On 09/12/2013 11:12 AM, Peter Peltonen wrote:
Hi,

My 2 cents:


On Thu, Sep 12, 2013 at 7:22 PM, Johannes Weberhofer
<[email protected]> wrote:

    On 12.09.2013 14:21, Dan McAllister wrote:

        Eric,

        Why wouldn't it be possible to keep the plaintext password field
        in the vpopmail database, but protect it?
        I would think you could compile vpopmail to keep the cleartext
        passwords, but then create an additional user in the DB (an
        "admin" user) and restrict rights to view that field to the
        admin user. (NOTE: You still have to have write permission to
        that field from the vpopmail user so that updates/changes can be
        recorded).

        Just an idea...

        Dan McAllister


    Dan,

    the problem is easily described: when someone gets access to the
    database (content, dumps, backups) this person will have full access
    to the plain passwords; as many users re-use the passwords that's a
    very critical issue.


Would it be possible to encrypt the passwords in the db but at the same
time also offer a tool to print out the password in clear text (decrypt
it) if one knows a master password? Another option would be to make
the postmaster password a master password that could be used to access
all accounts in that domain.

I can imagine many occasions for small service providers that they need
to access their customers' webmails to check some preferences or to
debug if their email is working / not working. Changing the client's
password every time to do this feels cumbersome...

Regards,
Peter

I know it seems cumbersome, but it's really not all that bad. Administrators should be able to change passwords, but not see in any way what they currently are. What's the point of encrypting a password if someone can decrypt it? That's not the way encryption works. It's a one-way street (which is why it works).

"Who's watching the watchers?" - Enemy Of The State (movie, IIRC)
;)

--
-Eric 'shubes'
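As an added illustration of the point Eric makes (this is not vpopmail code and not code from anyone in this thread): the table keeps only a salted one-way hash, so an administrator can reset a password, but nothing in the table or in a dump of it reveals the current one. `MailboxStore` is a constructed in-memory stand-in, not vpopmail's schema.

```python
import base64
import hashlib
import hmac
import os

# PBKDF2 work factor; kept modest so the demo runs quickly (raise it in production).
ITERATIONS = 100_000


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: bytes = b"") -> str:
    """Return a self-describing, salted one-way hash: algo$iterations$salt$digest."""
    salt = salt or os.urandom(16)  # fresh random salt unless one is supplied
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)
    return f"pbkdf2_sha256${ITERATIONS}${_b64(salt)}${_b64(digest)}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, iterations, salt_b64, digest_b64 = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    salt = base64.b64decode(salt_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, base64.b64decode(digest_b64))


class MailboxStore:
    """Constructed in-memory stand-in for a mailbox/password table (not vpopmail's schema)."""

    def __init__(self) -> None:
        self._rows = {}  # user -> stored hash string

    def create(self, user: str, password: str) -> None:
        self._rows[user] = hash_password(password)

    def check_login(self, user: str, password: str) -> bool:
        stored = self._rows.get(user)
        return stored is not None and verify_password(password, stored)

    def admin_reset(self, user: str, new_password: str) -> None:
        # An administrator can replace a password, but no method returns the current one.
        if user not in self._rows:
            raise KeyError(user)
        self._rows[user] = hash_password(new_password)

    def leaked_backup(self) -> dict:
        # What a dump of this table would expose: hashes only, never a plaintext password.
        return dict(self._rows)
```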

