#1  
16th May 2008, 15:10
PoleCat
User Passwords

Hi,

Pretty much every second or third day I have users calling me asking me what their password is for their email. Problem is I have 3 engineers working on the ISPC control panel updating/adding and making changes regularly for customers.
We don't keep passwords written down on paper or on engineers' PCs as it's a security risk. So when a client phones in asking for their password, we gotta go in and change it every time. This consumes time and is rather frustrating.

I would like to see an ISPC system where you can view the user/email passwords when you click on the user&email tab and maybe in there have a "view passwords" button to view a list of all their passwords? This will in turn help customers also look up their own email passwords.

Thoughts?
  #2  
16th May 2008, 23:19
falko

In the current ISPConfig version, the passwords are stored nowhere in the database - they are in /etc/shadow only...
  #3  
17th May 2008, 01:29
flipkick

What about sending your customers the password in a salutatory email? And maybe your team via CC? There's an option for this in ISPConfig.
  #4  
17th May 2008, 13:20
PoleCat

Quote:
Originally Posted by falko
In the current ISPConfig version, the passwords are stored nowhere in the database - they are in /etc/shadow only...
Will version 3.0 have the passwords stored in the sql database?
I really think this will be a good feature, and will tremendously help with password management.
  #5  
17th May 2008, 13:32
PoleCat

Quote:
Originally Posted by flipkick
What about sending your customers the password in a salutatory email? And maybe your team via CC? There's an option for this in ISPConfig.
Yes I do send the customers the passwords, but being customers they lose it, or it's easier for them to call up and ask for the password. I can't tell the customer he's a freegin idiot for not having a photographic memory to remember his password.

We send cc emails to a central email account, though it is time consuming to admin this and compile an Excel spreadsheet with passwords and keep them all up to date, then only 1 person can access the spreadsheet else it will be out of sync etc etc etc. Also having passwords on file is not how I want to run the business, a disgruntled employee can easily e-mail or copy the file, go home and do some serious damage, or read the email for employees months after he is dismissed. I can't change the passwords of every customer (over 200) when an employee leaves.

When I used to work for a hosting company in London, they had the passwords all stored for all servers in a sql database, and you had to click on "view passwords" under that account to access it. Once you have clicked it the system logs the person (sql user account that is logged in) that requested the passwords in a log which is viewable in the page when you click "view passwords". That way you can see what employee made what changes to the passwords and when and it can help you troubleshoot any errors or password changes that might/should not have happened. etc etc. This also improves security as your employees now can see they are being logged when they view or change a password. The logging of this can also help you see if the client changed the password and if it's his mistake etc etc.

Maybe I'm asking for a too advanced system.
  #6  
17th May 2008, 14:24
flipkick

Quote:
Originally Posted by PoleCat
Will version 3.0 have the passwords stored in the sql database?
I really think this will be a good feature, and will tremendously help with password management.
It will be a bad feature to keep plain passwords in mysql databases considering security issues. You'll have a big problem when someone hacks ALL secret passwords with a single exploit.

It's quite better to set the user a new password like the big hosting companies I know do it. A "lost password" function for the user would also make sense.
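The reset-instead-of-reveal approach suggested in post #6, combined with the per-employee logging PoleCat describes in post #5, shown as an added example that is not ISPConfig code and not written by anyone in this thread. The `Mailbox` class, its method names, the PBKDF2 iteration count and the 15-minute token lifetime are all assumptions.

```python
import hashlib, hmac, secrets, time

TOKEN_TTL = 900        # seconds a reset token stays valid (assumed policy)
PBKDF2_ROUNDS = 600_000  # assumed work factor

class Mailbox:
    """Hypothetical account store: keeps salted hashes only, never passwords."""
    def __init__(self):
        self.creds = {}   # user -> (salt, PBKDF2 hash)
        self.resets = {}  # user -> (SHA-256 of token, expiry timestamp)
        self.audit = []   # (timestamp, actor, action, user)

    def _hash(self, password, salt):
        return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)

    def _log(self, actor, action, user):
        self.audit.append((time.time(), actor, action, user))

    def set_password(self, actor, user, password):
        salt = secrets.token_bytes(16)
        self.creds[user] = (salt, self._hash(password, salt))
        self._log(actor, "set_password", user)

    def verify(self, user, password):
        if user not in self.creds:
            return False
        salt, stored = self.creds[user]
        return hmac.compare_digest(stored, self._hash(password, salt))

    def issue_reset(self, actor, user):
        """Engineer or customer requests a reset; only the token's hash is kept."""
        token = secrets.token_urlsafe(32)
        digest = hashlib.sha256(token.encode()).digest()
        self.resets[user] = (digest, time.time() + TOKEN_TTL)
        self._log(actor, "issue_reset", user)
        return token  # sent to the customer out of band, never stored in clear

    def redeem_reset(self, user, token, new_password, now=None):
        # pop() makes the token single use, even when the attempt fails
        digest, expiry = self.resets.pop(user, (b"", 0.0))
        now = time.time() if now is None else now
        ok = now < expiry and hmac.compare_digest(
            digest, hashlib.sha256(token.encode()).digest())
        self._log(user, "reset_ok" if ok else "reset_failed", user)
        if ok:
            self.set_password(user, user, new_password)
        return ok
```

A dump of `creds` or `resets` yields nothing a support engineer or an intruder can read back as a password, while `audit` still records which staff account touched which mailbox and when.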
  #7  
17th May 2008, 14:27
flipkick

Quote:
Originally Posted by PoleCat
Maybe I'm asking for a too advanced system.
It's just too insecure. I don't know any mysql based application storing plain passwords. This is unreasonably dangerous.
  #8  
17th May 2008, 16:04
falko

Quote:
Originally Posted by flipkick
It will be a bad feature to keep plain passwords in mysql databases considering security issues. You'll have a big problem when someone hacks ALL secret passwords with a single exploit.

It's quite better to set the user a new password like the big hosting companies I know do it. A "lost password" function for the user would also make sense.
I second that.