Important Notice: We're experiencing email notification issues. If you've posted a question in the community forums recently, please check your profile manually for responses while we're working to fix this.

Avatar for Username

Rechercher dans l’assistance

Évitez les escroqueries à l’assistance. Nous ne vous demanderons jamais d’appeler ou d’envoyer un SMS à un numéro de téléphone ou de partager des informations personnelles. Veuillez signaler toute activité suspecte en utilisant l’option « Signaler un abus ».

En savoir plus

Want clarificaton on Primary Password encryption

  • 3 réponses
  • 0 a ce problème
  • 14 vues
  • Dernière réponse par Wayne Mery

chull_56
chull_56
more options

I see this question was asked before (https://support.mozilla.org/en-US/questions/1415951) but the thread is now archived and I don't think the concern of the poster was understood/answered.

Your Thunderbird profile contains all the credentials needed to "be you" by having full access to all linked email accounts. In order to protect these accounts a Private Password can be created. It prevents someone trying to use Thunderbird as you (using your profile) from seeing the passwords or establishing connections to the email servers.

The question I have (and I believe was being asked) is, does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

I see this question was asked before (https://support.mozilla.org/en-US/questions/1415951) but the thread is now archived and I don't think the concern of the poster was understood/answered. Your Thunderbird profile contains all the credentials needed to "be you" by having full access to all linked email accounts. In order to protect these accounts a Private Password can be created. It prevents someone trying to use Thunderbird as you (using your profile) from seeing the passwords or establishing connections to the email servers. The question I have (and I believe was being asked) is, does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Solution choisie

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password

Lire cette réponse dans son contexte 👍 0

Toutes les réponses (3)

Wayne Mery
Wayne Mery
  • Moderator
  • Top 10 Contributor
more options

chull_56 said
does using a Private Password actually encrypt the account credentials, or does it just block someone when they're using the Thunderbird program? Asked another way, would a bad actor with access to the profile and access to appropriate sleuthing tools be able to recover the credentials--from the files alone--thus bypassing the private password of the Thunderbird program?

Primary password protects only the stored passwords. It does not protect your emails in the case that someone has already breached your computer.

Cela vous a-t-il été utile ?

chull_56
chull_56 Auteur de la question
more options

Thank you. I understand the email itself is plain text and not protected. My question is about the email account credentials.

Without a primary password, the logins.json file contains what appear to be encrypted passwords. But since they can be deciphered without a password (by simply running Thunderbird) they are obviously only obfuscated in some way. Even after enabling a primary password the logins.json file is still exactly the same. This is why I don’t see how any actual encryption has taken place.

A physical breach is not high risk for me, but the simple act of backing up my data (offsite or cloud) could be leaving obfuscated but unencrypted account credentials for a bad actor to find. Credentials that I thought were protected. Whatever algorithm deciphers the passwords could be implemented outside of the Thunderbird program itself.

I hope I’m wrong. Please explain what I’m missing.

Cela vous a-t-il été utile ?

Wayne Mery
Wayne Mery
  • Moderator
  • Top 10 Contributor
more options

Solution choisie

Correct, it is not encryption with a passphrase or other credential. But you should protect/encrypt your data at rest using native OS or other capability, and you should protect/encrypt backup data.

https://support.mozilla.org/en-US/kb/protect-your-thunderbird-passwords-primary-password

Cela vous a-t-il été utile ?

Poser une question

Vous devez vous identifier avec votre compte pour répondre aux messages. Veuillez poser une nouvelle question, si vous n’avez pas encore de compte.