Password retrieval

Discussion in 'General Discussion' started by rmackay, Jun 20, 2007.

  1. rmackay

    Is there an easy way to be able to retrieve a customer password from the WHM interface? I used to have a Plesk server with a utility from 4psa that would grab all sorts of nice information for you, including retrieval of customer passwords, etc. That allows you to provide the customer with that info, should they request it. The only thing I can see in WHM is the ability to change the password.
     
  2. RandyO

    I do not think it is possible to retrieve passwords at all: MD5 encryption.
    I would not want this to be possible anyway; if you ever have a server hacked, the last thing you need is everyone's passwords released.
     
  3. chirpy

    It isn't possible, they're one-way encrypted. The only way you could get it would be to brute-force the shadow file and that is no guarantee and can take hours/days/months/years.
     
  4. rmackay

    I guess that shows a little bit of a security hole in Plesk then. 4psa notifications can retrieve every password stored that is used by Plesk. If someone can admin login into your psa interface, you're screwed.
     
  5. RandyO

    Exactly right, MD5 is a one-way hash and cannot be decrypted.

    I have never used Plesk but I have a tough time with the fact that the password files are accessible. As a Windows Network Administrator, I would not be very happy about it. I do not want/need/desire access to user passwords. Accountability to network or account access is a real "CYA" thing.
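
A defender-side check related to the posts above, added here as an example and not part of the original thread: it reads shadow-format lines and reports which one-way hash scheme each account uses, flagging MD5-crypt (`$1$`) entries. Because the stored hash cannot be reversed, moving an account to a stronger scheme needs a password change. The sample lines, the `classify` and `audit` names, and the acceptable/weak policy are assumptions of this example.

```python
# Added example: audit which hash scheme each shadow-format entry uses.
# SAMPLE lines are constructed; salt and hash strings are placeholders.
SCHEMES = {  # crypt(3) prefix id -> (name, acceptable under this example's policy)
    "1": ("md5-crypt", False),
    "2a": ("bcrypt", True), "2b": ("bcrypt", True), "2y": ("bcrypt", True),
    "5": ("sha256-crypt", True),
    "6": ("sha512-crypt", True),
    "y": ("yescrypt", True),
}

def classify(line):
    """Return (user, scheme, finding) for one shadow-format line."""
    fields = line.rstrip("\n").split(":")
    if len(fields) < 2:
        raise ValueError("not a shadow-format line: %r" % line)
    user, pw = fields[0], fields[1]
    if pw == "":
        return user, "none", "EMPTY: no password required"
    if pw[0] in "!*":
        return user, "locked", "ok: password login disabled"
    parts = pw.split("$")  # "$id$salt$hash" -> ["", id, salt, hash]
    if parts[0] != "" or len(parts) < 4:
        return user, "legacy-or-unknown", "WEAK: not a modular crypt hash, force a password change"
    name, acceptable = SCHEMES.get(parts[1], ("unknown", False))
    if acceptable:
        return user, name, "ok: salted one-way hash"
    return user, name, "WEAK: rehash needs the plaintext, force a password change"

def audit(lines):
    """Return only the entries that need attention (anything not 'ok')."""
    rows = [classify(l) for l in lines if l.strip() and not l.startswith("#")]
    return [r for r in rows if not r[2].startswith("ok")]

SAMPLE = [  # constructed entries, not taken from any real system
    "alice:$1$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13684:0:99999:7:::",
    "bob:$6$CONSTRUCTEDSALT$CONSTRUCTEDHASH:13684:0:99999:7:::",
    "carol:!!:13684:0:99999:7:::",
    "dave::13684:0:99999:7:::",
]

if __name__ == "__main__":
    for user, scheme, finding in audit(SAMPLE):
        print("%-8s %-12s %s" % (user, scheme, finding))
```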
     