mail recover password [message #45925]
Wed, 12 November 2008 05:06
pl991  Messages: 77 Registered: July 2007
Valuable Member
select nname,realpass,password from mailaccount;
| domain | __lxen:ejNETEs1TzVPTw== | $1$/wcz0MlH$xeCY7MXnprl.vVKZbp0Da/ |
__lxen:?? This is not realpass
Thank you
[Updated on: Wed, 12 November 2008 06:06] by Moderator
Re: mail recover password [message #45926 is a reply to message #45925]
Wed, 12 November 2008 05:37
Lxhelp Messages: 23691 Registered: July 2006
The Champion
Passwords are encrypted. That's the correct way. You can reset the password.
On Wed, Nov 12, 2008 at 10:06:43AM -0000, Kris wrote:
> select nname,realpass,password from mailaccount;
> | domain | __lxen:ejNETEs1TzVPTw== | $1$/wcz0MlH$xeCY7MXnprl.vVKZbp0Da/ |
Re: mail recover password [message #45930 is a reply to message #45929]
Wed, 12 November 2008 05:46
Lxhelp Messages: 23691 Registered: July 2006
The Champion
Quote:
> Some of the passwords are real passwords, some of them are encrypted.
Lxadmin will slowly encrypt EVERYTHING. Whenever an object is loaded from the db, and then saved back, the passwords will be encrypted.
Quote:
> Why do you change this? It is stupid.
That's ABSOLUTELY NOT TRUE. Storing plain text passwords in the database is bad bad bad. Very very wrong, and lxadmin/hyperVM doesn't need plain text passwords to work at all. You can just set all the plain text passes to null, and lxadmin/hyperVM will work absolutely fine.
Why not start a poll on this?
Quote:
> I have built an application based on passwords (an addon to lxadmin, and now it is blocked).
You shouldn't build applications like that. And how were you getting the passwords anyway? You are not really supposed to access database directly, since the internal db format may change.
thanks.
Re: mail recover password [message #45932 is a reply to message #45931]
Wed, 12 November 2008 05:53
Lxhelp Messages: 23691 Registered: July 2006
The Champion
Quote:
On Wed, Nov 12, 2008 at 10:50:10AM -0000, Kris wrote:
> Plesk, Cpanel, Ensim and others store the passwords for DB, mail, ssh etc. in the database.
I don't think Cpanel does. The normal web hosting people are seriously fanatical, and they would revolt if cpanel did. Plesk and Ensim never listen to their customers anyway.
Quote:
> - how to retrieve a lost password.
> - how to add new addons
> and others.
>
> Is there any possibility to give me a function to restore passwords from the encrypted code?
You are not supposed to know the passwords of your clients. That's a breach of privacy.
thanks.
Re: mail recover password [message #45935 is a reply to message #45933]
Wed, 12 November 2008 06:06
Lxhelp Messages: 23691 Registered: July 2006
The Champion
Quote:
On Wed, Nov 12, 2008 at 10:57:29AM -0000, Kris wrote:
> > Plesk and Ensim never listen to their customers anyway.
>
> You are wrong! I'm retrieving Plesk and cPanel passwords every day!
You can RESET passwords. But you cannot SEE the existing passwords. I mean, that would be a serious breach of privacy and would really have legal implications.
You are not understanding the seriousness of the situation. A customer of yours can have the same password for his bank account and the client account with you. So if someone gets hold of the lxadmin database, he can use that to make intelligent guesses about the passwords your customer uses for his bank account.
That is a grave grave grave security threat.
Quote:
> So it will be encrypted always? If yes, I need to switch to another product (cpanel, Plesk).
>
> I was thinking of buying up to 10 licenses for lxadmin unlimited domains (the first license within 2 weeks), so it is very sad.
Yes, you are really free to use other panels. I really really do not care about selling licenses if it leads to compromise on some fundamental design issues.
Re: mail recover password [message #45937 is a reply to message #45934]
Wed, 12 November 2008 06:11
Lxhelp Messages: 23691 Registered: July 2006
The Champion
Comparison is done via the simple crypt function; use the password variable rather than the realpass variable.
Below is our check_password function. The plainpass is the password you get from the client. encpass is the password variable stored in the DB.
DO NOT use the realpass variable. That was a temporary thing we created very specifically for making some things easier. Lxadmin will work fine without the realpass and at some point, I will completely REMOVE realpass. The field itself shouldn't exist ideally.
// $plainpass: password supplied by the client.
// $encpass: value of the password column (a crypt hash such as $1$salt$...).
// crypt() takes the scheme and salt from $encpass, so re-hashing the plaintext
// with it must reproduce the stored hash exactly if the password is right.
function check_password($plainpass, $encpass)
{
    if (crypt($plainpass, $encpass) === $encpass) {
        return true;
    }
    return false;
}
On Wed, Nov 12, 2008 at 10:59:26AM -0000, Kris wrote:
> Or please email me the function to compare both texts (encrypted password); I need only the algorithm.
Re: mail recover password [message #45938 is a reply to message #45936]
Wed, 12 November 2008 06:12
Lxhelp Messages: 23691 Registered: July 2006
The Champion
I have posted the password checking function. You don't need the realpass variable at all for checking passwords. Just use the password variable, which is the real encrypted pass.
thanks.
On Wed, Nov 12, 2008 at 11:08:39AM -0000, Kris wrote:
> Quick questions:
>
> - So what is the solution for me? I need to somehow get this data from the DB. Is there any exception for me?
Re: mail recover password [message #46001 is a reply to message #45998]
Wed, 12 November 2008 13:20
Lxhelp Messages: 23691 Registered: July 2006
The Champion
encpass is the value of the password variable.
As I said many times: FORGET realpass. That is completely unnecessary.
Get the password variable, which is the encrypted password.
On Wed, Nov 12, 2008 at 05:55:52PM -0000, Kris wrote:
> Thanks.
> Can you check again.
>
> <?
> $plainpas = 'asdasd';
> $encpass = '__lxen:YXNkYXNk';
> echo crypt($plainpas, $encpass);
> // generate __4Yr0Va7jrpI not __lxen:YXNkYXNk
> function check_password($plainpass, $encpass)
> {
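An added example (not lxadmin's own code) covering the check_password post above and the crypt() mismatch quoted in message #46001: it verifies a client password only against the hashed password column, refuses non-crypt values such as the "__lxen:" realpass strings (which is exactly why Kris's call produced an unrelated DES-style string), and shows a reset as the only recovery path. It assumes PHP 7 or later for random_bytes() and hash_equals(); the account row is constructed from the thread's sample output.

```php
<?php
// Verify a client-supplied plaintext against the stored crypt(3) hash.
// crypt() reads the scheme ($1$ = MD5-crypt) and salt out of $encpass and
// re-hashes the plaintext, so the only comparison needed is hash-to-hash.
function check_password(string $plainpass, string $encpass): bool
{
    // A stored value that is not a crypt hash (e.g. the legacy "__lxen:"
    // realpass column) would be handed to crypt() as a legacy salt and could
    // never match; refuse it explicitly so the caller notices the wrong column.
    if (!preg_match('/^\$[0-9a-z]+\$/', $encpass)) {
        return false;
    }
    $candidate = crypt($plainpass, $encpass);
    // Constant-time comparison avoids leaking how many leading bytes matched.
    return hash_equals($encpass, $candidate);
}

// Password reset: the only legitimate recovery path. Produces a fresh
// MD5-crypt hash with a random 8-character salt; the old hash is discarded.
function reset_password(string $newplain): string
{
    $alphabet = './0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz';
    $salt = '';
    foreach (str_split(random_bytes(8)) as $byte) {
        $salt .= $alphabet[ord($byte) % 64];   // 256 % 64 == 0, so no bias
    }
    return crypt($newplain, '$1$' . $salt . '$');
}

// Constructed sample account row; the password hash is the one in the thread.
$account = [
    'nname'    => 'domain',
    'realpass' => '__lxen:ejNETEs1TzVPTw==',    // legacy column: never use it
    'password' => '$1$/wcz0MlH$xeCY7MXnprl.vVKZbp0Da/',
];

// An unknown guess fails, and the realpass column is rejected outright
// because it is not a crypt hash.
var_dump(check_password('wrong-guess', $account['password']));
var_dump(check_password('anything', $account['realpass']));

// Recovery is a reset: store a new hash, then verification works for the
// new password only.
$account['password'] = reset_password('new-secret-123');
var_dump(check_password('new-secret-123', $account['password']));
var_dump(check_password('new-secret-124', $account['password']));
```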
Re: mail recover password [message #51931 is a reply to message #51911]
Tue, 30 December 2008 01:17
Lxhelp Messages: 23691 Registered: July 2006
The Champion
It is not paranoid. It is not the server admin's choice either. It is a basic right of the end customer that his password cannot be seen by the server admin.
thanks.
On Tue, Dec 30, 2008 at 12:20:14AM -0000, marcoparco wrote:
> hi,
>
> you can be right about security (though it's paranoid ;),
> but WE deal with password recovery for customers every day, and I cannot change the password every time; it's a waste of time for us (your customers).

Re: mail recover password [message #51950 is a reply to message #51946]
Tue, 30 December 2008 06:07
Lxhelp Messages: 23691 Registered: July 2006
The Champion
This is a subject that has been discussed a lot of times. Passwords are ALWAYS hashed with a one-way algorithm, so that they cannot be decrypted back. This is the way Unix systems store their passwords.
The point is that the client could be using the same password for his bank account, and in that case it is a very very serious security breach.
thanks.
On Tue, Dec 30, 2008 at 10:58:19AM -0000, marcoparco wrote:
> but WE create their password when creating their account, and we could sniff it when they log in, when they use POP3, etc., even if it's SSL.