cleartext db passwords -> hashed

Discussion in 'General' started by pbrille, Apr 24, 2013.

  1. pbrille

    pbrille New Member


    when I looked manually into my ispconfig database I spotted that there are quiet a lot DB users with cleartext passwords. I simply don't want this (of course).

  2. till

    till Super Moderator Staff Member ISPConfig Developer

    This has been changed in current ispconfig versions. Create a new db user after you updated to a current versiona and you will see that.
  3. pbrille

    pbrille New Member


    I'm talking about existing users. They have cleartext passwords stored in the DB. That's unacceptable.
    There are quite a lot users in there, so recreating the user is not an option.
    Which hashing algorithm has been used? With or without salt? Which encoding? If you tell me I will write a script on my own.

    Thank you
  4. till

    till Super Moderator Staff Member ISPConfig Developer

    The passwords of mysql users are encrypted with the mysql password() command.
  5. Ben

    Ben ISPConfig Developer ISPConfig Developer

    I can just confirm that for all my entries in that table.
  6. till

    till Super Moderator Staff Member ISPConfig Developer

    The mysql passwords in older versions were stored in cleartext. This had been changed to hashed passwords since 3.0.4.x versions of ispconfig if I reember correctly. Some mysql user editing commands required a cleartext password, so we had to keep the password in clertext. In 3.0.4 we found a way to work around the mysql commands and were able to switch to encoded passwords for new and updated mysql users.
    Last edited: Apr 26, 2013

Share This Page