TB storing a random string instead of my real password for one account

  • 6 replies
  • 0 have this problem
  • Last reply by hmonline1


Having TB 128.5.2esr (64-bit) suddenly start to occasionally complain about timing out when connecting to an outlook.office365.com account that usually works OK, I had a look at the saved passwords to see if it was using the wrong one (thinking there could be problems with all the places my PC seems to save passwords - Google, Bitwarden, TB etc).

I found the same account not only had two identical entries with passwords that were last changed over a year ago but a third password that said it was changed on 29th Dec 24, which consisted of a long random string of characters instead of the proper password that I set for that account. I haven't manually changed the password for a while now, nor have I been challenged to enter a password when getting messages (before or after 29th).

All my other accounts show the proper password in plain text, it also showed the password for this account that was changed a year ago in plain text - twice.

Question 1: Why does it show the password as being changed on 29th Dec when I haven't changed it, nor entered one on demand?

Question 2: Why has the password been set to what seems to be a 444 character Outlook cookie instead of the real password?

Additional info: Going back to the password setting page of TB while I'm writing this post, yet another password for this account has appeared. That also is set to what appears to be another Outlook cookie (different from the first one), with a date changed date of today!

I edited the password to the proper one in TB, shut TB down, reopened it and got my new messages (without a timeout this time) but my saved password is once again set to an Outlook cookie.

TB settings are:

  • Server Type: IMAP Mail Server
  • Server Name: outlook.office365.com
  • Port: 993
  • Security: SSL/TLS
  • Authentication: OAuth2


Chosen solution

The 'password' with 444 characters is the token stored by the OAuth2 authentication. It is labelled oauth:// in Saved Passwords. Accounts with normal password authentication are labelled imap:// or smtp://. The imap:// and smtp:// entries that show the account password for outlook.com accounts can be removed.
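
As an added example (not part of the thread and not Thunderbird code), this Python script audits a profile's logins.json by origin scheme, separating oauth:// token entries from imap:// and smtp:// password entries and marking the latter as leftovers once a token exists. The sample data, the `audit_logins` name and the `OAUTH_MAIL_HOSTS` set are constructed assumptions.

```python
import json
from datetime import datetime, timezone
from urllib.parse import urlsplit

# Constructed sample shaped like a Thunderbird profile's logins.json.
# Encrypted fields are placeholders; hosts and timestamps are illustrative.
SAMPLE_LOGINS = json.dumps({"logins": [
    {"hostname": "imap://outlook.office365.com",
     "encryptedPassword": "<blob>", "timePasswordChanged": 1700000000000},
    {"hostname": "smtp://smtp.office365.com",
     "encryptedPassword": "<blob>", "timePasswordChanged": 1700000000000},
    {"hostname": "oauth://login.microsoftonline.com",
     "encryptedPassword": "<blob>", "timePasswordChanged": 1735430400000},
    {"hostname": "imap://imap.example.org",
     "encryptedPassword": "<blob>", "timePasswordChanged": 1700000000000},
]})

# Assumption: mail servers of the accounts that now authenticate with OAuth2.
OAUTH_MAIL_HOSTS = frozenset({"outlook.office365.com", "smtp.office365.com"})


def audit_logins(raw, oauth_mail_hosts=OAUTH_MAIL_HOSTS):
    """Return (origin, kind, date changed) for every saved login entry."""
    entries = json.loads(raw).get("logins", [])
    schemes = [urlsplit(e.get("hostname", "")).scheme for e in entries]
    has_token = "oauth" in schemes
    report = []
    for entry, scheme in zip(entries, schemes):
        origin = entry.get("hostname", "")
        host = urlsplit(origin).hostname
        changed = datetime.fromtimestamp(
            entry.get("timePasswordChanged", 0) / 1000, tz=timezone.utc
        ).date().isoformat()
        if scheme == "oauth":
            kind = "oauth-token"        # token, not the account password
        elif scheme in ("imap", "smtp") and has_token and host in oauth_mail_hosts:
            kind = "leftover-password"  # superseded by the token, removable
        elif scheme in ("imap", "smtp"):
            kind = "password"           # normal password authentication
        else:
            kind = "other"
        report.append((origin, kind, changed))
    return report


if __name__ == "__main__":
    for row in audit_logins(SAMPLE_LOGINS):
        print(*row, sep="\t")
```

Point it at a copy of the profile's logins.json rather than the live file; the origin and timestamp fields are readable without decrypting the stored secrets.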


All Replies (6)

Thank you. That makes complete sense.

Does that mean I can no longer see my saved password in TB? It's handy to check it's the right one for when things go wrong.

Modified by hmonline1

I don't think it hurts to leave them exposed, as access to Saved Passwords is protected by your Windows user account password.

Thanks, what I really meant was I can no longer see my actual password for that account. So I can't confirm that it's the right one if I ever need to, unlike all the other passwords. Plus I have to make sure it's written down somewhere else in case I forget it and need it again. Rather negates TB's page where you can view passwords if you can't see the real thing. Or am I misunderstanding it?

By not showing the account passwords, I suppose this adds additional security, but maintaining a list of passwords should probably be done outside of any particular app. There are plenty of password managers, and even a password-protected zip file is probably sufficient.

@sfhowes, Thanks, that seems to confirm that the answer is No. For those Outlook accounts, TB's password page is pretty useless as you cannot see the passwords anyway.

In my own case, all my passwords, email and otherwise, are already stored using my favourite PW manager, Bitwarden, one of the many password managers out there (but also many of my passwords will also have been automatically stored as well in Lastpass, probably in Chrome, maybe in Edge, perhaps Amazon etc. - which really increases my security <ironic grin>).

However, in the past it has been really handy to be able to see my email passwords quickly and in plain text using TB. It saved time opening my Bitwarden PW manager and searching for each of my email account passwords one at a time. In TB they were all shown there on one screen. I used it only recently when trying out different email clients when TB refused to connect and I wanted to set up multiple accounts in those alternative clients quickly.

Personally I find it irritating when programs hide my own data (eg a password) from me as I like to confirm what I have entered. I hate those programs, like Outlook, that ask for a password, show it in asterisks as I enter it and then never show it to me again. I like to be sure I have entered it correctly, particularly if copy/pasting from a password manager. Maybe MS assume everyone is working in an office, surrounded by nefarious office workers looking over your shoulder. Perhaps they don't understand that some people work at home, on their own, and in complete privacy.

End of rant - Thanks for the reply though.
