Thunderbird "Unable to change Master Password"
I installed a clean OS X 10.10, installed the offered Thunderbird, 38.5, copied the profile from my previous installation, which used 31.7, launched profile manager and pointed it at the copied previous profile, launched Thunderbird, >Preferences>Security, checked Use a master password. Current password: (not set), can't be changed. Enter and re-enter password used with previous profile. OK.
Password change failed Unable to change Master Password.
I find no help or other information on this.
What to do? (No help at support.mozilla.org. Or none that I can find.)
All Replies (19)
There is a procedure by which you can reset (i.e. clear) the Master Password but doing so also clears all the stored passwords. Would this be of any use to you?
Thanks for the quick holiday response, Zenos. I apologize. I was not clear that my goal is to continue to use Thunderbird with my encryption certificate and private key and my large collection of certificates from the people I work with.
I thought it would be straightforward to point Thunderbird at the (copied) profile, when it would ask for the password.
Possible clue: I was using an earlier version of Thunderbird. I tried to find the earlier version, 31.7 on mozilla.org, hoping this was a problem with some later version changing what a profile is expected to be. But I can't seem to find anywhere on the site to download earlier versions.
The procedure I offered you resets just the stored passwords. It won't affect your certificates and encryption keys.
There was a glitch some time ago when the Master Password became inoperative after an update, but I think that would have been round about v17 if not before, maybe v3. But there is a precedent for the Master Password, specifically, going astray. More recently we had a case where the password store appeared to be empty after an upgrade.
Has anything else gone missing? You're now talking about your profile being misplaced, but if Thunderbird could not find it you'd have lost a great deal more than a Master Password. Thunderbird has never changed the profile location, except when forced to do so by changes in the OS. I'm thinking of when Windows changed the file structure from "Documents and Settings" to "Users", and from "Application Data" to "AppData". Both of these changes are largely irrelevant, since relative addressing is used with the profile itself, and the precise location is found through a symbolic address such as "%appdata%".
Older versions can be found here: https://ftp.mozilla.org/pub/thunderbird/releases/
Thanks, Zenos.
I believe I see. I use Thunderbird with only one account, so that's a password that will be lost. Easily re-entered (if I can remember it!).
But you are say that the certificates (and the contained therein public keys) of correspondents will not be lost. Nor will the authority certificates be lost. (I have two chains of those for my correspondents, which are not pre-packaged with Thunderbird.)
And I hope my certificate-cum-private key will be lost if I reset the master password. (If not, I don't understand how my private key is protected.) That is easily re-imported.
I'll make the experiment, since the worst case is I have to delete my profile and again copy in the previous profile.
Thanks again.
.......
FYI, these are the behaviors:
Send Message Error - Sending ... failed. You specified... should be ... signed, but ... either failed to find the signing cert... or has expired.
Send Message Error - Sending ... failed. You specified encryption... , but ... either failed to find the encryption cert... or has expired.
Send Message Error - Sending ... failed. Could not get password for smtp...net. ... not sent.
Get Mail hung showing: ...: Connected to pop...net. Then apparently timed out. (I was out of the room and returned to find Tbird no longer hung, but no error message (a design improvement possibility?).
You should be able to explore your certficate stores independently of the password store. Have a look under
Tools|Options|Advanced|Certificates
for s/mime certificates.
If you've been using gpg/enigmail then you probably need to look under
Enigmail|Key Management.
If Thunderbird had lost sight of the profile, you'd have been prompted to enter your email account details, and you'd have no Address Book entries. Do either of these apply?
Again, Zenos, I see I did not provide the full story in my initial question.
o I discovered the problem when I could not send signed or encrypted messages. I immediately looked to see if my certificate was there.
My certificates was (is still) empty and and People is empth; Authorities has a long list, but not several certificates of each of the two authorities that signed my correspondent's certificates. Indeed, for all my mail messages (both incoming from correspondents and outgoing from me) : Thunderbird cannot decrypt this message. The sender encrypted this message to you...
o I use the built-in PKCS encryption, not enigmail.
o Thunderbird has not lost sight of the profile.
o The address book is there, appears intact.
o The accounts are there, appear to be intact. But, of course, I can't connect to the servers on the account I use (the other is from the past).
I don't see any way to enter the account password, so can't send unencrypted, unsigned messages.
o Saved Passwords is empty.
.......
I spent about an hour working on this, then--brain running out of sugar--had my lunch. I'll send the details next.
Gewysig op
Message drafted about an hour ago, 2 pm PST.
.........................
Oops.
I went to http://kb.mozillazine.org/Master_password and, being a good boy (and a software architect with bitter experience), read the page from the start. When I got to this I stopped:
“Firefox uses: "Tools -> Options -> Advanced -> Encryption: Certificates: Security Devices: Software Security Device”),
I went to Thunderbird>Preferences and to Security Devices. I selected the first of the three NSS Internal FIBS PKCS # 11 Modules. I saw the (very embarrassing, but it has been five years) Enable FIPS button.
I enabled FIPS (Duh!). Sadly: Alert FIPS mode requires that you have a Master Password …
————
Anyway, so I read on in the article, to Resetting the master password. Did the deed. At about 1:55 pm today.
Quit Tbird and restarted.
Same message: “(not set)” Password Change Failed Unable to change master password.
A bunch of new errors at the Error Console. Four red ones at 2:05:57 to 2:05:59 pm my time. Then about 160 yellow ones, with a couple of small batches of red ones at one point, from 2:06:01 to 2:06:01. Ending with my favorite (see below in this message): A promise chain failed …
I restarted (Tbird) again. Immediately opened console. The same or similar set of messages. Two blues, no time. One red and one yellow. Then two seconds with none. Then all the rest but one within at most two seconds. Finally, followed after 6 or 7 seconds with the failed promise.
Tried to set the master password again. Same problem. Nothing added at Error Console. Closed and reopened Error Console. No change.
It appears my problem does not report on the console.
==
FYI, (before I set the master password, there was a long log of errors, warnings, and blue items. I estimate around 170. Many of them seem (repeat: seem) to be unrelated.* Some definitely are. See a couple of examples below. I don’t see any way to save the log or copy text from it, or I would send it, just FYI.
- “seem” In other words, may very well be related, as you certainly know from experience.
——— o A promise chain failed to handle a rejection. Did you forget to ‘.catch’, or did you forget to ‘return’? o uncaught exception: initialization failed o NS_ERROR_FAILURE … 0x80004005 … o NS_ERROR_XPC_GS_RETURNED_FAILURE … 0x80570016 … nsIJSCID.getService]…
Gewysig op
The end of the previous post seems to be the result of a bug or design feature in Apple TextEdit. Here is what it looks like in the TextEdit window.
o A promise chain failed to handle a rejection. Did you forget to ‘.catch’, or did you forget to ‘return’? o uncaught exception: initialization failed o NS_ERROR_FAILURE … 0x80004005 … o NS_ERROR_XPC_GS_RETURNED_FAILURE … 0x80570016 … nsIJSCID.getService]…
--- end of post ---
Gewysig op
<deleted>
Gewysig op
<deleted> (by question owner)
Gewysig op
this is only helpful for future postings. Lines starting with spaces are treated as pre-formated and not wrapped. So please don't use them for more than code.
I am thinking thAat it might be appropriate to delete the key3.db, signons.sqlite and signons.json files from the profile and then start Thunderbird. The procedure to reset should do so. But reading here I see that Firefox 31, and as it is a geko component I would assume Thunderbird moved to a JSON file. The reset procedure has not changed ever in my knowledge, not is it really documented. I am wondering if the reset is not actually resetting the JSON file. Anyway, removing all three with Thunderbird not running should force a very cold reset of master passwords and password stores.
Thanks, Matt.
I'm out of town for a couple of days. I'll try that when I get back.
If it works, I'll try copying back the key3 I want to preserve. If that causes the problem again, I can deal with that: delete all again, then set my mail server password (and import my cert+privateKey, if need be). I don't think there is anything else in key3. You have not asked me to delete cert8, which has all the certs I would prefer not to loose.
crummyUserInterface said
If it works, I'll try copying back the key3 I want to preserve.
These days key3 only contains the master password. It was replaced in V3 with the SQLIte file. Signons.sqlite contain all the actual credentials and in recent versions this has been migrated to the JSON file.
It is the migration to the Json file that I think might have gone to god. You might even find resetting signon.importedFromSqlite as discussed for Firefox may prompt an improvement all by itself.
This is core code (Password manager Certificate store), so in almost all cases Firefox, Thunderbird and Sea Monkey share that same core code,
It is actually one of the strengths and greatest weaknesses of Thunderbird in a community Development scenario we find ourselves in. Mozilla looks after the real security stuff and we piggy back. Mozilla breaks Thunderbird with their changes and are not interested in fixing the breakage because Thunderbird is a community project..
OK, Matt. I'll try two things in this order, each with Thunderbird not running, then starting Thunderbird and reporting the situation.
- resetting signon.importedFromSqllite
- deleting key3.db, signons.sqlite, and signons.json
.......
My goal is to not lose my large collection of correspondent and authority certificates. (The authority certificates I am concerned about are not distributed with Thunderbird nor with Firefox.)
I understand that these fixes will require reentering the mail account password and my e-mail certificate+private key file.
Hmmmm... At Thunderbird>Preferences>Advanced>General>ConfigEditor... I see no signon.importedFromSqllite.
I have Tbird 38.5.0 and there are six items starting with 'signon.' , none of which seem to have anything do do with SQLlite. I guess we should not be surprised, since that fits with 38 not looking for and importing from signons.sqllite.
While we are on this topic, my profile does have a signons.sqllite, modification date 18 November, and a signons.json, created a few minutes ago.
Anyway, on to deleting the three files.
(By the way, gefore attempting to reset the config entry, I tried again. I tried it twice, and errors were logged both times:
NS_ERROR_FAILURE ... 0x800004005 ... [nsIPK22Token.initPassword ... crypto-SDR.js
uncaught exception: Initialization failed
NS_ERROR_SPC JS_THREW_STRING: ... failed when calling method [nsILoginManagerStorage::initalize ... nsLoginManager.js
)
Oops. After quitting Tbird 38, I didn't see a signons.json. I again started Tbird and attempted the password reset. After quitting, again no signons.json.
I believe I was wrong to report that there was ever a signons.json. I think I was seeing session.json.
So. I deleted key3.db and signons.sqllite.
(I did not delete signons3.txt.)
Password Change Failed Unable to change Master Password.
.................
I did this next: - deleted the profile - installed a fresh copy of the previous profile (after confirming the profile works, using my boot drive clone, running 31.7.0). - deleted Thunderbird.app - following what I take to be the list of instructions for OS X at https://support.mozilla.org/en-US/kb/uninstall-thunderbird did nothing else. (That page would benefit from a heading for each list!) - installed 31.7.0 (thanks for the link!) - started Thunderbird
After setting itself up,Tbird immediately asked for my master password (as 31.7 had been doing).
It works as advertised. (Seems to. So far. I can send and receive mail to myself and can send encrypted to one correspondent. No further testing.)
I won't try letting Tbird upgrade. The reason I had stayed at 31.7.0 is because of troubles that started with the next version. I retreated to 31.7 at that time and turned off updates.
I'll leave updates off, unless you have something else you want me to try.
Thanks.
UPDATE
I am having no troubles with Thunderbird 31.7.0.
I'll stick with this version until there is some process that will allow me to get back on the release update channel without losing all my stored certificates (Your Certificates back to 2005, 180 People certificates from correspondents, and 18 Authorities certificates not included with Thunderbird).
Thanks for sticking with me. Cordially, Joaquin
crummyUserInterface,
You seem to have a good understanding of what's happening with your issue and what's different/wrong in Thunderbird 38.
Can you please file a bug report at https://bugzilla.mozilla.org/enter_bug.cgi?product=Thunderbird&component=Security ?
It would be a great help. Thanks
Wayne, thanks for the message. I apologize for the delay in replying.
I will file a bug report.
(Perhaps after another delay. I hope not. Perhaps first simply the problem described here. Then with a description of what happens when I attempt to upgrade in a single step, from 31.7 to 31.8. (I have not tried that yet.) If that works, I guess the next one to try is 38.0.1, is that right? (32 to 37 all end with b1. Does that mean beta?) )