Cleartext Passwords


Cleartext Passwords

Odhiambo Washington
Someone please remind me why we authenticate users using cleartext passwords with exim4u.

Why are we not using the crypt field? Anyone using crypt, please share your dovecot-sql.conf.



--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
"I can't hear you -- I'm using the scrambler."

_______________________________________________
users mailing list
[hidden email]
https://exim4u.org/mailman/listinfo/users

Re: Cleartext Passwords

gldickens3
Administrator
Hi Odhiambo,

Sorry for not replying back to you sooner.  I've been away on vacation  for several weeks and just got back home.

The cleartext password dates back to the original Vexim code as Avleen Vig recently stated on the Vexim Mailing list: 

"Indeed. The storage of the 'clear' field was something one company requested way back in 2003 I think. In hindsight it was a *terrible* idea, but I was young and naive at the time."

See: http://silverwraith.com/pipermail/vexim/2013-July/000691.html

In any event, I agree with you and Avleen that we need to get rid of the cleartext password.   Have you achieved any progress using crypt with dovecot?  Here is a "Howto" on disabling saving of passwords in clear text with Vexim:

http://axel.sjostedt.no/misc/dev/vexim-customizations/

But the referenced IMAP client is Courier instead of Dovecot.  Nevertheless, it shouldn't be that hard with Dovecot.  FWIW, I intend to fix this issue in a future release of Exim4U so that the passwords are not stored in plain text.  Please let me know if you have made any progress here and, if so, would you please share your work? I would prefer not to reinvent the wheel if it isn't necessary.

Thanks,

Gordon

Re: Cleartext Passwords

Odhiambo Washington
Hi Gordon,

I am using Dovecot (2.2.4) with MySQL.

In my dovecot-sql.conf, I have:

default_pass_scheme = MD5-CRYPT
password_query = SELECT crypt AS password FROM users,domains WHERE
users.username = '%u' AND users.enabled = '1' AND users.type='local'
and domains.enabled='1' and domains.domain_id = users.domain_id

And I have authentication working well.

I therefore have no need for the cleartext field in the DB except that
I've graciously used it to tell users what their passwd is when they
forget - which I don't think pleases them though, because they then
fail to use strong passwords, as they will be 'known' :)

Let's drop that field from the DB and any php code that stores it.

Re: Cleartext Passwords

gldickens3
Administrator
Hi Odhiambo,

Thanks for the info!

> Let's drop that field from the DB and any php code that stores it.

I agree.  Currently, the domain admins can reset any user's password.  
Is that adequate for the cases where the users forget?

Thanks,

Gordon

Re: Cleartext Passwords

Odhiambo Washington
I believe that should be the way. If someone forgets their password,
change it to something, then ask them to immediately change it to
something stronger.
I wish there was a way to enforce strong passwords. I've seen some
users set theirs to 123456 and somehow spammers get that and begin to
use your server as an open relay!



Re: Cleartext Passwords

emkay
On 18.07.13 23:04, Odhiambo Washington wrote:
> I believe that should be the way. If someone forgets their password,
> change it to something, then ask them to immediately change it to
> something stronger.
> I wish there was a way to enforce strong passwords. I've seen some
> users set theirs to 123456 and somehow spammers get that and begin to
> use your server as an open relay!

You could always do that with a bit of JavaScript, at least for
reasonable-quality passwords.

I hope I'm not giving away too much by pointing to my WIP project @
http://s1.gl/exim4ui
(it's pre-alpha - don't ask :)

If you log in here and create/edit an account you'll see what I mean.
The confirm-password box will only show up if there's a reasonably
complex password.

I think we're in the same boat. I'm glad I have the option to look up a
user's pw in the DB, because they tend to forget their password once
they've set up their mail clients and (I'm speaking for myself here) then
it's 'my job' to recover it.
I'm all in favour of dumping plaintext passwords, but I think then we
need some kind of password-forgotten function.


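Added example (my code, not Exim4U's, Dovecot's or anyone's in this thread): the server-side counterpart to the browser-side JavaScript check above and to the crypt-only lookup in Odhiambo's dovecot-sql.conf, rejecting weak passwords on the server, writing only a salted hash into the `crypt` column, verifying against it, and doing the admin reset instead of a lookup. It assumes Dovecot's {PBKDF2} scheme string looks like `{PBKDF2}$1$<salt>$<rounds>$<hex PBKDF2-HMAC-SHA1>` (confirm with `doveadm pw -s PBKDF2`), and that a per-row `{SCHEME}` prefix overrides default_pass_scheme so new rows can coexist with legacy MD5-CRYPT rows; the denylist and the user row are constructed.

```python
import hashlib
import hmac
import secrets
import string

# Dovecot PBKDF2 scheme string, as I understand its format (assumption, confirm
# with `doveadm pw -s PBKDF2`): {PBKDF2}$1$<salt>$<rounds>$<hex PBKDF2-HMAC-SHA1>.
# The {SCHEME} prefix overrides default_pass_scheme per row, so these strings can
# share the `crypt` column with legacy MD5-CRYPT rows during a migration.
PBKDF2_ROUNDS = 5000
SALT_ALPHABET = string.ascii_letters + string.digits
# Constructed stand-in for a real common-password denylist.
COMMON_PASSWORDS = {"123456", "password", "12345678", "qwerty", "111111"}
CHARACTER_CLASSES = (string.ascii_lowercase, string.ascii_uppercase,
                     string.digits, string.punctuation)


def check_policy(password: str, min_length: int = 10) -> list:
    """Return the list of policy violations; an empty list means accepted.

    A JavaScript check in the browser helps the user, but anything that talks
    to the server directly skips it, so the same rules are applied here.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if password.lower() in COMMON_PASSWORDS:
        problems.append("on the common-password denylist")
    classes = sum(any(c in group for c in password) for group in CHARACTER_CLASSES)
    if classes < 3:
        problems.append("fewer than three character classes")
    return problems


def pbkdf2_hash(password: str, salt: str, rounds: int = PBKDF2_ROUNDS) -> str:
    """Hash with PBKDF2-HMAC-SHA1 and encode in the assumed Dovecot {PBKDF2} layout."""
    key = hashlib.pbkdf2_hmac("sha1", password.encode("utf-8"),
                              salt.encode("utf-8"), rounds, dklen=20)
    return f"{{PBKDF2}}$1${salt}${rounds}${key.hex()}"


def store_password(password: str) -> str:
    """Policy-check, then return the string to write into the `crypt` column.

    Nothing else is kept: there is deliberately no `clear` value to store.
    """
    problems = check_policy(password)
    if problems:
        raise ValueError("password rejected: " + "; ".join(problems))
    salt = "".join(secrets.choice(SALT_ALPHABET) for _ in range(16))
    return pbkdf2_hash(password, salt)


def verify_password(password: str, stored: str) -> bool:
    """Check a candidate against a stored {PBKDF2} string.

    Dovecot does the same on IMAP/POP3 login; a web UI can reuse the column
    instead of keeping a cleartext copy for its own login form.
    """
    prefix = "{PBKDF2}"
    if not stored.startswith(prefix):
        return False  # legacy MD5-CRYPT rows are left to Dovecot, not handled here
    try:
        _, version, salt, rounds, _digest = stored[len(prefix):].split("$")
        if version != "1":
            return False
        expected = pbkdf2_hash(password, salt, int(rounds))
    except ValueError:  # wrong field count, non-numeric or non-positive rounds
        return False
    return hmac.compare_digest(expected.encode(), stored.encode())


def admin_reset(user_row: dict) -> str:
    """The reset flow the thread settles on: a domain admin sets a fresh random
    temporary password and flags the account so the user must change it.
    Returns the temporary password for one-time handover; only its hash is stored.
    """
    while True:
        temporary = "".join(secrets.choice(SALT_ALPHABET + "-_!.") for _ in range(14))
        if not check_policy(temporary):
            break
    user_row["crypt"] = store_password(temporary)
    user_row["must_change"] = True
    return temporary
```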

Mika Kreuder And The New Exim4U Web Interface

gldickens3
Administrator
Hello Everybody,

Please take some time to review and test drive Mika Kreuder's new Exim4U
user interface demo at:

http://s1.gl/exim4ui

It's a work in progress and we would like to hear comments. Personally, I
have been very impressed with Mika's work, and Mika has graciously agreed
to become the Lead Developer for the Exim4U project going forward as he
completes this new user interface.  We hope to have a new Exim4U release
sometime later this year, but it could fall over to early 2014 depending
on how ambitious we get and how much time we have to devote to
the project.  The new release will include the new UI as well as some
other improvements such as discarding the plain text passwords.  The new
UI will require php 5.3+ so, for some period of time going forward, we
plan to also package the legacy Exim4U interface for installations whose
older php versions do not support the new interface.

We also plan to consolidate our development repositories to GitHub.

I want to especially thank Mika for his contributions to the project!

Gordon

Re: Cleartext Passwords

Odhiambo Washington
In reply to this post by emkay
I thought about the password recovery option when I wrote the mail. I
was thinking along the lines of Wordpress - they have a password
recovery function, but that sends you a link to an e-mail address, and
I thought asking users to give their personal e-mail addresses for
recovery purposes is not something you wanna do. Not sure people think
like me.
Something like a security question and then the password is revealed
is also too much to handle.
Well, I hope there are other ideas out there...


Re: Cleartext Passwords

emkay
> I thought about the password recovery option when I wrote the mail. I
> was thinking along the lines of Wordpress - they have a password
> recovery function, but that sends you a link to an e-mail address, and
> I thought asking users to give their personal e-mail addresses for
> recovery purposes is not something you wanna do. Not sure people think
> like me.

I agree it might only be of limited use to send out a recovery link to
the address in question because you might not be able to actually
receive the mail. But at least it covers those who still can receive
mail and just need a password to set up a new mail client.
I'm open to other suggestions but I think this is the most common
procedure.


> Something like a security question and then the password is revealed
> is also too much to handle.
> Well, I hope there are other ideas out there...
>
> On 19 July 2013 00:24,  <[hidden email]> wrote:
>> Am 18.07.13 23:04, schrieb Odhiambo Washington:
>>> I believe that should be the way. If someone forgets their password,
>>> change it to something, then ask them to immediately change it
>>> something stronger.
>>> I wish there was a way to enforce strong passwords. I've seen some
>>> users set theirs to 123456 and somehow spammers get that and being to
>>> use your server as open relay!
>>
>> you could always do that with a bit of javascript. at least reasonable
>> quality passwords.
>>
>> I hope I'm not giving away too much by pointing to my WIP project @
>> http://s1.gl/exim4ui
>> (it's pre-alpha - dont ask :)
>>
>> If you login here and create/edit an account you see what I mean.
>> The confirm password box will only show up if there's a reasonable
>> complex password.
>>
>> I think we're in the same boat. I'm glad I have the option to look up a
>> user's pw in the db. Because they tend to forget their password once
>> they've setup their mail clients and (I'm speaking for myself here) then
>> it's 'my job' to recover it.
>> I'm all in favour of dumping plaintext passwords but I think then we
>> need some kind of password forgotten function.
>>
>>
>>>
>>>
>>> On 18 July 2013 23:53,  <[hidden email]> wrote:
>>>> Hi Odhiambo,
>>>>
>>>> Thanks for the info!
>>>>
>>>>> Let's drop that field from the DB and any php code that stores it.
>>>>
>>>> I agree.  Currently, the domain admins can reset any user's password.
>>>> Is that adequate for the cases where the users forget?
>>>>
>>>> Thanks,
>>>>
>>>> Gordon
>>>>
>>>>
>>>>
>>>>
>>>> On 07/18/2013 02:17 PM, Odhiambo Washington wrote:
>>>>> Hi Gordon,
>>>>>
>>>>> I am using Dovecot (2.2.4) with MySQL.
>>>>>
>>>>> In my dovecot-sql.conf, I have:
>>>>>
>>>>> default_pass_scheme = MD5-CRYPT
>>>>> password_query = SELECT crypt AS password FROM users,domains WHERE
>>>>> users.username = '%u' AND users.enabled = '1' AND users.type='local'
>>>>> and domains.enabled='1' and domains.domain_id = users.domain_id
>>>>>
>>>>> And I have authentication working well.
>>>>>
>>>>> I therefore have no need for the cleartext field in the DB except that
>>>>> I've graciously used it to tell users what their passwd is when they
>>>>> forget - which I don't think pleases them though, because they then
>>>>> fail to use strong passwords, as they will be 'known':)
>>>>>
>>>>> Let's drop that field from the DB and any php code that stores it.
>>>>>
>>>>>
>>>>>
>>>>> On 18 July 2013 20:55,  <[hidden email]> wrote:
>>>>>> Hi Odhiambo,
>>>>>>
>>>>>> Sorry for not replying back to you sooner.  I've been away on vacation  for
>>>>>> several weeks and just got back home.
>>>>>>
>>>>>> The cleartext password dates back to the original Vexim code as Avleen Vig
>>>>>> recently stated on the Vexim Mailing list:
>>>>>>
>>>>>> "Indeed. The storage of the 'clear' field was something one company
>>>>>> requested way back in 2003 I think. In hindsight it was a *terrible* idea,
>>>>>> but I was young and naive at the time."
>>>>>>
>>>>>> See: http://silverwraith.com/pipermail/vexim/2013-July/000691.html
>>>>>>
>>>>>> In any event, I agree with you and Avleen that we need to get rid of the
>>>>>> cleartext password.   Have you achieved any progress using crypt with
>>>>>> dovecot?  Here is a "Howto" on disabling saving of passwords in clear text
>>>>>> with Vexim:
>>>>>>
>>>>>> http://axel.sjostedt.no/misc/dev/vexim-customizations/
>>>>>>
>>>>>> But the referenced IMAP client is Courier instead of Dovecot.  Nevertheless,
>>>>>> it shouldn't be that hard with Dovecot.  FWIW, I intend to fix this issue in
>>>>>> a future release of Exim4U so that the passwords are not stored in plain
>>>>>> text.  Please let me know if you have made any progress here and, if so,
>>>>>> would you please share your work? I would prefer not to reinvent the wheel
>>>>>> if it isn't necessary.
>>>>>>
>>>>>> Thanks,
>>>>>>
>>>>>> Gordon
>>>>>>
>>>>>> On 06/26/2013 11:31 AM, Odhiambo Washington wrote:
>>>>>>
>>>>>> Someone please remind me why we authenticate users using cleartext passwords
>>>>>> with exim4u.
>>>>>>
>>>>>> Why are we not using the crypt field? Anyone using crypt, please share
>>>>>> dovecot-sql.conf, please.
>>>>>>
>>>>>>
>>>>>>
>>>>>> --
>>>>>> Best regards,
>>>>>> Odhiambo WASHINGTON,
>>>>>> Nairobi,KE
>>>>>> +254733744121/+254722743223
>>>>>> "I can't hear you -- I'm using the scrambler."
>>>>>>
>>>>>>
_______________________________________________
users mailing list
[hidden email]
https://exim4u.org/mailman/listinfo/users
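Added example, not code from exim4u, Vexim or any of the posters above. It shows what the thread is converging on: a salted hash written into the `crypt` column in a form Dovecot verifies directly, a server-side password policy (the JavaScript check mentioned above can only advise), and a one-time hashed reset token for the "password forgotten" function so that the `clear` column is no longer needed for recovery. The `{SSHA512}` scheme is used because the Python standard library can produce it; Dovecot honours a per-row `{SCHEME}` prefix, so such rows verify even while `default_pass_scheme = MD5-CRYPT` stays in place for older rows. Note that SSHA512 is a single salted SHA-512 pass, not an iterated scheme; for a real deployment an iterated one such as `SHA512-CRYPT` (what `doveadm pw -s SHA512-CRYPT` emits) is the better choice. The `users` dict, the `ResetTokens` store, the policy constants and the sample passwords are assumptions standing in for the real tables.

```python
"""Added example (not exim4u/Vexim code): Dovecot-compatible `crypt`
values, a server-side password policy, and single-use hashed reset
tokens.  Standard library only; table stand-ins are assumptions."""
import base64
import hashlib
import hmac
import os
import secrets
import time

# Dovecot's {SSHA512} scheme: base64( sha512(password || salt) || salt ).
# The {SCHEME} prefix on the row overrides default_pass_scheme.
SCHEME = "{SSHA512}"
SALT_LEN = 16          # Dovecot itself uses 4 bytes; any length verifies.
MIN_LEN = 12           # policy values are assumptions, not exim4u's
RESET_TTL = 3600       # reset links valid for one hour (assumption)
# Constructed shortlist of passwords rejected outright.
COMMON = {"123456", "password", "12345678", "qwerty", "123456789"}


def ssha512_hash(password, salt=None):
    """Value to store in the `crypt` column for this password."""
    salt = os.urandom(SALT_LEN) if salt is None else salt
    digest = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return SCHEME + base64.b64encode(digest + salt).decode("ascii")


def ssha512_verify(password, stored):
    """What Dovecot does with the row: split digest from salt, recompute."""
    if not stored.startswith(SCHEME):
        return False
    raw = base64.b64decode(stored[len(SCHEME):])
    digest, salt = raw[:64], raw[64:]
    candidate = hashlib.sha512(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def password_acceptable(password):
    """Server-side policy: length, not on the blocklist, 3 of 4 classes."""
    if len(password) < MIN_LEN or password.lower() in COMMON:
        return False
    classes = (any(c.islower() for c in password)
               + any(c.isupper() for c in password)
               + any(c.isdigit() for c in password)
               + any(not c.isalnum() for c in password))
    return classes >= 3


def set_password(users, username, password):
    """Admin or user password change; the cleartext is never stored."""
    if not password_acceptable(password):
        return False
    users[username] = ssha512_hash(password)
    return True


def authenticate(users, username, password):
    stored = users.get(username)
    return stored is not None and ssha512_verify(password, stored)


class ResetTokens:
    """Stand-in for an assumed `password_resets` table.  Only sha256(token)
    is kept, so a dump of it yields no usable links."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}            # username -> (token_hash, expires_at)

    def issue(self, username):
        token = secrets.token_urlsafe(32)
        token_hash = hashlib.sha256(token.encode("utf-8")).hexdigest()
        self._pending[username] = (token_hash, self._now() + RESET_TTL)
        return token                  # goes only into the e-mailed link

    def redeem(self, username, token):
        entry = self._pending.get(username)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if self._now() > expires_at:
            del self._pending[username]
            return False
        presented = hashlib.sha256(token.encode("utf-8")).hexdigest()
        if not hmac.compare_digest(token_hash, presented):
            return False
        del self._pending[username]   # single use
        return True


def complete_reset(users, tokens, username, token, new_password):
    """Link target: check policy first so a weak choice does not burn the
    token, then consume the token and replace the `crypt` value."""
    if not password_acceptable(new_password):
        return False
    if not tokens.redeem(username, token):
        return False
    users[username] = ssha512_hash(new_password)
    return True
```

`ssha512_hash("...")` gives the string to write into `crypt`; with Odhiambo's `password_query` unchanged, Dovecot reads the `{SSHA512}` prefix and ignores `default_pass_scheme` for that row. The reset flow mails `issue()`'s token to the mailbox itself, which, as emkay notes, only helps users who can still receive mail; domain admins keep `set_password()` for the rest.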