Passwords

Note

Both Firefox and Thunderbird store their Master Passwords separately. If you happen to import from an older Netscape or Mozilla profile and set a master password in that profile, Firefox and Thunderbird both inherit that master password.

The Password Management section of Thunderbird can be accessed by going to Tools | Options | Advanced. Under the Saved Passwords section, you can manage your Stored Mail password settings as well as set a Master Password for your account. Note that the Password Manager functionality in Thunderbird is based on the same principles as those in Firefox, so there will be some overlap here between what is discussed in Chapter 2, "Protecting Your Security and Privacy." I have elected to go into a little more depth discussing the Master Password settings than what was covered in Chapter 2.

Managing Your Stored Mail Passwords

Clicking View Saved Passwords allows you to manage your stored passwords. See Chapter 2 for more information about the Password Manager functionality as well as some screenshots.

What Is a Master Password?

A master password is a mechanism that can be used to protect different types of devices (both software and hardware devices). Both Thunderbird and Firefox have built-in Software Security devices, so you are able to use a master password to manage the information that is stored on the device (literally, the software).

If you work in an office, someone probably has the master key to the office (and, if you are like me, you are usually trying to find that person when the alarm in the Riser Room is going off for no apparent reason...and Sparky is whiningwell, that's another story...). While the Master Password is not actually the Master Key in this instance, it does protect the Master Key, which is the mechanism used to protect potentially sensitive datathings such as your email password or certificates, for example.

Why Would You Want to Set a Master Password?

You might be using a machine that other people have access to, and you don't want them to be able to download any new messages or send any messages from your account. If you have saved passwords and then set a Master Password, Thunderbird protects the saved passwords by prompting you for the Master Password when you click View Saved Passwords.

When you click Show Password in the Password Manager dialog box, Thunderbird prompts you for the Master Password before you are allowed to see the saved password information.

Setting a Master Password

In addition to being able to store your saved passwords, Thunderbird allows you to set a Master Password for your mail accounts. Follow these steps to set your Master Password:

1.	Go to Tools \| Options \| Advanced.
2.	Click the Master Password button.
3.	As shown in Figure 11-6, make sure to check the box that says "Use a master password to encrypt stored passwords." Figure 11-6. The Master Password options screen.
4.	Click Change Password.
5.	Make sure that "Software Security Device" shows in the dropdown menu.
6.	Type your password twice and click OK.

An Extra Layer of Security Encrypting Versus Obscuring

"Encrypting" data and "obscuring" data are two very different animals. If you elect to save your mail passwords by using the Password Manager functionality built into Thunderbird, this information is stored locally on your computer in a file that is fairly difficult to crack (but it can be done). If you enable the check box in the first section that says "Use a master password to encrypt stored passwords," this file is then encrypted, making it extremely difficult for someone to open or view it.

Change Master Password

As shown in Figure 11-7, clicking Change Master Password launches a screen that allows you to change or set your Master Password. Make certain to pick a password that you will rememberif you forget your Master Password and have to reset it, you will lose all of your stored passwords. It also helps you to rely on the password quality meter when selecting a passwordusing combinations of numbers, letters (uppercase and lowercase), and symbols is always a good idea. Remember, if someone gets the master password to your account, he can easily masquerade as you in a number of ways.

Figure 11-7. The Thunderbird Change Master Password screen.

FAQ: Don't Want Other People to See Your Messages?

Okay, I can't be the only one who detests people hovering over my computer and reading my mail. If you are an IMAP user, there is a way you can configure Thunderbird so that the message pane (which shows the subject, and so on, of your mail) renders as blank until you log in and enter a password. Sound cool? Head over to Appendix E, "Hacking Configuration Files," to learn how to create a user.js file, and then add these two lines to the file:

 // Password protect the message list pane    user_pref("mail.password_protect_local_cache", true);

The other option is to change the about:config line item from false to true. See Appendix E for more information on how to do this.

Master Password Timeout

You can use these settings to manage how often you want to be prompted for a Master Password. To be extra cautious, it might be wise to set the preference to "Every time it is needed."

Reset Master Password

Resetting your Master Password causes you to lose all your stored passwords as well as any certificates or keys.

Using Anti-Virus Programs with Thunderbird

Depending on which type of anti-virus program you have installed, you might want to consider performing scans on incoming email messages as well as outbound messages (to make sure that you are not transmitting a virus).

Email can be a little trickier to scan, depending on how and where your email program stores your email. Some anti-virus programs can't tell the difference between when a single email is infected or when an entire inbox or folder may be infected.

To make sure that you have a good anti-virus experience, you should make sure that you have an anti-virus program that is compatible with Thunderbird. For a list of programs that are compatible with Thunderbird, go to http://kb.mozillazine.org/Thunderbird_:_FAQs_:_Anti-virus_Software.

I have personally used the free version of AVG's Anti Virus (http://free.grisoft.com/doc/1) to scan incoming and outbound mail with Thunderbird 1.0 and experienced no problems.

TOOL KIT: Thunderbird Extension for Sender Verification: An Extension to Protect Yourself Against Phishing

The Thunderbird Extension for Sender Verification plugs into Thunderbird to help prevent the practice known as "phishing," which has become a widespread problem on the Internet. Phishing is a practice whereby you may get an email, purportedly from Citibank or AOL (these are two examples; there are countless others), that is not really sent by them and asks for your credit card number, password, or other sensitive information. These emails are often so cleverly designed that it is difficult to tell that they are fraudulent.

Note: If you are looking for the Firefox equivalent of this extension, see Chapter 7, "Customizing Firefox with Third-Party Extensions and Themes," for a discussion of Spoofstick.

This extension helps identify whether the sender of the email that appears in the "From" portion of the header was actually the domain sender of the email. It does this by attempting to verify the domain of the sending entity. For example, if generic@domain.com sends an email, the extension can report whether the email is coming from an @domain.com email domain. Note that this extension cannot check whether a generic or any other @domain.com user was actually the person who sent the email. Remember, this extension is one way to help you recognize suspicious emails, but just because you get a positive verification on an email doesn't mean that it is necessarily a legitimate email.

Because this extension performs verification, the author does caution that information is sent to his web server in order to complete the verification. If you are not comfortable with this, you have a few choices of other ways that this can be done. Go to http://taubz.for.net/code/spf/ to read the FAQ that explains other information regarding the extension. As this book goes to press, the Thunderbird development team is working on integrating phishing support directly into the application, so there is a good chance there will be another alternative available to try to combat this problem down the road. Note that banks and financial institutions will never ask you to reconfirm user account data via email, so be wary anytime you receive an email like this, even if it looks legitimate.

Although Thunderbird contains features that can help protect your privacy and security, there are no magic bullets for trying to eliminate practices such as phishing. Spyware, worms, and viruses may be transmitted via email messages, but you can also unknowingly download them from a website, and when installed on your computer they can affect your email that may be stored locally. Remote image blocking and configuring your spam controls are two ways Thunderbird can help, but the onus is still on you to err on the side of caution when an email just doesn't "look right." One of the best ways to protect yourself is to make sure to use a good anti-virus program to scan your inbound and outbound email and to always keep your virus definitions up to date. Be cautious, watch your step, take your vitamins, and always remember to use real maple syrup on your pancakes.