#1  
16th March 2007, 00:46
Agosto
Clear Passwords

This has already been discussed a lot, but there seems to be no consensus, and therefore I insist.
The passwords are defined by the administrator of the system and not by the user. Maybe you can add an option to use clear or encrypted passwords. With the clear-password option, the passwords would be assigned automatically by the system, so there would not be the problem of knowing the user's common passwords. This way we solve the problem of a client who has configured several programs, for example for access to an FTP area, doesn't remember the password, and would have to reconfigure all the programs. Perhaps you can also separate the FTP passwords from the email passwords … This will help a lot.


Agostinho
  #2  
16th March 2007, 19:44
falko

I'm sorry, but we won't store clear-text passwords in the database. It's a huge security risk!
  #3  
19th March 2007, 13:04
Agosto

And what if, while installing ISPConfig, it creates an algorithm that allows storing the passwords in a safe form but also recreating them?
  #4  
19th March 2007, 14:52
falko

But if you can recreate them, they aren't safe...
  #5  
21st March 2007, 01:56
Agosto

They are not clear to anyone who connects to the database. And the "code" can be different for each installation. This way no one can recreate the password of another system. Only that system can recreate it and resend it to the user. The passwords with md5 can also be "recreated". At least there can be an option to use md5 or other encryption. In my case, like in many cases, I only use the system for a few (about 20) sites for me.
  #6  
21st March 2007, 12:13
AlArenal

I totally agree with Falko. Passwords have to be stored as safely as possible on the server. Everything else compromises security and therefore is not an option at all.

You can think about mechanisms to automatically create new passwords and send them by e-mail with a confirmation link, but that's it. If someone likes to use a common password (which he shouldn't) and cannot remember it (how common is it, then?), then he/she will have to change it back afterwards.

It's okay to have the system assist a user if he/she forgot a password (which should not occur anyway), but it's not okay to compromise security, not even as a hidden option in the config file.

What I would like to see is a password field for newly created items that's filled with a relatively secure random password by default. Make it an optional setting, in case an admin doesn't like it, and/or let him/her define the rules for passwords like "must contain digits", "must contain special characters", "must be at least x characters long", "must contain upper and lower case", etc.
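The approach described in post #6 (random default passwords generated under admin-defined rules, and a reset through a confirmation link instead of recovering the old password), shown as an added example that is not part of the thread and not ISPConfig's code. The `Policy` fields, the `SPECIALS` set, the PBKDF2 parameters and the in-memory `pending` and `db` dicts are assumptions for illustration.

```python
import hashlib, hmac, secrets, string
from dataclasses import dataclass

SPECIALS = "!#$%&*+-=?@_"   # constructed set of allowed special characters
ITERATIONS = 600_000        # PBKDF2 work factor, an assumption; tune per host

@dataclass
class Policy:               # hypothetical admin-defined rules from the post
    length: int = 16
    digits: bool = True
    special: bool = True
    mixed_case: bool = True

def generate_password(p: Policy) -> str:
    """Random password containing at least one character per enabled rule."""
    rules = [(True, string.ascii_lowercase), (p.mixed_case, string.ascii_uppercase),
             (p.digits, string.digits), (p.special, SPECIALS)]
    classes = [chars for enabled, chars in rules if enabled]
    if p.length < len(classes):
        raise ValueError("length too short for the enabled rules")
    chars = [secrets.choice(c) for c in classes]
    chars += [secrets.choice("".join(classes)) for _ in range(p.length - len(chars))]
    secrets.SystemRandom().shuffle(chars)   # hide where the forced characters sit
    return "".join(chars)

def hash_password(password: str) -> str:
    """One-way record (salted PBKDF2); the plaintext cannot be read back."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${dk.hex()}"

def verify_password(password: str, record: str) -> bool:
    iters, salt, dk = record.split("$")
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), bytes.fromhex(salt), int(iters))
    return hmac.compare_digest(cand, bytes.fromhex(dk))

def start_reset(pending: dict, user: str) -> str:
    token = secrets.token_urlsafe(32)
    pending[hashlib.sha256(token.encode()).hexdigest()] = user
    return token  # goes into the e-mailed link; only its hash is kept server-side

def confirm_reset(pending: dict, db: dict, token: str, policy: Policy):
    """Single-use: a valid token replaces the stored hash with a fresh password's."""
    user = pending.pop(hashlib.sha256(token.encode()).hexdigest(), None)
    if user is None:
        return None
    new_password = generate_password(policy)
    db[user] = hash_password(new_password)
    return new_password
```

Token expiry and mail delivery are left out; the new password is shown or sent once and never stored in readable form.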
All times are GMT +2.