You are here

Privacy, password protection, unsafe software

13 posts / 0 new
Last post
mart7t
mart7t's picture
Offline
Last seen: 13 years 11 months ago
Joined: 2009-07-30 07:43
Privacy, password protection, unsafe software

I use Thunderbird portable on my usb flash drive at uni and everywhere else. Privacy of email is absolutely important to protect against identity theft. Portable Thunderbird is a beautiful portable app with some really great features except for the one I need the most, and that is a password protection feature. Before accessing any emails, there needs to be a requirement to enter the correct password. I've heard some arguments that users should instead rely on user accounts within the operating system, but this is hardly relevant for a portable app since you often would not be using your own computer. Another argument is that password protection may not be a very secure type of protection, however I think most people are not hackers and most people also would not be interested enough to try and get around the password. I think the protection is mostly useful to guard against casual or amateur prying rather than professional hacking. However, even the most simple password protection has not been included in Thunderbird to my knowledge. Is there anyone else who is interested in this feature?

Chris Morgan
Chris Morgan's picture
Offline
Last seen: 9 years 6 months ago
Joined: 2007-04-15 21:08
Master password

It's called the master password.

I am a Christian and a developer and moderator here.

“A soft answer turns away wrath, but a harsh word stirs up anger.” – Proverbs 15:1

ottosykora
Offline
Last seen: 9 hours 49 min ago
Joined: 2007-10-11 17:48
will protect passwords

but of course not the mails, addresses, account settings or other data itself, mails are still stored in plain text on the drive readable for everyone.
So while it will become difficult to missuse the stored accounts (password will be missing), the mails are fully open still.

There is also an extension called 'profilepassword' , this will simply ask a password when someone tries to open the GUI, but of course also here, all data and mails and addresses etc are provided in plain text on the drive, no hacking or password cracking needed, just notepad.exe

I am still confused with why someone likes to take the extra step to enter again one more password when all data are still readable for everyone without any tricks to bypass' passwords etc.

Otto Sykora
Basel, Switzerland

mart7t
mart7t's picture
Offline
Last seen: 13 years 11 months ago
Joined: 2009-07-30 07:43
Still confused

You are not the only one who is still confused. Thunderbird as a portable app should come encapsulated in its own encrypted container or other such feature to protect "data" from being opened by a text editor. I mean come on, let's be fair dinkum about this, what kind of data do people store in their email account? As for me, I have a gmail account and I use gspace to backup all my crucial data, some of which pertains to banking and finance, as well as system logs and suchlike. Furthermore, every time you take membership in a site, they email to you your username and password and of course you don't want anyone else to access this email. So bearing all this in mind, I think in this scenario the very idea of portable email is a ridiculous notion in the first place because of its inherent security risk. It is only useful if you use email for innocuous non-personal, non-sensitive conversations, and not for 'normal' email pertaining to memberships or data backup. In which case it's not a very useful email account is it.

The only solution to this that I can find is to run portable Truecrypt and keep the Thunderbird folders inside the encrypted container. It just seems a jolly nuisance to have to run another program before I can run Thunderbird. Actually, I think webmail is far easier except when internet access is not available, but occasions and locations where this is likely to be the case are few and far in between in this day and age.

Martin

consul
consul's picture
Offline
Last seen: 1 year 2 months ago
Joined: 2007-05-02 13:47
carelessness is universal ...

in that if you would lose your usb or whatever portable hard-drive you may use, then yes, the need for encryption is a high priority.

If there are sensitive items, keep them on the server that feel is most secure and don't download them to your Local Folders.

Don't be an uberPr∅. They are stinky.

ottosykora
Offline
Last seen: 9 hours 49 min ago
Joined: 2007-10-11 17:48
right

this is one of the drawbacks of thunderbird, I assume this is something historical.

This can not be changed here, the mozilla devs have to make one day something new.

And note: Thunderbird is not a portable app itself, it is jsut one of many apps wrapped to become portable by portableapps.com.

I don't know about the behavior of other mail clients in recent times in detail, well outlook had always a kind of internal obfuscation of the contents, OE was not easy to read, but possible, earlier mail clients were simply build so they store all in some kind of plain text format. Most mail clients have infos stored more or less human readable still, apart from those 'big' once as outlook.

One can put all into a container like truecrypt, but it is not portable very much as it needs admin rights on the host machine.

There is simply no solution to the problem apart from some hardware encryption stick.

I am using: http://www.corsair.com/usb-drives/padlock.html

----
Had just quick look how other mail clients apart from outlook store data.
DreamMail: mails are in .eml format, which is simple text file, message source in fact.

Windows Live Mail, the current free mail client from MS: stores mails in .eml format

All plain text, each mail single file, with date and time.

Would probably find out that other simple mail clients like incredimail and similar toys behave compatible.

Otto Sykora
Basel, Switzerland

Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
Volume Encryption

How about the ago-old solution of putting ThunderbirdPortable (or any other app for that matter) inside a TrueCrypt/FreeOTFE encrypted container. Of course you have all the problems associated with that, namely that admin rights are required, but it is a solution if data security is paramount.

kermik
Offline
Last seen: 2 months 1 week ago
Joined: 2006-10-19 03:18
Password
Darkbee
Darkbee's picture
Offline
Last seen: 4 years 7 months ago
Joined: 2008-04-14 09:41
No Good

It was already stated that something like a master password is easily bypassed, and doesn't do anything to protect the actual data. All the emails are still readable directly from the disk.

In addition, if you look about halfway down the page on that link you'll see that it states:

MasterPassword+ Add-OnDisclaimer
This extension cannot guaranty total protection, simply because anyone can disable it even without starting the browser.

.

So, this is not the solution.

kermik
Offline
Last seen: 2 months 1 week ago
Joined: 2006-10-19 03:18
Sorry, should have read

the whole text - too quick on the draw Sad

ottosykora
Offline
Last seen: 9 hours 49 min ago
Joined: 2007-10-11 17:48
master password extension

does protect all other passwords stored in the password store of the app, it does not protect any other data as mails etc. Those remain stored in text, readable for everyone within the profile.

Otto Sykora
Basel, Switzerland

solanus
solanus's picture
Offline
Last seen: 10 years 2 months ago
Joined: 2006-01-21 19:12
The best security is hardware level

Not long ago, it would have been prohibitively expensive to get a flash drive with hardware-level security. But now, just Google "Secure Flash Drive" and you get a wide range of prices and solutions.
IronKey is still expensive, but there are plenty of others that use a variety of different security systems, including combination locks and fingerprint swipers.
A lot of these are very affordable.

Sure they are more expensive than your generic Staples flash drive, but if security is really a concern, then you should be willing to spend a little more to protect your info.

I made this half-pony, half-monkey monster to please you.

ArthurL
Offline
Last seen: 9 years 5 months ago
Joined: 2011-03-05 10:34
Use truecrypt to encrypt the

Use truecrypt to encrypt the USB or part of it. Else try OTFE as I think that overcomes to a limited extent Admin rights issues.

Log in or register to post comments