1

Topic: plain text passwords

Hi,

Is there a standard way to store plaintext passwords, either in addition to or instead of the hashed passwords? Is there any easy way to decrypt the hashed passwords?

I'm researching this for an ISP install, and it is mandatory that we have access to users' passwords for support calls. Users often write with a problem and we need to be able to log in as the user without first emailing them back to get passwords (insecure to send over email anyway).

Any ideas? So far I've just hacked up the scripts to do it, but I'm curious if there is a formal way to do this. I can't imagine running any large support system without this.

Thanks!

P.S. And yes I realize that in general storing the passwords in plaintext is a horrible idea.

2

Re: plain text passwords

Well, dovecot SASL supports this (and so will Postfix, because it uses dovecot's authentication), and PostFixAdmin does, so it's easily doable.
But, as you said, it's a horrible idea, from all points of view. If your database gets hacked, you will expose the passwords of all your users. If you have a disgruntled employee, the same.

skyside wrote:

I can't imagine running any large support system without this.

I beg to differ.
1) You can set up a master account to log in to all users' accounts. You won't need their passwords, but even this won't be necessary, because:
2) You have anything you need in the logs. Really, anything.
3) Logging in as the users won't really help you at all. Very rarely is the problem with the server itself; 99.999% of the time it's with the user's config (crashed IMAP client, wrong host, forgot password, doesn't know how to use the program, etc.). You will need remote support for this (VNC repeater, Team Viewer, etc.). And when it's really a problem with the servers, you will see it in the logs, very big and very clear.

3

Re: plain text passwords

I totally agree. Our major problem is support requests like:

"my email doesn't work" (end of message)

We of course know that it DOES work, but still we need to verify just in case by doing a test login. To duplicate things 100% we need to log in as them with their password, just to cover that .001% when there is a problem that somehow our monitoring is missing.

skyside wrote:

I can't imagine running any large support system without this.

I beg to differ.
1) You can set up a master account to log in to all users' accounts. You won't need their passwords, but even this won't be necessary, because:
2) You have anything you need in the logs. Really, anything.
3) Logging in as the users won't really help you at all. Very rarely is the problem with the server itself; 99.999% of the time it's with the user's config (crashed IMAP client, wrong host, forgot password, doesn't know how to use the program, etc.). You will need remote support for this (VNC repeater, Team Viewer, etc.). And when it's really a problem with the servers, you will see it in the logs, very big and very clear.

4

Re: plain text passwords

I'd like the same function, to retrieve the passwords of our customers and store them in plaintext. We have exactly the same problems as Skyside.

As far as I know, the LDAP backend stores the password with SHA1, and MySQL with MD5. I'm tempted to run a CUDA brute force attack ... :)

5

Re: plain text passwords

Simply changing 'default_pw_scheme' to 'PLAIN' in iRedAdmin will save PLAIN passwords in OpenLDAP.

iRedAdmin-Pro-MySQL doesn't support this yet; we will consider implementing it in a future release.
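The posts above describe a directory that holds salted SHA-1 hashes for existing users while a 'PLAIN' scheme would store new passwords recoverably. The following added example (not code from iRedMail, iRedAdmin, Dovecot or any poster in this thread) shows what that difference means in practice: an RFC 2307 style "{SCHEME}" value is generated for each scheme, a verifier dispatches on the prefix so both kinds of entry can be checked during a login, and an audit function lists the accounts whose password is readable by anyone with access to the database. The function names, the sample accounts and the exact "{SSHA}" layout (base64 of the 20-byte digest followed by the salt) are assumptions of this example.

```python
import base64
import hashlib
import hmac
import os
from typing import Dict, List, Optional

# Assumed layout for an {SSHA} value: base64(sha1(password + salt) + salt).
SSHA_DIGEST_LEN = 20


def make_ssha(password: str, salt: Optional[bytes] = None) -> str:
    """Store a password as a salted SHA-1 hash (not reversible)."""
    if salt is None:
        salt = os.urandom(8)  # fresh random salt per entry
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def make_plain(password: str) -> str:
    """Store a password as-is; anyone reading the directory can read it."""
    return "{PLAIN}" + password


def verify(password: str, stored: str) -> bool:
    """Check a login attempt against a stored value of either scheme."""
    if stored.startswith("{SSHA}"):
        raw = base64.b64decode(stored[len("{SSHA}"):])
        digest, salt = raw[:SSHA_DIGEST_LEN], raw[SSHA_DIGEST_LEN:]
        candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
        # constant-time comparison avoids leaking how many bytes matched
        return hmac.compare_digest(candidate, digest)
    if stored.startswith("{PLAIN}"):
        return hmac.compare_digest(
            stored[len("{PLAIN}"):].encode("utf-8"), password.encode("utf-8")
        )
    raise ValueError("unsupported password scheme: " + stored[:10])


def recoverable(stored: str) -> Optional[str]:
    """What a reader of the database learns without guessing anything."""
    if stored.startswith("{PLAIN}"):
        return stored[len("{PLAIN}"):]
    return None  # a hash reveals nothing directly


def audit_plaintext(directory: Dict[str, str]) -> List[str]:
    """List accounts whose password is stored recoverably (a defender's check)."""
    return sorted(user for user, value in directory.items() if recoverable(value))


def check_login(directory: Dict[str, str], user: str, password: str) -> bool:
    """Login check that works for a directory mixing both schemes."""
    stored = directory.get(user)
    return stored is not None and verify(password, stored)


# Constructed sample directory: one pre-existing hashed user, one user
# created after the scheme was switched to PLAIN.
SAMPLE_DIRECTORY: Dict[str, str] = {
    "alice@example.com": make_ssha("alice-pass"),
    "bob@example.com": make_plain("bob-pass"),
}

if __name__ == "__main__":
    print("alice login ok:", check_login(SAMPLE_DIRECTORY, "alice@example.com", "alice-pass"))
    print("bob login ok:", check_login(SAMPLE_DIRECTORY, "bob@example.com", "bob-pass"))
    print("readable without guessing:", audit_plaintext(SAMPLE_DIRECTORY))
```

Because the verifier keys on the prefix, entries written under the old hashed scheme keep working next to new plaintext ones; the cost is that every entry the audit function reports is exposed to anyone, insider or intruder, who can read the directory.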

6 (edited by Albux 2011-02-24 03:37:55)

Re: plain text passwords

ZhangHuangbin wrote:

Simply changing 'default_pw_scheme' to 'PLAIN' in iRedAdmin will save PLAIN passwords in OpenLDAP.

iRedAdmin-Pro-MySQL doesn't support this yet; we will consider implementing it in a future release.

Hello Zhang,

If I change to PLAIN in an existing installation, what will happen to the existing passwords?
Will the old users still be able to log in?

And... where do we find 'default_pw_scheme'? :)

7

Re: plain text passwords

For any reader thinking of implementing this kind of "plaintext" storage: maybe you want to read this article too: The H: Storing passwords in uncrackable form
Greetings

Mike