Home > Articles > Security > Network Security

This chapter is from the book

This chapter is from the book

Firefox and Thunderbird GarageFirefox and Thunderbird Garage

Learn More Buy

This chapter is from the book

This chapter is from the book

Firefox and Thunderbird GarageFirefox and Thunderbird Garage

Learn More Buy

Passwords

The Password Management section of Thunderbird can be accessed by going to Tools | Options | Advanced. Under the Saved Passwords section, you can manage your Stored Mail password settings as well as set a Master Password for your account. Note that the Password Manager functionality in Thunderbird is based on the same principles as those in Firefox, so there will be some overlap here between what is discussed in Chapter 2, "Protecting Your Security and Privacy." I have elected to go into a little more depth discussing the Master Password settings than what was covered in Chapter 2.

NOTE

Both Firefox and Thunderbird store their Master Passwords separately. If you happen to import from an older Netscape or Mozilla profile and set a master password in that profile, Firefox and Thunderbird both inherit that master password.

Managing Your Stored Mail Passwords

Clicking View Saved Passwords allows you to manage your stored passwords. See Chapter 2 for more information about the Password Manager functionality as well as some screenshots.

What Is a Master Password?

A master password is a mechanism that can be used to protect different types of devices (both software and hardware devices). Both Thunderbird and Firefox have built-in Software Security devices, so you are able to use a master password to manage the information that is stored on the device (literally, the software).

If you work in an office, someone probably has the master key to the office (and, if you are like me, you are usually trying to find that person when the alarm in the Riser Room is going off for no apparent reason...and Sparky is whining—well, that’s another story...). While the Master Password is not actually the Master Key in this instance, it does protect the Master Key, which is the mechanism used to protect potentially sensitive data—things such as your email password or certificates, for example.

Why Would You Want to Set a Master Password?

You might be using a machine that other people have access to, and you don’t want them to be able to download any new messages or send any messages from your account. If you have saved passwords and then set a Master Password, Thunderbird protects the saved passwords by prompting you for the Master Password when you click View Saved Passwords.

When you click Show Password, Thunderbird prompts you for the Master Password before you are allowed to see the saved password information.

Setting a Master Password

In addition to being able to store your saved passwords, Thunderbird allows you to set a Master Password for your mail accounts. Follow these steps to set your Master Password:

  1. Go to Tools | Options | Advanced.

  2. Click the Master Password button.

  3. As shown in Figure 11-6, make sure to check the box that says "Use a master password to encrypt stored passwords."

  4. Click Change Password.

  5. Make sure that "Software Security Device" shows in the drop-down menu.

  6. Type your password twice and click OK.

Figure 11.6

Figure 11-6 The Master Password options screen.

An Extra Layer of Security—Encrypting Versus Obscuring

"Encrypting" data and "obscuring" data are two very different animals. If you elect to save your mail passwords by using the Password Manager functionality built into Thunderbird, this information is stored locally on your computer in a file that is fairly difficult to crack (but it can be done). If you enable the check box in the first section that says "Use a master password to encrypt stored passwords," this file is then encrypted, making it extremely difficult for someone to open or view it.

Change Master Password

As shown in Figure 11-7, clicking Change Master Password launches a screen that allows you to change or set your Master Password. Make certain to pick a password that you will remember—if you forget your Master Password and have to reset it, you will lose all of your stored passwords. It also helps you to rely on the password quality meter when selecting a password—using combinations of numbers, letters (uppercase and lowercase), and symbols is always a good idea. Remember, if someone gets the master password to your account, he can easily masquerade as you in a number of ways.

Figure 11.7

Figure 11-7 The Thunderbird Change Master Password screen.

Master Password Timeout

You can use these settings to manage how often you want to be prompted for a Master Password. To be extra cautious, it might be wise to set the preference to "Every time it is needed."

Don’t Want Other People to See Your Messages?

Okay, I can’t be the only one who detests people hovering over my computer and reading my mail. If you are an IMAP user, there is a way you can configure Thunderbird so that the message pane (which shows the subject, and so on, of your mail) renders as blank until you log in and enter a password. Sound cool? Head over to Appendix E, "Hacking Configuration Files," to learn how to create a user.js file, and then add these two lines to the file: 

// Password protect the message list pane
   user_pref("mail.password_protect_local_cache", true);

The other option is to change the about:config line item from to . See Appendix E for more information on how to do this.

Reset Master Password

Resetting your Master Password causes you to lose all your stored passwords as well as any certificates or keys.

Using Anti-Virus Programs with Thunderbird

Depending on which type of anti-virus program you have installed, you might want to consider performing scans on incoming email messages as well as outbound messages (to make sure that you are not transmitting a virus).

Email can be a little trickier to scan, depending on how and where your email program stores your email. Some anti-virus programs can’t tell the difference between when a single email is infected or when an entire inbox or folder may be infected.

To make sure that you have a good anti-virus experience, you should make sure that you have an anti-virus program that is compatible with Thunderbird. For a list of programs that are compatible with Thunderbird, go to http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software.

I have personally used the free version of AVG’s Anti Virus (http://free.grisoft.com/doc/1) to scan incoming and outbound mail with Thunderbird 1.0 and experienced no problems.

Thunderbird Extension for Sender Verification: An Extension to Protect Yourself Against Phishing

The Thunderbird Extension for Sender Verification plugs into Thunderbird to help prevent the practice known as "phishing," which has become a widespread problem on the Internet. Phishing is a practice whereby you may get an email, purportedly from Citibank or AOL (these are two examples; there are countless others), that is not really sent by them and asks for your credit card number, password, or other sensitive information. These emails are often so cleverly designed that it is difficult to tell that they are fraudulent.

Note: If you are looking for the Firefox equivalent of this extension, see Chapter 7, "Customizing Firefox with Third-Party Extensions and Themes," for a discussion of Spoofstick.

This extension helps identify whether the sender of the email that appears in the "From" portion of the header was actually the domain sender of the email. It does this by attempting to verify the domain of the sending entity. For example, if generic@domain.com sends an email, the extension can report whether the email is coming from an @domain.com email domain. Note the extension cannot check whether a generic or any other @domain.com user was actually the person who sent the email. Remember, this extension is one way to help you recognize suspicious emails, but just because you get a positive verification on an email doesn’t mean that it is necessarily a legitimate email.

Because this extension performings verification, the author does caution that information is sent to his web server in order to complete the verification. If you are not comfortable with this, you have a few choices of other ways that this can be done. Go to http://taubz.for.net/code/spf/ to read the FAQ that explains other information regarding the extension. As this book goes to press, the Thunderbird development team is working on integrating phishing support directly into the application, so there is a good chance there will be another alternative available to try to combat this problem down the road. Note that banks and financial institutions will never ask you to reconfirm user account data via email, so be wary anytime you receive an email like this, even if it looks legitimate.

Although Thunderbird contains features that can help protect your privacy and security, there are no magic bullets for trying to eliminate practices such as phishing. Spyware, worms, and viruses may be transmitted via email messages, but you can also unknowingly download them from a website, and when installed on your computer they can affect your email that may be stored locally. Remote image blocking and configuring your spam controls are two ways Thunderbird can help, but the onus is still on you to err on the side of caution when an email just doesn’t "look right." One of the best ways to protect yourself is to make sure to use a good anti-virus program to scan your inbound and outbound email and to always keep your virus definitions up to date. Be cautious, watch your step, take your vitamins, and always remember to use real maple syrup on your pancakes.

InformIT Promotional Mailings & Special Offers

I would like to receive exclusive offers and hear about products from InformIT and its family of brands. I can unsubscribe at any time.

Overview


Pearson Education, Inc., 221 River Street, Hoboken, New Jersey 07030, (Pearson) presents this site to provide information about products and services that can be purchased through this site.

This privacy notice provides an overview of our commitment to privacy and describes how we collect, protect, use and share personal information collected through this site. Please note that other Pearson websites and online products and services have their own separate privacy policies.

Collection and Use of Information


To conduct business and deliver products and services, Pearson collects and uses personal information in several ways in connection with this site, including:

Questions and Inquiries

For inquiries and questions, we collect the inquiry or question, together with name, contact details (email address, phone number and mailing address) and any other additional information voluntarily submitted to us through a Contact Us form or an email. We use this information to address the inquiry and respond to the question.

Online Store

For orders and purchases placed through our online store on this site, we collect order details, name, institution name and address (if applicable), email address, phone number, shipping and billing addresses, credit/debit card information, shipping options and any instructions. We use this information to complete transactions, fulfill orders, communicate with individuals placing orders or visiting the online store, and for related purposes.

Surveys

Pearson may offer opportunities to provide feedback or participate in surveys, including surveys evaluating Pearson products, services or sites. Participation is voluntary. Pearson collects information requested in the survey questions and uses the information to evaluate, support, maintain and improve products, services or sites, develop new products and services, conduct educational research and for other purposes specified in the survey.

Contests and Drawings

Occasionally, we may sponsor a contest or drawing. Participation is optional. Pearson collects name, contact information and other information specified on the entry form for the contest or drawing to conduct the contest or drawing. Pearson may collect additional personal information from the winners of a contest or drawing in order to award the prize and for tax reporting purposes, as required by law.

Newsletters

If you have elected to receive email newsletters or promotional mailings and special offers but want to unsubscribe, simply email information@informit.com.

Service Announcements

On rare occasions it is necessary to send out a strictly service related announcement. For instance, if our service is temporarily suspended for maintenance we might send users an email. Generally, users may not opt-out of these communications, though they can deactivate their account information. However, these communications are not promotional in nature.

Customer Service

We communicate with users on a regular basis to provide requested services and in regard to issues relating to their account we reply via email or phone in accordance with the users' wishes when a user submits their information through our Contact Us form.

Other Collection and Use of Information


Application and System Logs

Pearson automatically collects log data to help ensure the delivery, availability and security of this site. Log data may include technical information about how a user or visitor connected to this site, such as browser type, type of computer/device, operating system, internet service provider and IP address. We use this information for support purposes and to monitor the health of the site, identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents and appropriately scale computing resources.

Web Analytics

Pearson may use third party web trend analytical services, including Google Analytics, to collect visitor information, such as IP addresses, browser types, referring pages, pages visited and time spent on a particular site. While these analytical services collect and report information on an anonymous basis, they may use cookies to gather web trend information. The information gathered may enable Pearson (but not the third party web trend services) to link information with application and system log data. Pearson uses this information for system administration and to identify problems, improve service, detect unauthorized access and fraudulent activity, prevent and respond to security incidents, appropriately scale computing resources and otherwise support and deliver this site and its services.

Cookies and Related Technologies

This site uses cookies and similar technologies to personalize content, measure traffic patterns, control security, track use and access of information on this site, and provide interest-based messages and advertising. Users can manage and block the use of cookies through their browser. Disabling or blocking certain cookies may limit the functionality of this site.

Do Not Track

This site currently does not respond to Do Not Track signals.

Security


Pearson uses appropriate physical, administrative and technical security measures to protect personal information from unauthorized access, use and disclosure.

Children


This site is not directed to children under the age of 13.

Marketing


Pearson may send or direct marketing communications to users, provided that

  • Pearson will not use personal information collected or processed as a K-12 school service provider for the purpose of directed or targeted advertising.
  • Such marketing is consistent with applicable law and Pearson's legal obligations.
  • Pearson will not knowingly direct or send marketing communications to an individual who has expressed a preference not to receive marketing.
  • Where required by applicable law, express or implied consent to marketing exists and has not been withdrawn.

Pearson may provide personal information to a third party service provider on a restricted basis to provide marketing solely on behalf of Pearson or an affiliate or customer for whom Pearson is a service provider. Marketing preferences may be changed at any time.

Correcting/Updating Personal Information


If a user's personally identifiable information changes (such as your postal address or email address), we provide a way to correct or update that user's personal data provided to us. This can be done on the Account page. If a user no longer desires our service and desires to delete his or her account, please contact us at customer-service@informit.com and we will process the deletion of a user's account.

Choice/Opt-out


Users can always make an informed choice as to whether they should proceed with certain services offered by InformIT. If you choose to remove yourself from our mailing list(s) simply visit the following page and uncheck any communication you no longer want to receive: www.informit.com/u.aspx.

Sale of Personal Information


Pearson does not rent or sell personal information in exchange for any payment of money.

While Pearson does not sell personal information, as defined in Nevada law, Nevada residents may email a request for no sale of their personal information to NevadaDesignatedRequest@pearson.com.

Supplemental Privacy Statement for California Residents


California residents should read our Supplemental privacy statement for California residents in conjunction with this Privacy Notice. The Supplemental privacy statement for California residents explains Pearson's commitment to comply with California law and applies to personal information of California residents collected in connection with this site and the Services.

Sharing and Disclosure


Pearson may disclose personal information, as follows:

  • As required by law.
  • With the consent of the individual (or their parent, if the individual is a minor)
  • In response to a subpoena, court order or legal process, to the extent permitted or required by law
  • To protect the security and safety of individuals, data, assets and systems, consistent with applicable law
  • In connection the sale, joint venture or other transfer of some or all of its company or assets, subject to the provisions of this Privacy Notice
  • To investigate or address actual or suspected fraud or other illegal activities
  • To exercise its legal rights, including enforcement of the Terms of Use for this site or another contract
  • To affiliated Pearson companies and other companies and organizations who perform work for Pearson and are obligated to protect the privacy of personal information consistent with this Privacy Notice
  • To a school, organization, company or government agency, where Pearson collects or processes the personal information in a school setting or on behalf of such organization, company or government agency.

Links


This web site contains links to other sites. Please be aware that we are not responsible for the privacy practices of such other sites. We encourage our users to be aware when they leave our site and to read the privacy statements of each and every web site that collects Personal Information. This privacy statement applies solely to information collected by this web site.

Requests and Contact


Please contact us about this Privacy Notice or if you have any requests or questions relating to the privacy of your personal information.

Changes to this Privacy Notice


We may revise this Privacy Notice through an updated posting. We will identify the effective date of the revision in the posting. Often, updates are made to provide greater clarity or to comply with changes in regulatory requirements. If the updates involve material changes to the collection, protection, use or disclosure of Personal Information, Pearson will provide notice of the change through a conspicuous notice on this site or other appropriate way. Continued use of the site after the effective date of a posted revision evidences acceptance. Please contact us if you have questions or concerns about the Privacy Notice or any objection to any revisions.

Last Update: November 17, 2020