  #11  
22nd February 2007, 11:20
till (Super Moderator)

Quote:
schlund, 1und1, strato - none of them have users.
They all have users. They might be virtual users, but they are users, as every login needs a user. Or can I download your mails from schlund because you don't have a username and password that protects them?
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
  #12  
22nd February 2007, 11:23
vogelor (ISPConfig Developer)

Quote:
Originally Posted by till
Or think about what happens if your server gets hacked and the hacker gets all the clear text passwords.

It's a big difference security-wise if a password is stored as clear text or as a hash that cannot be decrypted!
I know this, and deep in my heart I know you are right, but when the server is hacked the hacker can CHANGE ALL PWD to what he likes, and so he can do the same stupid things he can do if he sees the pwd DIRECTLY on the screen.

To change the pwd is only one little step more (and NO problem for the hacker)

So this is IMHO not really more secure - it is only for us to feel secure and to have a good feeling ;-)
__________________
The new luxury is time, not money!

Company: http://www.muv.com, http://www.computerandservice.de
Private: http://www.vogelor.de
  #13  
22nd February 2007, 11:31
till (Super Moderator)

Quote:
Originally Posted by vogelor
I know this, and deep in my heart I know you are right, but when the server is hacked the hacker can CHANGE ALL PWD to what he likes, and so he can do the same stupid things he can do if he sees the pwd DIRECTLY on the screen.

To change the pwd is only one little step more (and NO problem for the hacker)

So this is IMHO not really more secure - it is only for us to feel secure and to have a good feeling ;-)
You missed the point here:

As I posted above, many users are using the same password for many things and if the password is stored in clear text, other servers and services can be hacked, e.g. ebay accounts, paypal accounts etc.

But we can make it really short here: we will not add clear text passwords to ISPConfig in an official build unless the majority of developers give their vote for it, and I'm pretty sure they will not vote for kicking security overboard.
__________________
Till Brehm
--
Get ISPConfig support and the ISPConfig 3 manual from ispconfig.org.
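
The two positions in posts #12 and #13, as an added Python sketch (not part of the thread and not ISPConfig code): overwriting a stored hash takes over the account on this server, but only a clear-text table hands out the password the customer may reuse elsewhere. The PBKDF2 scheme, the table layout and the user `web1_alice` are assumptions made for the example.

```python
import hashlib
import hmac
import secrets

SCHEME = "pbkdf2_sha256"   # assumed storage scheme for this sketch
ITERATIONS = 100_000       # assumed work factor


def hash_password(password: str) -> str:
    """Return 'scheme$iterations$salt$digest' using a fresh random salt."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{SCHEME}${ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt; compare in constant time."""
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != SCHEME:
        return False
    salt, expected = bytes.fromhex(parts[2]), bytes.fromhex(parts[3])
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, int(parts[1]))
    return hmac.compare_digest(digest, expected)


def readable_passwords(table: dict) -> dict:
    """Entries whose password can be read straight off a copy of the table."""
    return {u: v for u, v in table.items() if not v.startswith(SCHEME + "$")}


def overwrite_password(table: dict, user: str, new_password: str) -> None:
    """Replace a record, as anyone with write access to the table could."""
    table[user] = hash_password(new_password)


# Constructed sample data: one customer who reuses this password elsewhere.
REUSED = "correct horse battery staple"
clear_table = {"web1_alice": REUSED}
hashed_table = {"web1_alice": hash_password(REUSED)}

if __name__ == "__main__":
    print(readable_passwords(clear_table))    # the reused password itself
    print(readable_passwords(hashed_table))   # nothing readable
    overwrite_password(hashed_table, "web1_alice", "temp-1234")
    # The account on this server is taken over, but the table still does not
    # contain the customer's original password.
    print(verify_password("temp-1234", hashed_table["web1_alice"]))
    print(REUSED in hashed_table["web1_alice"])
```

A salted hash only keeps the password from being read directly; weak passwords can still be guessed offline, which is why the work factor matters.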
  #14  
22nd February 2007, 11:33
vogelor (ISPConfig Developer)

Quote:
Originally Posted by till
They all have users. They might be virtual users, but they are users, as every login needs a user. Or can I download your mails from schlund because you don't have a username and password that protects them?
Yeah, I know, technically they HAVE users (they need them - sure) - but for everything you need there is a separate user (technically you have one for the mail account, one for the FTP account, one for MySQL and so on). So if two real persons share one "virtual user" (because they share the email account) this is no problem, because this virtual user can do no more than get his email.

And I think that more than 99% of the customers of strato, 1und1 and schlund don't know that they HAVE users, because they are all virtual and so "hidden".
__________________
The new luxury is time, not money!

Company: http://www.muv.com, http://www.computerandservice.de
Private: http://www.vogelor.de
  #15  
22nd February 2007, 11:43
vogelor (ISPConfig Developer)

Quote:
Originally Posted by till
You missed the point here:

As I posted above, many users are using the same password for many things and if the password is stored in clear text, other servers and services can be hacked, e.g. ebay accounts, paypal accounts etc.
OK - now I understand!

The "problem" is the different point of handling "users".

In MY OPINION a user on an Internet server is not a REAL user; it is a technical construct to enable database, FTP and so on. This means, in my opinion, the pwd is auto-generated and not the preference of a specific person.

In YOUR OPINION a user is a real person using his own pwd (the same one used at ebay, online banking and at the office), and so his pwd is used in "real life" and is a security hole if anybody knows it.

In my opinion this is not a problem, because the pwd is NOT a real-life pwd and so not used at ebay and others.

And this gap between your user and my user is what I have overlooked.
__________________
The new luxury is time, not money!

Company: http://www.muv.com, http://www.computerandservice.de
Private: http://www.vogelor.de
  #16  
22nd February 2007, 11:44
martinfst (Senior Member)

Quote:
Originally Posted by vogelor
but at an internet server IMHO you don't need users - you need an FTP account, you need an email account and you need a database with a pwd, but WHY users? schlund, 1und1, strato - none of them have users.
We tend to disagree then. I think they have the wrong policy. As we're all entitled to our personal opinions, I suggest we stop our discussions on the forum.
Quote:
Originally Posted by till
But we can make it really short here, we will not add clear text passwords to ISPConfig in a official build if not the majority of developers give their vote for it and I'am pretty sure they will not vote for kicking security overboard.
I second that

All times are GMT +2.