Thunderbird 60.3.3 fixes password deletion issue
Thunderbird users who use a Master Password in the application to protect passwords may have been exposed to a password deletion issue in recent versions of the email client.
The release of Thunderbird 60.3.3 fixes the issue on all affected systems. The issue was introduced in client version 60.0 released in August 2018.
The major release introduced new functionality and made some changes to Thunderbird; one of those changes migrated the security databases key3.db and cert8.db used to store passwords and certificates to key4.db and cert9.db.
Thunderbird installations affected by the issue had saved passwords and private certificate keys deleted. The issue affected installations with master passwords. Master Passwords are not used by default but may be enabled in the Thunderbird email client to improve security.
Thunderbird users need to open Tools > Options > Security > Passwords to protect passwords with a Master Password. Just check the "use a master password" box on the page and follow the instructions to add it to the program.
The development team notes that affected users may restore a backed up version of the databases to regain access to passwords and private certificates. How that is done is not mentioned, however. The backups, with the .bak extension, are listed in the Thunderbird profile folder.
Affected users could rename the current file, e.g. key3.db, and rename the backup file key3.bak afterward. It is not clear if that is the method that the team suggests; make sure you back up all files before you proceed.
Thunderbird 60.3.3 fixes three additional issues:
- Slow address book search and auto-complete functionality.
- Plain text markup did not work with non-ASCII characters.
- Links were not removed when a link location was removed in the link properties panel.
The version of the email client has three unresolved issues:
- Issues when decoding messages with uncommon charsets such as cp932 or cp936. The team promises that this issue is going to be fixed in the upcoming Thunderbird 60.4.0 release.
- CalDav access to some servers is broken. Workaround is to set the preference network.cookie.same-site.enabled to false.
- Twitter chat is not working.
Users who run Thunderbird may notice that it is not offered currently when they run a manual check for updates under Help > About Mozilla Thunderbird. The official download page on the project website lists 60.3.2 as the latest version as well.
The new release is available on Mozilla's FTP though.
Tip: Find out how to migrate from Thunderbird 32-bit to 64-bit. Note that Thunderbird is offered as a 32-bit version officially only currently on Windows.
Previous Post: « Thunderbird 52 to 60 update rollout started
Next Post: Thunderbird: big plans for 2019 »
> The new release is available on Mozilla’s FTP though.
a small correction: This archive has nothing to do with FTP at all since a few years. Even the still working domain http://ftp.mozilla.org is only an alias which exists for historical reasons. ;-)
This issue was predictable and could have been avoided well before ESR60 was a thing. The Unified XUL Platform had the exact same issue with an upgraded NSS (which Mozilla now has deemed a Firefox-only Component not suitable for use outside Firefox).
We solved the issue in the course of development and only Basilisk was affected due to being a rolling release but we fixed it within a few days of identifying the issue. Not the THREE months it took the Thunderbird Team to identify and solve the issue.
So the issue was well known and filed against NSS at Mozilla so there is little excuse for this on the Thunderbird side.
tbird has been asking me for the master password on start lately. not sure why.
@fcfs:
I believe that the master password option is enabled by default. If you don’t want to use it and don’t want to be bugged by that prompt, then you can go into Options->Security, click on the Passwords tab, and uncheck “Use a master password”.
If you had this disabled before, It may be that the upgrade reenabled it (I don’t use a master password myself, and I forgot if the upgrade reenabled this…)
no.. masterpw was set prior to that. before whatever was changed, it never asked for masterpw on starting tbird, only when i’m checking mail for the 1st time in session. now it asks on startup. which i guess chimes with dan says about (non master) pw being asked every start.
Would you add a way to change the color of the message window pane so that, at least in my case, switch off the white glare to a more subtle grey tone?
Yes…
Can I recomend the 64 bits edition ?
master password or no master password, Thunderbird asks for a password every time i open or refresh it, I’ve used correct passwords but it will not save them and i have to enter every time i use it. Only my desktop, my laptop is fine, very odd
Even if no master password was set in the past (so the bug shouldn’t have caused any issues), 60.3.3 seems to force users to re-enter all passwords (POP/IMAP/SMTP) for all accounts. One might wonder what the Thunderbird folks smoke before releasing such a nonsense. Maybe they worked for Microsoft before?
Thunderbird is so slow and sluggish with big IMAP accounts with many folders.. I can’t believe I ever used it. Felt like a tool from the stone age.
It was the upgrade to 60.3.3 that wiped my password. I still can’t log on to the server, some 4 hours later.
I Karen Smith will have keep changing my password form people who love to jump up on people post in they email address my businesses and these person to be block from do so things I have brought online has be stolen by people who are jumping up on these site I wanted all of my sites to been protect from people who are theft