vous a-t-il été utile ?

Poser une question

Vous devez vous identifier avec votre compte pour répondre aux messages. Veuillez poser une nouvelle question, si vous n’avez pas encore de compte.