
Password for signing messages


Jann Röder

Oct 19, 2009, 5:52:13 PM
I noticed a change from TB2 when signing messages using SMIME: In TB2 I
always had to enter my crypto password. Now I don't have to enter
anything unless I specify a general Master password, but I also only
need to enter this once per session. Is there a hidden setting that got
corrupted during the update or is this intentional? I think this is a
security issue. There should at least be an option to ask for the
password every time I want to sign a message.

Jann

Nelson B Bolyard

Oct 27, 2009, 8:08:13 PM
On 10/19/09 14:52, Jann Röder wrote:
> I noticed a change from TB2 when signing messages using SMIME: In TB2 I
> always had to enter my crypto password. Now I don't have to enter anything
> unless I specify a general Master password,

Your Master password IS your crypto password.

> but I also only need to enter this once per session. Is there a hidden
> setting that got corrupted during the update or is this intentional?

The default was changed, and everyone was changed to use the new default.
You can change it back.

> I think this is a security issue. There should at least be an option to
> ask for the password every time I want to sign a message.

There is such an option. However, you may run into some buggy behavior that
will annoy you by asking you for your password very frequently, in which case
you may want to change it to the new default again.


Go into the Preferences dialog, General Tab. Click the "Config Editor" button.
In the "Filter" box, type password.
There you will find a bunch of preferences with the word password in the name.
You will change 3 of them. Double-click on them to change them.
Change

security.ask_for_password to 1 or 2
1 means "ask EVERY time it's needed"
2 means "ask if you haven't asked in N minutes"
where N is set below.

security.password_lifetime to your choice for N minutes
I use 5. If you "ask every time" then this number doesn't matter.

signon.expireMasterPassword to true

>
> Jann
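
A check for whether the three settings from the post above were actually saved, as an added example that is not part of the original thread. It assumes the profile's prefs.js (or a user.js) holds them as `user_pref("name", value);` lines; the function names and the sample text are constructed for illustration.

```python
import re

# Matches one line of prefs.js / user.js syntax: user_pref("name", value);
PREF_RE = re.compile(r'^\s*user_pref\(\s*"([^"]+)"\s*,\s*(.+?)\s*\)\s*;\s*$')

def parse_prefs(text):
    """Return {name: value} with booleans and integers converted."""
    prefs = {}
    for line in text.splitlines():
        m = PREF_RE.match(line)
        if not m:
            continue  # comments, blank lines, anything that is not a user_pref
        name, raw = m.groups()
        if raw in ("true", "false"):
            prefs[name] = (raw == "true")
        elif re.fullmatch(r"-?\d+", raw):
            prefs[name] = int(raw)
        else:
            prefs[name] = raw.strip('"')
    return prefs

def audit(prefs):
    """List deviations from the three settings in the post; [] means all applied."""
    findings = []
    mode = prefs.get("security.ask_for_password")
    if type(mode) is not int or mode not in (1, 2):
        findings.append("security.ask_for_password=%r (post says 1 or 2)" % (mode,))
    elif mode == 2:
        # The lifetime only matters in mode 2 ("ask if you haven't asked in N minutes").
        life = prefs.get("security.password_lifetime")
        if type(life) is not int or life <= 0:
            findings.append("security.password_lifetime=%r (need N > 0 minutes)" % (life,))
    if prefs.get("signon.expireMasterPassword") is not True:
        findings.append("signon.expireMasterPassword is not true")
    return findings

# Constructed sample input, not taken from a real profile.
SAMPLE_APPLIED = '''// constructed prefs.js excerpt
user_pref("security.ask_for_password", 2);
user_pref("security.password_lifetime", 5);
user_pref("signon.expireMasterPassword", true);
'''
SAMPLE_UNCHANGED = '''// constructed prefs.js excerpt
user_pref("example.constructed.pref", 1);
'''

if __name__ == "__main__":
    for label, text in (("applied", SAMPLE_APPLIED), ("unchanged", SAMPLE_UNCHANGED)):
        print(label, audit(parse_prefs(text)) or "OK")
```

An empty result only confirms the values were persisted; whether the client then prompts as configured is a separate question.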

Jann Röder

Oct 28, 2009, 8:25:44 AM
The master password also protects the mail server passwords, doesn't it?
I certainly don't want to enter this every time I check my e-mail. I
thought there were different passwords for crypto and for mail server
passwords, but maybe that was a wrong impression.

Thanks for clearing that up.

Jann

On 28.10.09 01:08, Nelson B Bolyard wrote:

Nelson Bolyard

Oct 29, 2009, 2:27:48 AM
On 2009-10-28 05:25 PDT, Jann Röder wrote:
> The master password also protects the mail server passwords, doesn't it?
> I certainly don't want to enter this every time I check my e-mail.

hmm. Yes, the master password also protects mail server passwords stored
by the password manager. I think it MAY be that mail server passwords
may work differently. It may be that, once you use your mail server
password the first time, you won't be asked for the master password for
it again, regardless of the setting of security.ask_for_password and
security.password_lifetime. However, it may be that this is only true
if signon.expireMasterPassword is false. I suggest you play with those
settings a bit and let us know if you find a combination that suits you,
and if so, let us know.

Jann Röder

Nov 1, 2009, 7:43:09 AM
On 29.10.09 07:27, Nelson Bolyard wrote:

There seems to be something wrong. I played around with those settings,
but nothing changed. I have the Master password enabled, so it asks me
for the password when I launch TB, but after that it never asks again,
no matter what the settings are.

I have
security.ask_for_password = 2
security.password_lifetime = 5
signon.expireMasterPassword = true

Jann
