Request for plain-text passwords in database

Discussion in 'Installation/Configuration' started by ispcomm, Oct 31, 2013.

  1. ispcomm

    ispcomm Member

    I see that by default the passwords in ispconfig are stored in crypt-md5 format in the database.

    My concern is mainly for mail passwords.

    The crypt-md5 requires that the password is sent in clear over the line, and this means relying on other layers of protection (ssl/tls).

    In many cases, the users are "ignorant" and thus they use plain text passwords over unencrypted channels. This being airport wifi hotspots, rogue links etc etc.

    It would be wise to allow for plain-text storage of passwords in the database, and the use of challenge-response authentication mechanisms (like cram-md5 etc), as used in most newer protocols (voip for example).

    IMHO it's more likely to have passwords stolen from the line, rather having a server hacked and passwords stolen from there.

    Is there a way to configure ispconfig to store the plain passwords instead of the crypted ones?
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    No. ISPConfig dos not support insecure password storage in plaintext. If you dont want that your customers use smtp without tls, then you can configure postfix to allow only encrypted smtp connections.
  3. ispcomm

    ispcomm Member

    I understand your point... which is higly respected, but opinable.

    The issue is:

    1. it is impossible to force people to use TLS because it not commonly supported by all clients, and because it causes issues with shared hosting SSL certificates (there is no way to create a wildcard certificate for every mail.domain.ext customer domain).

    2. It is much more likely that a password is stolen from the air/line than for an attacker to hack into a server and steal all passwords. Basically, you're giving plain text passwords, many times a day for every account on the system, and there are thousands in my case. You can easily calculate the probability for one password being stolen, per day and then used to spam the world.

    3. Point 2 is particularly a problem with hosting business sites for people traveling in the eastern part of the world (like most tech companies which are our usual customers). There is issue with mobile phones connecting to open-air wifi points. Configuring these phones to accept "any tls certificate" is the only solution, but this only gives FALSE sense of security, as a MIM attack cannot be detected (the phone will accept any forged cert you give it).

    4. It is ultimately a decision to be made by the system administrator and there is no one size fits all (this is precisely what I like with ispconfig: flexibility).

    Any chance to review the official position on this? Would you accept patches against ispconfig ?
    Last edited: Nov 2, 2013
  4. ispcomm

    ispcomm Member

    The unevitable starts to happen. I migrated a small batch of 450 account to ispconfig on a small two server cluster.

    After 3 days of operation, 2 accounts have been already hacked in and used to spam. These accounts had good passwords (10 letters+numbers) and have been safe for the last 4-5 years.

    The servers are safe with encrypted password, but users are giving them in plain text to the world every time they check their mail. This cannot be true.

    I am in a multi-server, multi-seller, multi-branded environment, where each reseller uses my system with their own name and resells it to their customers.

    I cannot reveal the name of the hosting company to the end customers by forcing them to connect via ssl to a server named after the hosting company which is different to the company that sells them the service.

    I don't know how to make this more clear.... plain passwords are very bad over the internet. period. Can we fix this is ispconfig?

    EDIT: Pls. correct me if I'm wrong: All this boils down to personal preference, and to changing the mail_user_password.tform.php form (a single line change to set the encryption of the password field), and then allowing dovecot/postfix/courier etc to use the cram-md5 in addition to plain auth.
    Last edited: Nov 7, 2013
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    Right, thats why you use tls to connect to smtp and imap. Plain text passwords in the database are very bad as well. When you use tls, then the passwords are always send encrypted over the internet.

    If I would knwo that ISP that I use stores passwords in plaintext, I wuld leave that service immediately. Its just grossly negligent and I guess the provider will be liable in many countries for password misuse if he acts like this.

    Btw. there ar many viruses and trojans out there lately that steal mailbox passwords from the mail clients, so this can be the case with your accounts as well.

    If you want to have an option to save cleartext passwords in the database, then feel free to make a featurerequest in the bugtracker. When it gets enough votes, then we will put it on the roadmap.

Share This Page