搜尋 Mozilla 技術支援網站

防止技術支援詐騙。我們絕對不會要求您撥打電話或發送簡訊,或是提供個人資訊。請用「回報濫用」功能回報可疑的行為。

了解更多

Prompted to change password encryption; is someone trying to steal my password?

more options

Recently, when opening Thunderbird, I got the following error message:

"The IMAP server (server name) does not seem to support encrypted passwords. If you just set up the account, please try changing to 'Password, transmitted insecurely' as the 'Authentication method' in the 'Account Settings | Server settings'. If it used to work and now suddenly fails, this is a common scenario how someone could steal your password."

Based on an answer to a similar post in another forum, I changed the Connection security from "None" to "SSL/TLS" and the Authentication method from "Encrypted password" to "Password". Everything seems to work now, but I didn't change the port, as prompted in the post.

I'm not familiar with how encryption works, so my first question is this:

  • Does the choice of port have any meaning to ensure that my email traffic, or at least the password, is encrypted?

Also, since it used to work before, I'm worried that someone is trying to steal my password. However, I can't understand from the error message how this would be an attempt to steal my password.

  • Can someone explain what kind of attack would render the error message above, to give me an understanding of how to protect myself? I.e. have I done something wrong, what weaknesses would have been exploited in this case etc.
Recently, when opening Thunderbird, I got the following error message: "The IMAP server (server name) does not seem to support encrypted passwords. If you just set up the account, please try changing to 'Password, transmitted insecurely' as the 'Authentication method' in the 'Account Settings | Server settings'. If it used to work and now suddenly fails, this is a common scenario how someone could steal your password." Based on an answer to a similar post in another forum, I changed the Connection security from "None" to "SSL/TLS" and the Authentication method from "Encrypted password" to "Password". Everything seems to work now, but I didn't change the port, as prompted in the post. I'm not familiar with how encryption works, so my first question is this: * Does the choice of port have any meaning to ensure that my email traffic, or at least the password, is encrypted? Also, since it used to work before, I'm worried that someone is trying to steal my password. However, I can't understand from the error message how this would be an attempt to steal my password. * Can someone explain what kind of attack would render the error message above, to give me an understanding of how to protect myself? I.e. have I done something wrong, what weaknesses would have been exploited in this case etc.

被選擇的解決方法

Does the choice of port have any meaning to ensure that my email traffic, or at least the password, is encrypted?

Yes, with Connection security "None" port 143 is used, and all email traffic to and from the IMAP server is in the clear, including your password. With Connection security "SSL/TLS" port 993 is used, and all email traffic to and from the IMAP server is encrypted, including your password. So this is what you want.

Few, if any, email providers use "Encrypted password" as Authentication method. In connection with SSL/TLS typically "Normal password" authentication is used. More and more email providers such as Google, AOL, and Yahoo are using "OAuth2" authentication.

Can someone explain what kind of attack would render the error message above, to give me an understanding of how to protect myself?

I don't know. It isn't clear to me who or what generated the error. Wrt protecting yourself, always use a strong password, ideally one generated with a password manager.

I.e. have I done something wrong, what weaknesses would have been exploited in this case etc.

Don't use Connection security "None". If an email provider doesn't support TLS, then find another provider.

從原來的回覆中察看解決方案 👍 1

所有回覆 (2)

more options

選擇的解決方法

Does the choice of port have any meaning to ensure that my email traffic, or at least the password, is encrypted?

Yes, with Connection security "None" port 143 is used, and all email traffic to and from the IMAP server is in the clear, including your password. With Connection security "SSL/TLS" port 993 is used, and all email traffic to and from the IMAP server is encrypted, including your password. So this is what you want.

Few, if any, email providers use "Encrypted password" as Authentication method. In connection with SSL/TLS typically "Normal password" authentication is used. More and more email providers such as Google, AOL, and Yahoo are using "OAuth2" authentication.

Can someone explain what kind of attack would render the error message above, to give me an understanding of how to protect myself?

I don't know. It isn't clear to me who or what generated the error. Wrt protecting yourself, always use a strong password, ideally one generated with a password manager.

I.e. have I done something wrong, what weaknesses would have been exploited in this case etc.

Don't use Connection security "None". If an email provider doesn't support TLS, then find another provider.

more options

Thank you christ1 for your detailed answer. It helped me ask the right questions when reaching out to my email provider.