Thunderbird users who use a Master Password in the application to protect passwords may have been exposed to a password deletion issue in recent versions of the email client.
The release of Thunderbird 60.3.3 fixes the issue on all affected systems. The issue was introduced in client version 60.0 released in August 2018.
The major release introduced new functionality and made some changes to Thunderbird; one of those changes migrated the security databases key3.db and cert8.db used to store passwords and certificates to key4.db and cert9.db.
Thunderbird installations affected by the issue had saved passwords and private certificate keys deleted. The issue affected installations with master passwords. Master Passwords are not used by default but may be enabled in the Thunderbird email client to improve security.
Thunderbird users need to open Tools > Options > Security > Passwords to protect passwords with a Master Password. Just check the "use a master password" box on the page and follow the instructions to add it to the program.
The development team notes that affected users may restore a backed up version of the databases to regain access to passwords and private certificates. How that is done is not mentioned, however. The backups, with the .bak extension, are listed in the Thunderbird profile folder.
Affected users could rename the current file, e.g. key3.db, and rename the backup file key3.bak afterward. It is not clear if that is the method that the team suggests; make sure you back up all files before you proceed.
Thunderbird 60.3.3 fixes three additional issues:
The version of the email client has three unresolved issues:
Users who run Thunderbird may notice that it is not offered currently when they run a manual check for updates under Help > About Mozilla Thunderbird. The official download page on the project website lists 60.3.2 as the latest version as well.
The new release is available on Mozilla's FTP though.
Tip: Find out how to migrate from Thunderbird 32-bit to 64-bit. Note that Thunderbird is offered as a 32-bit version officially only currently on Windows.
Advertising revenue is falling fast across the Internet, and independently-run sites like Ghacks are hit hardest by it. The advertising model in its current form is coming to an end, and we have to find other ways to continue operating this site.
We are committed to keeping our content free and independent, which means no paywalls, no sponsored posts, no annoying ad formats or subscription fees.
If you like our content, and would like to help, please consider making a contribution:
Please click on the following link to open the newsletter signup page: Ghacks Newsletter Sign up
Ghacks is a technology news blog that was founded in 2005 by Martin Brinkmann. It has since then become one of the most popular tech news sites on the Internet with five authors and regular contributions from freelance writers.
> The new release is available on Mozilla’s FTP though.
a small correction: This archive has nothing to do with FTP at all since a few years. Even the still working domain http://ftp.mozilla.org is only an alias which exists for historical reasons. ;-)
This issue was predictable and could have been avoided well before ESR60 was a thing. The Unified XUL Platform had the exact same issue with an upgraded NSS (which Mozilla now has deemed a Firefox-only Component not suitable for use outside Firefox).
We solved the issue in the course of development and only Basilisk was affected due to being a rolling release but we fixed it within a few days of identifying the issue. Not the THREE months it took the Thunderbird Team to identify and solve the issue.
So the issue was well known and filed against NSS at Mozilla so there is little excuse for this on the Thunderbird side.
tbird has been asking me for the master password on start lately. not sure why.
@fcfs:
I believe that the master password option is enabled by default. If you don’t want to use it and don’t want to be bugged by that prompt, then you can go into Options->Security, click on the Passwords tab, and uncheck “Use a master password”.
If you had this disabled before, It may be that the upgrade reenabled it (I don’t use a master password myself, and I forgot if the upgrade reenabled this…)
no.. masterpw was set prior to that. before whatever was changed, it never asked for masterpw on starting tbird, only when i’m checking mail for the 1st time in session. now it asks on startup. which i guess chimes with dan says about (non master) pw being asked every start.
Would you add a way to change the color of the message window pane so that, at least in my case, switch off the white glare to a more subtle grey tone?
Yes…
Can I recomend the 64 bits edition ?
master password or no master password, Thunderbird asks for a password every time i open or refresh it, I’ve used correct passwords but it will not save them and i have to enter every time i use it. Only my desktop, my laptop is fine, very odd
Even if no master password was set in the past (so the bug shouldn’t have caused any issues), 60.3.3 seems to force users to re-enter all passwords (POP/IMAP/SMTP) for all accounts. One might wonder what the Thunderbird folks smoke before releasing such a nonsense. Maybe they worked for Microsoft before?
Thunderbird is so slow and sluggish with big IMAP accounts with many folders.. I can’t believe I ever used it. Felt like a tool from the stone age.
It was the upgrade to 60.3.3 that wiped my password. I still can’t log on to the server, some 4 hours later.