

Thunderbird, using a master password

Article for: Thunderbird users
Difficulty: easy
Importance: Will provide a little more protection for your Email

Email passwords are a potential security problem. If you let Thunderbird save your passwords, then anyone who has access to your computer will have access to all your email passwords. In just a few clicks they can reveal all your email account passwords. If you don't let Thunderbird save your email passwords, you must enter them every time you check your email. This is much too difficult if you have one account. It is absurd if you have multiple accounts.

So, how can you gain the security of safe passwords without the hassle of entering a long password for each account? Email is important and contains sensitive information, so we want our email accounts to have strong passwords. Weak email passwords are a bad solution. Fortunately, Thunderbird provides an option: you can use a master password to encrypt your saved passwords. Then you just need to enter that one password and you'll have secure access to all your accounts.

Despite this being my recommended solution, there are two issues you need to understand:
  • This only encrypts your passwords saved by Thunderbird. Your emails themselves are still available to anyone who has access to your computer.
  • Thunderbird does not use current best practices to store the encrypted passwords. Unless the master password is very good, a skilled hacker can break it.

You have two options:

  1. A weak master password. Normally, I wouldn't recommend a weak password, but this might still be the best solution. If you use a simple three- or four-character quick password to encrypt your strong email account passwords, you prevent most attacks. Malware that assumes no encryption will not work against you. An attacker who does not have software to attack a Thunderbird master password will be powerless against you. However, a skilled hacker could still break it. Most of you will not face a skilled hacker. So this simple, quick solution is probably 50 times as safe as leaving the passwords unencrypted and open.
  2. I start my day by opening KeePass. Then I use its autotype to deliver the password to my Mail program. This allows me to have a strong password. You can do the same thing with Thunderbird and use a strong password for Thunderbird; just use your password manager to deliver the password. This is the best solution, but only works if you use your password safe every day, and it works with desktop apps.

Further Reading

  • Protecting Outlook PST files.
  • Protecting Intellect files. Intellect has an option to force a password (minimally secure) upon opening the program. It is in Options > Program Settings > General; then select Simple Password.
  • Article from Mozilla describing how they encrypt passwords. Essentially, they explain that they don't use current best practices.

Date: January 2019

Creative Commons License
This article is licensed under a Creative Commons Attribution-NoDerivs 3.0 Unported License.
