Password in control panel gone


#1

I don’t know if it’s the upgrade, but when I access user and mail it used to show the user’s password for the email or user, but now it’s gone. I can reset it but I can’t look up the password. Is this a change or a glitch?


#2

I believe it is a change that was made, probably due to the recent control panel exploit that was found and has been fixed. See this post on Dreamhost Status.




#3

It is an improvement (change) to provide increased security in the DH environment. :slight_smile:

–rlparker


#4

Yes, the previous system really, really bothered me. Passwords should not be displayable.



#5

So there’s no way to look up email passwords now…you can only reset it?

If someone breaks into an account they can just reset the password.


#6

That is correct.

This is very true, as it has always been. :wink:

–rlparker


#7

But at least you’ll know you’ve been compromised when your old password no longer works.

-Scott


#8

Yes, but this makes more work for them and takes more time, which increases the chances they’ll be noticed before they can do much (if any) damage. Also as sdayman commented, you’ll notice a lot faster when your password stops working than if they’re just using the same password as you. :slight_smile:

Overall this is a good change, I’m glad to see them do it.


#9

This was a change I didn’t like as well but it is for the best. So I know how you feel :slight_smile:



#10

I too have mixed feelings about this. In the past, I’ve had occasions where I’ve had to retrieve the passwords for my children’s email accounts for them (one of them uses web-mail exclusively and tends to forget things :wink: ). I guess I’ll just reset the password when this happens in the future.

Overall though, if the change results in better security then obviously I am all for it. :slight_smile:

Mark




#11

Just an FYI. It’s generally bad practice to allow the retrieval of passwords. This is because someone gaining access to your account through some other means now has the ability to find out your password. With this password, they can change your password. There’s also some chance that they can use this password to gain access to other systems.

I think about my own situation. I’ve only ever used sftp and ssh, not ftp, yet somehow someone has gotten my ftp password and used it to ftp in to my account.



#12

How is your FTP password different from your SSH password? I thought they used the same passwd entry.

-Scott


#13

No, it’s the same, that’s my point - ftp and telnet passwords can be sniffed because they’re transmitted in the clear. If you use sftp and ssh, short of keylogging, the only way to get the password is to steal it from the DH control panel or database.

If the password is not stored in a retrievable form, it can’t be stolen.



#14

I absolutely agree. Though it was convenient to be able to view a forgotten password through the panel, and I’ve done it before, I was never quite comfortable with having it displayed onscreen like that. I’d rather have to reset to a new password altogether than have the security risk. (And if the old password was forgotten, then setting and needing to remember a new one isn’t really more work than re-learning the forgotten password :stuck_out_tongue: )

~Daisy


#15

Well, the current passwords may no longer show up in the panel, but…

If you change the password, it is still echoed back on the following screen. A small risk of “shoulder surfing” and screen scraping still exists.

I would prefer a simple “password successfully changed” and nothing more.

I would also prefer storing md5 hashes instead of plain-text passwords. It can’t be stolen if it isn’t on the system.

Regards,
Rudy


#16

Rudy, I agree 110%.

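An added example, not part of the thread and not DreamHost's code: the storage model posts #13 and #15 ask for, where the panel keeps only a salted hash, so there is nothing to look up and a password change returns a confirmation without echoing the value. It uses PBKDF2-HMAC-SHA256 in place of the md5 mentioned in #15; the class name, mailbox names, iteration count and passwords are hypothetical or constructed.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 600_000  # PBKDF2-HMAC-SHA256 work factor (assumed setting)


class PanelCredentialStore:
    """Hypothetical panel backend: keeps salt + derived key, never the password."""

    def __init__(self):
        self._records = {}  # mailbox -> (salt, iterations, derived_key)

    @staticmethod
    def _derive(password, salt, iterations):
        return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)

    def set_password(self, mailbox, new_password):
        salt = secrets.token_bytes(16)  # fresh random salt on every change
        key = self._derive(new_password, salt, ITERATIONS)
        self._records[mailbox] = (salt, ITERATIONS, key)
        # Confirmation only: the new password is not echoed back to the screen.
        return "password successfully changed"

    def verify(self, mailbox, candidate):
        record = self._records.get(mailbox)
        if record is None:
            # Do the same work for unknown mailboxes so timing does not reveal them.
            self._derive(candidate, b"\x00" * 16, ITERATIONS)
            return False
        salt, iterations, stored = record
        return hmac.compare_digest(stored, self._derive(candidate, salt, iterations))

    def stored_fields(self, mailbox):
        """What a database thief or a panel intruder would see for this mailbox."""
        salt, iterations, key = self._records[mailbox]
        return {"salt": salt.hex(), "iterations": iterations, "key": key.hex()}


def demo():
    store = PanelCredentialStore()
    message = store.set_password("kid@example.com", "constructed-sample-pw")
    old_ok = store.verify("kid@example.com", "constructed-sample-pw")
    # Forgotten password: the only path is a reset, after which the old one fails.
    store.set_password("kid@example.com", "second-constructed-pw")
    return message, old_ok, store.verify("kid@example.com", "constructed-sample-pw")
```

There is deliberately no lookup method: a forgotten password can only be replaced, and the old one failing afterwards is the signal post #7 describes.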