#1
15th March 2007, 23:46
Agosto
Junior Member

Join Date: Jul 2006
Posts: 12
Clear Passwords

This has already been discussed a lot, but there seems to be no consensus, and therefore I insist.
The passwords are defined by the administrator of the system and not by the user. Maybe you can put in an option to use clear or encrypted passwords. In the clear-password option these would be assigned automatically by the system. So there would not be the problem of knowing common passwords of the user. This way we solve the problem of a client that has configured several programs, for example for access to an FTP area, and doesn't remember the password and would have to reconfigure all the programs. Perhaps you can also separate the FTP passwords from the email passwords … This will help a lot.


Agostinho
#2
16th March 2007, 18:44
falko
Super Moderator

Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

I'm sorry, but we won't store clear-text passwords in the database. It's a huge security risk!
__________________
Falko
#3
19th March 2007, 12:04
Agosto
Junior Member

Join Date: Jul 2006
Posts: 12

And what if, while installing, ISPConfig creates an algorithm that allows the passwords to be stored in a safe form but also to be recreated?
#4
19th March 2007, 13:52
falko
Super Moderator

Join Date: Apr 2005
Location: Lüneburg, Germany
Posts: 41,701

But if you can recreate them, they aren't safe...
__________________
Falko
#5
21st March 2007, 00:56
Agosto
Junior Member

Join Date: Jul 2006
Posts: 12

They are not clear to anyone that connects to the database. And the "code" can be different for each installation. This way no one can recreate the password of another system. Only that system can recreate it and resend it to the user. The passwords with md5 can also be "recreated". At least there can be an option to use md5 or other encryption. In my case, like in many cases, I only use the system for a few (about 20) sites for me.
#6
21st March 2007, 11:13
AlArenal
Senior Member

Join Date: Feb 2007
Location: Germany
Posts: 104

I totally agree with Falko. Passwords have to be stored as safely as possible on the server. Everything else compromises security and therefore is not an option at all.

You can think about mechanisms to automatically create new passwords and send them as e-mail with a confirmation link, but that's it. If someone likes to use a common password (which he shouldn't) and cannot remember (How common is it, then?) then he/she will have to change it back afterwards.

It's okay to have the system assist a user if he/she forgot a password (which should not occur anyway) but it's not okay to compromise security, not even as a hidden option in the config file.

What I would like to see is a password field for newly created items that's filled with a relatively secure random password per default. Make it an optional setting, if one Admin doesn't like it and/or let him/her define the rules for passwords like "must contain digits", "must contain special characters", "must be at least x characters long", "must contain upper and lower case", etc.
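The approach suggested in post #6 (a random default password that satisfies admin-defined rules, stored only as a one-way hash, with a forgotten password replaced rather than recovered), as an added example that is not ISPConfig code and not written by anyone in this thread. The policy keys, function names and the use of PBKDF2-HMAC-SHA256 are assumptions made for the example.

```python
import hashlib
import hmac
import secrets
import string

# Hypothetical policy, modelled on the rules listed in post #6.
POLICY = {"length": 16, "digits": True, "special": True, "mixed_case": True}
SPECIALS = "!#%+-=?@_"
ITERATIONS = 600_000  # assumed work factor for PBKDF2-HMAC-SHA256

def generate_password(policy=POLICY):
    """Random password from a CSPRNG that satisfies every enabled rule."""
    classes = [string.ascii_lowercase]
    if policy["mixed_case"]:
        classes.append(string.ascii_uppercase)
    if policy["digits"]:
        classes.append(string.digits)
    if policy["special"]:
        classes.append(SPECIALS)
    alphabet = "".join(classes)
    while True:
        # Rejection sampling: draw uniformly, retry until all classes appear.
        candidate = "".join(secrets.choice(alphabet) for _ in range(policy["length"]))
        if all(any(ch in cls for ch in candidate) for cls in classes):
            return candidate

def hash_password(password, salt=None):
    """Return 'salt$digest' in hex; this string is the only thing stored."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt.hex() + "$" + digest.hex()

def verify_password(password, stored):
    """Re-derive with the stored salt and compare in constant time."""
    salt_hex, _ = stored.split("$")
    return hmac.compare_digest(hash_password(password, bytes.fromhex(salt_hex)), stored)

def create_account(db, user):
    """Store the hash and return the plaintext once, for display to the admin."""
    password = generate_password()
    db[user] = hash_password(password)
    return password

def reset_password(db, user):
    """Forgotten password: issue a new one; the old one cannot be recovered."""
    return create_account(db, user)
```

The database row holds only the salt and digest, so reading the table does not reveal a usable password, and a reset invalidates the previous one.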
#7
22nd March 2007, 00:36
Agosto
Junior Member

Join Date: Jul 2006
Posts: 12

I really don't understand. The passwords are created by the "system administrator" and not by the user, so they are not "common" to the user. And if you use rules for the password they can't be a user's common password because every site uses different rules. The passwords are used to configure any email or FTP program that stores them, and not for authentication on any page. Many of the users use it one time to configure the program and don't know how to change the password. They just use the one the administrator gives them. This is the problem of not remembering the password: they don't use it every day, only when they have problems with some program and need to reconfigure it again. I have a client that uses FTP for communications between 4 stores. If he asks me for the password because he needs to reconfigure one store, I will give him a new one and he has to change the configuration on all the stores. A solution can be an option to use user-defined passwords or system passwords, and in this case the passwords are created by the system and can't be changed by the user. This way you never have common user passwords.
This is my idea from my experience and my last reply on this.