Thunderbird opens mail account with old password - severe problem!
Hi, after having changed the password of my email account, Thunderbird still opens my email account with my old password and receives/sends new mails without problems. I cannot open my account with my old password via a browser. This is how it should work.
I have seen other topics for this problem, but none with a correct, satisfying answer. Maybe I did not look well enough.
Thunderbird should not be able to open a mail account with an old password; I think this is a severe problem.
Yes, I know I can use Thunderbird with a main password, but still, how is it possible that Thunderbird does not ask me for the new password of an account after I changed my password for that account?
PS: I tested the following twice:
Changed the password of one of my email accounts
Stopping and restarting Thunderbird does not help, it still opens/sends/receives email using the old email account password.
Restarting the PC and then starting again makes Thunderbird ask me to re-enter and save all my passwords for all my Hotmail and Outlook accounts, but not my Gmail account???
I'm flabbergasted; now I think that when you close Thunderbird, Thunderbird remains running in the PC memory and remembers the account connections, so it does not need to re-open and does not need the passwords to re-connect.
Only when you shut down the PC does Thunderbird really close. But I don't understand that now, the first time I open Thunderbird after the restart, it asks me to re-enter/save all the passwords of my Hotmail and Outlook accounts instead of only the one where my password was changed.
Gmail is a bit special. If you're using OAuth2, Thunderbird will have been given a token that authenticates it. In most cases, once it has this token, it won't need your actual password.
You can test this by removing any stored passwords for the Google account from the password store in Thunderbird. If it has the token, it won't care that you have removed the password.
Scary!!! In fact I did change my Gmail password a few weeks ago and forgot to do this in Thunderbird; Thunderbird still accesses my email, and the account/password list shows OAuth and my old password.
I never installed OAuth; I can't remember that I did.
So Thunderbird is not safe without using the main password!!!
I think this functionality should change and, until that is done, all users should be warned to always use the main password.
For now I will no longer use Thunderbird for Gmail accounts. Actually, I now have my doubts about the security of Thunderbird.
You had better take your argument to Gmail. They put OAuth2 and the token system in place. Thunderbird had to implement it to guarantee ongoing compatibility.
As I understand it, Thunderbird is using this security token which is independent of your password storage system.
I don't see why you think Thunderbird is particularly at fault here. If you leave your computer accessible to others and without password protection at the OS level then you have much bigger security issues to confront first.
Hi, thanks for your reply. I still think that an email program should not be able to access my mail after I have changed my password, unless I also change the password in my email program.
Like I said, I now use the main password for Thunderbird. If Thunderbird had warned me about this, I would have used it from the beginning.
I removed my gmail account from Thunderbird.
A tiny bit of googling for token and OAuth shows many people asking the same question in many different contexts. This is a Google thing, not a Thunderbird thing.
Also remember Gmail required OAuth after declaring everyone a Less Secure App. Do you feel more secure now?
I give up.
Just happy that OAuth does not influence the mail app on my phone; as soon as I change the Gmail password, I also need to change it on my phone. So I will only use my Gmail account on my phone.
I have no idea how this works.
If you use IMAP and also the OAuth2 authentication method, which Gmail really wants you to use, then when you created the Gmail IMAP mail account the first time, you had to use the normal password the first time on an auto-launched Gmail logon webpage; Gmail accepts you and then generates the OAuth2 password, which it saves in Thunderbird, and from then onwards, when you log on via Thunderbird, Gmail will never use the normal password; it will use the OAuth2 password.
If you check your Gmail mail account's Account Settings, you will see that your 'Authentication Method' of choice is NOT 'Normal Password'. Altering your Normal Password is irrelevant to the Gmail account when using Thunderbird because you are not using it.
You would have needed to delete the password stored for OAuth and update the Normal Password. Then restart Thunderbird to get Gmail to send you to the sign-in webpage to get a new OAuth2 password.
This is not a Thunderbird quirk. It is Gmail that wants to use OAuth2, and you who selected to use it.
I agree with you; it can be disconcerting at first because you would expect the need to update the password in Thunderbird, until you realise that you are not using the password you think; you are using the OAuth2 password.
Obviously you would need to use the updated password if you wanted to log on via webmail.
Like I said, I will use my Gmail account only on my phone, where I do not have this problem.
Also, I will use the main password in Thunderbird on my PC to prevent anybody from opening the password option.
Hans said
For now I will no longer use Thunderbird for Gmail accounts. Actually, I now have my doubts about the security of Thunderbird.
Google are insisting on OAuth 2.0 and over time will refuse connections by any other method from a mail client, phone etc. If you have issues, take it up with them. But be warned, they call applications that do not use OAuth 2.0 "less secure".
Everyone is aware of the need to have a pin on their phones, but for some reason, those same people appear to think they do not need an account password when using their computer. It matters not what connection methods are used, how your passwords are stored or if they are visible if you use account passwords on your computer. So I suggest you make use of the facilities offered by your operating system to secure your data.
Of course I use an account password; of course I use a PIN code on my phone.
I just never expected Thunderbird would be able to access my Gmail after I changed my password. I think Thunderbird should warn people about this and should advise new users, upon installation of Thunderbird, to always use the main password. Not everybody is a computer whiz kid.
I have never had an email program where it was so easy to list your passwords.
And now that I know this, I of course use a main password for Thunderbird.
And like I said before, after I changed my Gmail password, my phone is not able to connect to Gmail until I change the password on my phone as well, OAuth functionality or not (standard mail program on my iPhone).
Hans said
And now that I know this, I of course use a main password for Thunderbird.
Do it properly. https://support.microsoft.com/en-au/help/13951/windows-create-user-account
I did not need to be told about passwords; I have used computers since 1984. I just want Thunderbird to warn new users about the password functionality and the main password upon installation.
It is how Gmail OAuth works. Don't like it? Complain to Gmail or use another provider. Thunderbird has nothing to do with it.
Like I said, I understand this is a Gmail problem, but I think Thunderbird can educate people about this functionality.
Hans said
Like I said, I understand this is a Gmail problem, but I think Thunderbird can educate people about this functionality.
Personally I see nothing to educate folk about. If they want to live their lives in blissful ignorance of how OAuth 2.0 works, I do not see it as a mail client's job to educate them. This is an internet standards protocol, just as IMAP, HTTP, FTP, NNTP and POP are, among many others. https://tools.ietf.org/html/rfc6749
We put in significant effort trying to educate folk about how their mail protocols work. I think you should be looking for a browser maker to educate folk about the downside of OAuth 2.0. It is, after all, a web protocol.
How many people do you think have heard about or will ever hear about OAuth2? I think that will not even be 1%.
I have managed to locate some info on the Gmail website. https://support.google.com/a/answer/6328616?hl=en
Quote: "When do the tokens get revoked, upon password expiry or password change? The tokens are revoked upon password change."
Judging by what Gmail claims, I would have expected that when you started Thunderbird (after changing the password in Gmail webmail), Gmail would have redirected you to a login page via a browser, at which point the OAuth password was reset. This may have occurred without you realising what was happening. Perhaps you thought it was part of the Gmail webmail authentication because you updated the password and did not realise it was actually Gmail updating OAuth in Thunderbird. Note that the OAuth2 password would have been updated, not the Normal Password. This may mean that the 'Normal Password' in Thunderbird could still look like the old one, but the OAuth password (which is the only password being used in Thunderbird) was updated.
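As an added illustration of the two explanations above (the OAuth2 token replacing the Normal Password once the account is set up, and Google's statement that tokens are revoked on a password change), here is a constructed Python model; it is not Thunderbird or Google code. AuthServer, client_can_read_mail and the sample account are hypothetical, while the SASL XOAUTH2 message built by xoauth2_initial_response is the real format an IMAP client sends to Gmail after AUTHENTICATE XOAUTH2.

```python
import base64
import secrets
from dataclasses import dataclass, field

@dataclass
class AuthServer:  # constructed stand-in for Google's authorization + IMAP servers
    passwords: dict                                      # user -> current "Normal Password"
    refresh_tokens: dict = field(default_factory=dict)   # long-lived token -> user
    access_tokens: dict = field(default_factory=dict)    # short-lived token -> user

    def interactive_login(self, user, password):
        """One-time browser sign-in: the password is checked once and a refresh token is issued."""
        if self.passwords.get(user) != password:
            raise PermissionError("bad password")
        token = secrets.token_urlsafe(16)
        self.refresh_tokens[token] = user
        return token

    def refresh(self, refresh_token):
        """Mint an access token from a refresh token; the password plays no part here."""
        user = self.refresh_tokens.get(refresh_token)
        if user is None:
            raise PermissionError("refresh token revoked or unknown")
        token = secrets.token_urlsafe(16)
        self.access_tokens[token] = user
        return token

    def change_password(self, user, new_password, revoke_tokens):
        self.passwords[user] = new_password
        if revoke_tokens:  # provider policy; Google's support page says tokens are revoked
            self.refresh_tokens = {t: u for t, u in self.refresh_tokens.items() if u != user}
            self.access_tokens = {t: u for t, u in self.access_tokens.items() if u != user}

def xoauth2_initial_response(user, access_token):
    """SASL XOAUTH2 client-first message, as sent after IMAP 'AUTHENTICATE XOAUTH2'."""
    raw = f"user={user}\x01auth=Bearer {access_token}\x01\x01"
    return base64.b64encode(raw.encode()).decode()

def imap_authenticate(server, initial_response):
    fields = base64.b64decode(initial_response).decode().split("\x01")
    user = fields[0].removeprefix("user=")
    token = fields[1].removeprefix("auth=Bearer ")
    return server.access_tokens.get(token) == user  # only a live token for that user passes

def client_can_read_mail(server, user, refresh_token):
    """Thunderbird-style check: refresh, then IMAP XOAUTH2; False once the refresh token is dead."""
    try:
        access = server.refresh(refresh_token)
    except PermissionError:
        return False
    return imap_authenticate(server, xoauth2_initial_response(user, access))
```

With revoke_tokens=False the client keeps reading mail after the password change, which is the behaviour reported in this thread; with revoke_tokens=True the next refresh fails and the client has to go through interactive_login again with the new password.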