From: Jamie C. <jca...@we...> - 2006-12-12 22:47:06
On 12/Dec/2006 13:34 Barry wrote ..
> Jamie Cameron wrote:
> > On 12/Dec/2006 12:24 Barry wrote ..
> >> I just noticed that the Edit Mailbox frame, reached from VirtualminGPL
> >> displays the password in the clear next to the Leave Unchanged option.
> >>
> >> This is probably not a "Good Idea (TM)".
> >
> > Actually, I think it is :-)
> >
> > Virtualmin stores the plain-text password for mailbox users whenever it can,
> > as it is needed if MySQL or DAV access is enabled for a user after he is created.
> > So I figured I might as well display that password too .. after all, anyone who
> > has permissions to see it could change it anyway.
> >
> > - Jamie
> >
> Jamie -
> I'd argue that saving the passwords in the clear is not a good idea
> either ...

It is unfortunately inevitable for some features to work :(

> I'd also argue separately that having permission to change a pw is not
> the same as saying you might as well display it because shoulder surfing
> becomes an issue in the latter case, and since people are likely to use
> weak and repeated passwords in places, showing a user's password to an
> admin could be abused too...

Good point - I will probably add a module config option to not display them ..

- Jamie