We're calling on all EU-based Mozillians with iOS or iPadOS devices to help us monitor Apple’s new browser choice screens. Join the effort to hold Big Tech to account!

Search Support

Avoid support scams. We will never ask you to call or text a phone number or share personal information. Please report suspicious activity using the “Report Abuse” option.

Learn More

This is not a question. I was told to come here and "tell us what you think".

  • 5 ŋuɖoɖowo
  • 1 masɔmasɔ sia le esi
  • 1 view
  • Nuɖoɖo mlɔetɔ tanstaafl

more options

So a new change in version 78 is that "Thunderbird will now ask for OS account password before displaying saved passwords". This is akin to a business or credit card company asking me for my Social Security Number, in other words, totally unacceptable. This is a deal killer for me, I'll never update to version 78.0 as long as this "feature" is in place.

So a new change in version 78 is that "Thunderbird will now ask for OS account password before displaying saved passwords". This is akin to a business or credit card company asking me for my Social Security Number, in other words, totally unacceptable. This is a deal killer for me, I'll never update to version 78.0 as long as this "feature" is in place.

All Replies (5)

more options

Hi John. You are correct to be cautious but you misunderstand how the feature works.

This new prompt is from the OS, and the OS would NEVER supply the OS password to an application. The way it works is the application requests the OS via an API for you to confirm that you have rights on your OS to make changes, and that confirmation is passed back from the OS to the application. Thunderbird isn't doing the password checking, and never sees your OS password.

Many applications are now using this capability to protect the storage of passwords and other sensitive data on our computer, so that ONLY YOU can make the changes, not some random person who walks up to your computer. This is actually an improvement compared to Master password.

more options

I have no idea as to what the change really means, but I assume that we will now be asked for the account password when we try and view the passwords in the password manager. But I am only guessing.

more options

Wayne Mery said

Many applications are now using this capability to protect the storage of passwords and other sensitive data on our computer, so that ONLY YOU can make the changes, not some random person who walks up to your computer. This is actually an improvement compared to Master password.

this is actually handy = I hope it supports the windows 10 PIN as well - because that's the same as my master password. So it doesn't really matter whether it asks for the one or the other. I assume it won't ask if passwords aren't protected on Thunderbird.

more options

I've read all the replies to my OP, and here's a little wrench in the works I'd like to mention: What if the user's computer doesn't *have* an OS password? My system is a single user computer. I never set up a password so that I can start the computer without having to type in a password every time I turn the thing on.

Regardless, I had thought that when I tediously replaced all my legacy extensions and learned to do without some of them, that this was the end of that problem. Imagine my horror when I now learn that I'm going to have to go through all that yet again. Well, I simply won't do it. I'm going to stay with version 68 as long as I can because some of the extensions I use are mission critical and I won't do without them.

more options

This is a good alternative to the master password, however I'd like to be able to disable this feature since it adds no value for me and is just yet another thing that can go wrong. If I need more security I'd store my profile on a password protected encrypted partition using VersaCrypt. I'm much more concerned about some technician browsing my financial files etc. if I have to take my PC in for repair than I am about somebody walking up to my PC when I'm out of the room (since I live alone).

It seems rash to include this feature in Thunderbird when there isn't even a KB article about it for Firefox yet.

I don't any longer, but for a while I used KeePass as an alternative to the built-in password manager. Now that Thunderbird 78 has broken all legacy add-ons you can't use something like the KeeBird add-on to add the necessary information to the password prompt window so that Keypass can recognize what account its for. Keypass uses AES encryption with a 256 bit key. Has the encryption used for the stored passwords in Mozilla's password manager been improved? Its been notoriously bad. There are lots of free programs to crack stored Mozilla passwords.

I'd be more comfortable with this new feature if it was part of a larger effort to improve security for the stored passwords and there was some technical overview of how it worked. Is this solution based on Firefox Lockwise? I hope Mozilla isn't planning on later on forcing Thunderbird users to sync passwords with a Firefox Account.

"This new prompt is from the OS, and the OS would NEVER supply the OS password to an application."

The popup window has a "Windows Security" title. While in this case we can assume its legitimate its not exactly re-assuring . What assurance do we have that another program can't capture the password since it doesn't use a secure attention sequence?

"Many applications are now using this capability to protect the storage of passwords and other sensitive data on our computer"

Please name some popular ones that a typical user might use.