Unauthorized password changes in gmail
Recently had to add my gmail password to a new computer. Upon checking it in this computer, I noticed that it had been changed from a 12 character password to one over 50 characters long. I deleted it and entered my usual 12 character-length password which was readily accepted but when I checked in password manager, it had changed again to a 50+/- long password. An example: 1/6DLGZx27RCm-DO5gzCpzvoLLJBioJIuB6z7a-LS3j_U All the new passwords start with 1/. Multiple deletions and insertions of a new password always resulted in such unauthorized changes. Not only that, when I copy the new long passwords into accounts on other computers or my phone, I always get a "wrong password" message. Review of my message log reveals only my computers as users. As it stands now, I can only have my gmail accounts open on one computer whereas I need it on three. Why is my password being changed without my input? What program could be doing it since it's being changed in Thunderbird? I recently added BitDefender but I never saw or can find anything that states it's changing my passwords. This is very frustrating and any help would be greatly appreciated!
Chosen solution
I just need to make certain that I know what my password is for a gmail account and use it on all my devices and ignore what the hashed one is, correct?
Correct. All you need to remember is your Google account password. Even though it is stored in the field where Thunderbird remembers account passwords, the OAuth2 authentication token isn't a password, and you don't need to remember it. If it gets lost or when it expires, you'll be prompted again for your Gmail password.
Setting a master password usually is a good idea. You'd need to remember that as well. http://kb.mozillazine.org/Master_password
Those look like hashes, which are the same password but run through an algorithm (it's a security thing). See the example below:
Password (12 characters; yes, it's insecure, but it works for this example): Thunderbird1
Hashing Thunderbird1 via sha256sum returns: 8298ab9bd0a4d13acd68a8e75a2a641264318a63c0ce7d51b8de2c817981c202 (a 67 character hash of the original 12 character password/passphrase).
To check for yourself run any sha256sum hashing tool for the OS of choice, I will show a commandline version used in *nix and macOSX:
echo 'Thunderbird1' | sha256sum => 8298ab9bd0a4d13acd68a8e75a2a641264318a63c0ce7d51b8de2c817981c202 and doing a letter count returns 67
The built-in password manager iirc uses sha256sum for all its hashing. The 1/ is likely merely for the profile linkage.
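As an added illustration of the hashing step described in the post above (example code, not the poster's), the script below hashes a string with SHA-256 the way the post does and also tests whether a stored secret has the form of a hex digest at all. Two things it makes visible: a SHA-256 digest is always 64 hexadecimal characters, and "echo" feeds the hasher a trailing newline, so the digest differs from that of the bare string. The "1/..." string quoted in the question contains characters no hex digest can, which is consistent with the chosen solution that it is an OAuth2 token rather than a hash.

```shell
#!/bin/sh
# Added example (not from the thread): SHA-256 a string the way the post does,
# and check whether a stored secret even has the shape of a hex digest.

# Name of the SHA-256 tool on this system: coreutils sha256sum on Linux,
# shasum on macOS (the post's "sha256sum" command is the former).
sha256_cmd() {
    if command -v sha256sum >/dev/null 2>&1; then
        printf 'sha256sum\n'
    else
        printf 'shasum -a 256\n'
    fi
}

# Digest of exactly the given string (no trailing newline), hex only.
sha256_hex() {
    printf '%s' "$1" | $(sha256_cmd) | cut -d' ' -f1
}

# Digest of the string plus a newline, which is what "echo ... | sha256sum"
# actually hashes; the two digests differ, a classic "hash doesn't match" cause.
sha256_hex_echo() {
    printf '%s\n' "$1" | $(sha256_cmd) | cut -d' ' -f1
}

# True (exit 0) only for a 64-character string made of hex digits, i.e. a
# string that could be a SHA-256 hex digest; anything with '/', '-', '_' fails.
looks_like_sha256_hex() {
    case "$1" in
        *[!0-9a-fA-F]*) return 1 ;;
    esac
    [ "${#1}" -eq 64 ]
}

# One-word verdict for a stored secret, usable in scripts or by eye.
classify_secret() {
    if looks_like_sha256_hex "$1"; then
        printf 'hex-sha256-digest\n'
    else
        printf 'not-a-hex-digest\n'
    fi
}

# Demo on the password from the post and the token string from the question.
demo() {
    d=$(sha256_hex 'Thunderbird1')
    printf 'sha256("Thunderbird1")   = %s (%d hex chars)\n' "$d" "${#d}"
    printf 'sha256("Thunderbird1\\n") = %s\n' "$(sha256_hex_echo 'Thunderbird1')"
    printf '%s -> %s\n' "$d" "$(classify_secret "$d")"
    tok='1/6DLGZx27RCm-DO5gzCpzvoLLJBioJIuB6z7a-LS3j_U'
    printf '%s -> %s\n' "$tok" "$(classify_secret "$tok")"
}
demo
```

Run it with sh; the first two lines of output show that the digest of the bare string and of the echo'ed string (with its newline) are different 64-character values, and the last line shows the token string from the question rejected as a hex digest.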
Um, OK. But where did this algorithm come from? I didn't enable any hashing of my passwords. Is this a Thunderbird function? Maybe the recently added Bitdefender suite? If I want, where do I disable this function (if you know)? And because the hashed passwords are non-transferable (I tried), do I just need to enter the same, say 15 character, password in all my accounts to have them hashed (to different hashed passwords, I presume)? Anyway, thanks for what you have told me!
Never mind. I missed the part where it was 50 characters long.
Um, nope. These passwords have been used for months. The last time I checked my passwords they were unencrypted...until last week.
Since every other word on the Bitdefender site is "encrypt", you should check with them.
Is this an IMAP account and you set up the account for OAuth2 authentication? Then this is the way it works. With OAuth2 Thunderbird remembers an authentication token, not the actual account password. Stop messing with it.
Well, I'm not "messing with it" but simply trying to figure out something I haven't encountered before. Yes, it is an IMAP account and yes, it is set for OAuth2. I did not set the account up this way, never have before, and don't have a clue as to how it got set to OAuth2. Am I to understand that I can reset it for "normal password" and not have it hashed? I use PLENTY long passwords that are unlikely to be hacked, i.e. totally random characters. I KISS.
Am I to understand that I can reset it for "normal password" and not have it hashed?
You could. However, this isn't recommended, as Google prefers OAuth2 as authentication method. If you revert to "normal password" you'll have to jump through other hoops to make it work. And I don't understand what your problem is with OAuth2. It actually is pretty simple from a user's perspective.
I use PLENTY long passwords that are unlikely to be hacked,
Just curious, do you use a master password so that your Gmail account password is stored encrypted in Thunderbird?
Nope, no master password. My problem with OAuth2 is that it happened without any input from me and totally unknown to me, and because my job doesn't entail detailed software knowledge, I've had to figure out what happened and what to do about it. I don't like surprises nor being told what to do, i.e., use OAuth2. As mozillaZine states: "This is really just an attempt to increase use of OAuth2, which supports their business plan 'by supporting logging into third party web sites such as Facebook or Twitter without exposing the users password. After a while some other email providers such as Yahoo have started doing the same thing to encourage people to use their apps or webmail (instead of a 3rd party email client).'" OK, cool, makes sense. But out of the blue? Not a good way to do business for the average computer user (me). So it seems as though I just need to keep my passwords for my gmail accounts in plain text somewhere else so if I need to know them, I can look them up...on the paper underneath my mouse pad (just kidding). Correct?
Few things for the OP:
1) This is NOT just out of the blue, you respectfully have just not been listening to the 'heartbeat' of "Do things more securely". 1a) While this is largely backed by Google it is actually part of a Larger security model and Standard compliance Called FIDO/UAF, which includes among many others u2f, OTP ( in HOTP & TOTP formats), and OAuth/OAuth2. If you have a modern phone on Android or iOS it has been using this logic and behavior in the background to prevent bad actors from screwing with your information.
2) So you claim to have a 50+ character password, big deal, GONE are the days where mere length is enough. It's complexity and depth of entropy that make a password (which really should these days be a passphrase) even remotely secure.
3) To backup @christ1 's comment: If you revert to "normal password" you'll have to jump through other hoops to make it work.
With Oauth/ or OAuth2 you have built in defense in the password/passphrase, setting back to less secure, among other things will result in the following:
having to set Thunderbird and most other apps (even on mobile) as 'less insecure' in google/gmail settings, which will also force you to authorize EVERY login after awhile (even from known and 'validated' machines/IPs).
Before you go assuming that it's some Google Conspiracy or plot to advance their business model, learn the logic, standards and reasonings behind things PLEASE I beg you.
Well, yes, it IS from the blue for someone who doesn't live and breathe software. And it IS from the blue if google changes the way Thunderbird stores passwords without notifying users. That said, I see the rationale behind OAuth2 and it's something I will use. Finding out info about it--for non-geek users (I mean, I build my own desktops and am more knowledgeable than probably 99% of computer users) has been a royal PITA. Most folks just write down their passwords and when their 386SX dies, they'll just re-enter the passwords or generate new ones. I really appreciate all of those who have taken the time to enlighten me about this. Thanks much! Just one question: I just need to make certain that I know what my password is for a gmail account and use it on all my devices and ignore what the hashed one is, correct? Yeah, it's a very basic question but then I (obviously) have a very basic knowledge base re: this issue!
Technically yes, however here are a few better options:
Enter it ONCE in Thunderbird (per machine if multiples; there is another way to migrate, more below) and USE the MASTER Password option in the 'Security' tab. Remember the MASTER password and the others are securely cached in your Thunderbird profile.
If multiple devices, in google or chrome enable chrome sync; this, once logged in to those devices, will sync your settings AND make it easier on all those devices to use chrome://settings/passwords, where you find the needed gmail password and click 'view details' to show the plaintext normal password (aka un-hashed).
Staying inside the Thunderbird world you can backup your profile with all that saved in it via the above method (preferred, while not required):
Backup the entire directory mentioned below for the OS of your choice:
Windows: /Users/<USERNAME>/AppData/Roaming/Thunderbird/Profiles/somenumbers&letters.default/
Linux: /home/<username>/.thunderbird/somenumbers&letters.default/
Mac: In Thunderbird, go to Help, Troubleshooting Information In the window that opens, under Application Basics, click on the Show Folder button, next to Profile Folder.
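As an added example (not the poster's code and not something shipped by Mozilla), here is a small POSIX shell script that performs the backup step above: it resolves the profile folder for the OS named on the command line, picks the *.default* profile and writes a compressed archive of it. The Linux and Windows locations are the ones quoted in the post; the macOS location (~/Library/Thunderbird/Profiles) is assumed from the usual install, since the post only gives the menu route. Close Thunderbird before running it, and keep the archive as private as the profile itself, because it contains logins.json and key4.db and therefore every saved password and OAuth2 token.

```shell
#!/bin/sh
# Added example, not code from the thread or from Mozilla: back up a Thunderbird
# profile directory as a compressed archive. Linux and Windows locations follow
# the post; the macOS location is an assumption (~/Library/Thunderbird/Profiles).
# Close Thunderbird first, or the copied logins.json/key4.db may be mid-write.

# Print the directory that holds the profiles for the given OS name.
profile_root() {
    os="$1"; home="$2"
    case "$os" in
        linux)   printf '%s\n' "$home/.thunderbird" ;;
        mac)     printf '%s\n' "$home/Library/Thunderbird/Profiles" ;;
        windows) printf '%s\n' "$home/AppData/Roaming/Thunderbird/Profiles" ;;
        *)       printf 'unknown OS: %s\n' "$os" >&2; return 1 ;;
    esac
}

# Print the first profile directory whose name contains ".default"
# (Thunderbird names them <random>.default or <random>.default-release).
find_default_profile() {
    root="$1"
    for dir in "$root"/*.default*; do
        [ -d "$dir" ] || continue
        printf '%s\n' "$dir"
        return 0
    done
    printf 'no default profile under %s\n' "$root" >&2
    return 1
}

# Archive the profile into DEST and print the archive path. The archive holds
# logins.json and key4.db, i.e. every saved password and OAuth2 token, so it
# deserves the same protection as the profile directory itself.
backup_profile() {
    profile="$1"; dest="$2"
    mkdir -p "$dest"
    stamp=$(date +%Y%m%d)
    archive="$dest/thunderbird-profile-$stamp.tar.gz"
    tar -czf "$archive" -C "$(dirname "$profile")" "$(basename "$profile")"
    printf '%s\n' "$archive"
}

# List the files inside an archive, so a backup can be checked before it is relied on.
list_backup() {
    tar -tzf "$1"
}

# Usage: sh backup.sh <linux|mac|windows> <destination-dir>
if [ "$#" -eq 2 ]; then
    root=$(profile_root "$1" "$HOME") || exit 1
    profile=$(find_default_profile "$root") || exit 1
    archive=$(backup_profile "$profile" "$2") || exit 1
    printf 'wrote %s\n' "$archive"
    list_backup "$archive" | head -n 5
fi
```

Restoring is the reverse: with Thunderbird closed, extract the archive into the profiles directory for that OS and start Thunderbird again; the saved account passwords, the OAuth2 token and the master password setting come back together.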
I think I had the same problem here but don't understand the answer. My IMAP account password appears to have been changed (not by me to my knowledge) from type Normal to type OAuth2 (starting 1/....). I've had to reset both Incoming and Sending passwords to fix gmail. Can somebody summarise what has happened here please?
musicrab,
you're posting to a 'Solved' topic. Please start a new topic for your question. https://support.mozilla.org/questions/new