Hello Michael, 

On Sun, 5 Mar 2000 at 10:46:41 [GMT +0100], you wrote:
MW> Is there any way for an administrator to reset/set a password for
MW> an account, whose user has forgotten his password?

Here is a repost of a message I sent quite a while back concerning the
real lack of security in TB using passworded accounts.

You should be able to figure out from this how to do what you need.

------

I got bored today and started playing with the account passwords. I
remember someone posting a while back that you could move a folder
from a passworded account to another account and read the messages in
TB.

After confirming this, and confirming that an account password is
stored in the account.cfg file, I did the below:

1. Made a backup of the account.cfg in case I screwed up.
2. In TB, I passworded an account
3. Using Textpad, I opened both the account.cfg and my backup
4. I compared the sections where the account password appeared and
   then just deleted the account password in account.cfg. I also
   removed some blank characters (or they appeared that way in
   Textpad.) It happened to be three blank characters, and wouldn't
   you know it, I was short three null characters in the resulting
   account.cfg line where the account password had appeared.
5. Just for grins, I didn't replace them and saved account.cfg
6. Closed and restarted TB
7. The passworded account was no longer passworded.

This is a major bummer in two aspects.

The first is that obviously a moved messages.msb should not be readable
by TB when moved to another account.

Speaking of which, I couldn't figure this one out. After passwording
an account, the messages.msb appears encrypted (at least to plaintext
editors). After moving the "encrypted" messages.msb to an unpassworded
account which TB can then read, the messages.msb file still appears
"encrypted" to plaintext editors. Is it encrypted or what? If so, it
appears independent of the account password, so maybe just an XOR or
something which TB can recognize and undo.

Secondly, although I realize that moving the messages.msb is simpler
than editing out the password, there should be some sort of hash or
checksum that will recognize that something is missing in the
account.cfg. Granted, every time that you change an account setting,
the checksum/hash would have to be recalculated, but once you have an
account set up, you really don't mess with its properties after that
(other than to maybe add quick templates or cookies (if not using an
external cookie file)).

My point is that I don't see the use of password protecting your
account except to keep nosey but non-computer savvy people from
reading your mail.


------


Leif Gregory 

-- 
TBUDL/TBBETA List Moderator
ICQ 216395 <[EMAIL PROTECTED]>
Web Site   <http://www.pcwize.com>
TBUDL FAQ  <http://www.pcwize.com/thebat/faq.shtml>

PGP Key ID: 
  0x8604279A (DH/DSS)
Fingerprint: 
  9E16 4316 FA42 5DC6 EB1D  D0ED D37A 858A 8604 279A


Using The Bat! 1.41 Beta/3 under Windows 98 4.10 Build 2222 A  
on a Pentium III 500 MHz notebook with 128MB.

Tagline of the day:
Percussive maintenance - The fine art of slapping the crap out of an
electronic device to get it in working order again.
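
The hash/checksum idea from the message above, as an added example that is not part of the original post and not The Bat!'s own code: a plain checksum could be recomputed by whoever edits the file, so this version keys an HMAC from the account password instead. The text layout, field names, `seal=` trailer and iteration count are assumptions made for illustration.

```python
import hashlib
import hmac
import os

ITERATIONS = 100_000  # PBKDF2 work factor (assumed value)


def _key(password: str, salt: bytes) -> bytes:
    """Derive the MAC key from the account password; the key is never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, ITERATIONS)


def seal(settings: bytes, password: str) -> bytes:
    """Return the settings followed by a 'seal=<salt>:<tag>' trailer line."""
    salt = os.urandom(16)
    tag = hmac.new(_key(password, salt), settings, hashlib.sha256).hexdigest()
    return settings + b"seal=" + salt.hex().encode() + b":" + tag.encode() + b"\n"


def verify(sealed: bytes, password: str) -> bool:
    """True only if the settings are byte-for-byte what was sealed with this password."""
    settings, sep, trailer = sealed.rpartition(b"seal=")
    if not sep:
        return False  # fail closed: a missing seal is treated as tampering
    try:
        salt_hex, tag_hex = trailer.strip().decode("ascii").split(":")
        salt = bytes.fromhex(salt_hex)
    except ValueError:
        return False  # malformed trailer
    expected = hmac.new(_key(password, salt), settings, hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, tag_hex)


# Constructed sample in a hypothetical text layout, not The Bat!'s real format.
SAMPLE = b"name=Work\nserver=mail.example.org\nprotected=1\n"


def demo() -> dict:
    sealed = seal(SAMPLE, "correct horse")
    edited = sealed.replace(b"protected=1\n", b"")  # a line deleted in an editor
    stripped = sealed.rpartition(b"seal=")[0]        # trailer removed as well
    return {
        "intact": verify(sealed, "correct horse"),
        "wrong_password": verify(sealed, "guess"),
        "line_deleted": verify(edited, "correct horse"),
        "seal_removed": verify(stripped, "correct horse"),
    }


if __name__ == "__main__":
    print(demo())
```

This only detects edits to a sealed settings file; keeping messages.msb unreadable outside its account would additionally require encrypting it under a key derived from the same password.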


