From: Barry <we...@i1...> - 2006-12-12 21:35:06
Jamie Cameron wrote:
> On 12/Dec/2006 12:24 Barry wrote ..
>> I just noticed that the Edit Mailbox frame, reached from VirtualminGPL
>> displays the password in the clear next to the Leave Unchanged option.
>>
>> This is probably not a "Good Idea (TM)".
>
> Actually, I think it is :-)
>
> Virtualmin stores the plain-text password for mailbox users whenever it can,
> as it is needed if MySQL or DAV access is enabled for a user after he is created.
> So I figured I might as well display that password too .. after all, anyone who
> has permissions to see it could change it anyway.
>
> - Jamie
>

Jamie -

I'd argue that saving the passwords in the clear is not a good idea either ...

I'd also argue separately that having permission to change a pw is not the same as saying you might as well display it because shoulder surfing becomes an issue in the latter case, and since people are likely to use weak and repeated passwords in places, showing a user's password to an admin could be abused too...

Best,
Barry