Retrieving passwords

Discussion in 'General Discussion' started by imagic, Mar 7, 2003.

  1. imagic

    imagic Well-Known Member

    Is there a way to retrieve a client's lost password through WHM or through SSH?

    Thanks,
    Lisa
     
  2. PWSowner

    PWSowner Well-Known Member

    Not that I know of. Normally you would just change their password through WHM.
     
  3. gic

    gic Well-Known Member

    No, there is no way because it could be a security risk. It encodes the password. Easiest thing is to change it via WHM and send a new one to them.
     
  4. SageBrian

    SageBrian Well-Known Member

    From a security standpoint, no one, even admins, should know anyone's password. Ever.

    An admin doesn't need it. They can reset it.

    Luckily, a lot of programmers are finally realizing this. But, there are still others that think it's ok to view passwords.

    Some bulletin board software allows admins to browse passwords. Something to keep in mind next time you register on a site. Make sure you use a different password at each site.

    Software like vBulletin, which is what cPanel is now using here, has passwords encrypted, and there is no way of knowing passwords. One of the reasons I love vBulletin. And, cPanel seems to have the same respect for passwords.

    If you need to know a user's password, for whatever odd reason, ask them for it. If you don't want them to know, then why do you need to know it? :confused:
     
  5. tedderz

    tedderz Member

    Actually, for some software you need to be able to log in to the client's account to make changes, or updates, or test out problems they are experiencing. Asking for their password can take time that sometimes you don't have. That's the benefit of admins being able to see passwords.
     
  6. rbmatt

    rbmatt Well-Known Member

    Some software like cPanel has "backdoors" for admins. In cPanel, you can log in to anyone's panel with the root password or the reseller's password.
     
  7. xsenses

    xsenses Well-Known Member

    Nice tip! I have roughly 10 of my own domains on my server and find it very hard to keep track of all the passwords. This makes it much easier.
     
  8. dianaward

    dianaward Well-Known Member

    There are some limitations when using the root password.

    The ones I've run into so far are that I can't access their phpMyAdmin to check their databases when restoring or moving them, and I can't get into their webmail if they have trouble with it. But then of course, as has been said, you can change the password or ask them for it.
     
  9. imagic

    imagic Well-Known Member

    rbmatt,

    :D Thank you, thank you, thank you!!! You're a lifesaver.

    As tedderz points out, there are times when we need to have access to a client's control panel.

    It doesn't make sense to me that in order to help a client you have to first ask them what their password is. Isn't all the emailing of passwords back and forth a bigger security risk than letting the admins of the hosting service itself have access to the passwords?

    And the idea that you can just reset the password is ludicrous. This resets the control panel password, the ftp password and the main email account password. If there's multiple people using these services, you would have to alert all of them that the password had changed and they would have to make changes in their client software (which from our experience is enough of a feat for them to accomplish when they first set up their hosting account, let alone have to keep re-doing it).

    Also, if as admins we can't be trusted with clients' passwords, then why do we have the root password to the server? Surely we can cause a lot more havoc at root than just in a client's control panel.

    Again, thank you rbmatt!
     
  10. rbmatt

    rbmatt Well-Known Member

    Glad to help,
    I agree that it is insecure to email passwords back and forth. If you have root access, you should be able to log in to anything anyway.
     
  11. dianaward

    dianaward Well-Known Member

    As I said, I can get in to upload the database again, but

    I can't then log into phpMyAdmin to check it. Seems strange to me. I have to agree with imagic. I could download all their files, including their email and databases, if I wanted to. They have just trusted me with all the data of their online businesses, in many cases (and I am trustworthy with it, I might add) so what am I being kept from by not having their passwords? Their dog's name?
     
  12. xsenses

    xsenses Well-Known Member

    Re: As I said, I can get in to upload the database again, but

    I am not sure if I am missing something, but the server/WHM does email all accounts created including password to the contact under "edit setup".
    It looks like this:
    +===================================+
    | New Account Info |
    +===================================+
    | Domain: xxxxxxxx.xxxx
    | Ip: xx.xxx.xx.xx (n)
    | HasCgi: y
    | UserName: xxxxxxx
    | PassWord: xxxxxxx
    | CpanelMod: default
    | HomeRoot: /home
    | Quota: 500 Meg
    | NameServer: xxx.xxxxxxxxxx.com.
    +===================================+
    Account was setup by: xxxx
     
  13. imagic

    imagic Well-Known Member

    Yes, xsenses, you are right. However, if the client changes their password in the Control Panel, then you will have no record of it.
     
  14. Elena

    Elena Well-Known Member

    Usually most checking can be done through a client's control panel using the root password. However other times there is the need for the password to check on FTP, mail issues and any third party software cPanel uses. If this is the case I always let my clients know before I start any type of maintenance on their account (which includes just checking things out) that their password will be temporarily reset and to respond back to let me know if they require some extra time to let anyone know who has access on the account that there will be some maintenance done for a brief period of time.

    They are free to ask for the temporary password while I'm working, however I usually don't recommend that since if they make changes while I'm trying to work on something, it can end up throwing me off and my work gets a lot harder. Once the job is complete I usually inform the client of anything that was found or if the issue was resolved. I then ask them to respond back so that I can send them the temporary password. Once I get the okay I e-mail them the temp password that was used for the maintenance and ask them to quickly modify it for their own privacy (if done correctly the client should be ready to get the password and change it ASAP.. leaving little time for someone to sniff the password through e-mail and cause any harm, similar to how it goes when you send them their password for the first time). If you are really paranoid about password security you might even tell the client to expect a phone call for the new password. :p

    It's more steps than most people take I guess (probably harder to accomplish if you are a much larger host or you just don't have the time to do the job properly), but has worked for me in the past. Some clients aren't as quick to respond.. but those clients are usually not the ones who are rushing you for an immediate resolution to whatever their problem might be. Also you'll find that some clients are still stuck on not using such good password rules, such as a different password for every service they might use online... so asking for their password can sometimes result in an angry client not wanting to divulge that information.
    This is actually done for the security of your clients. If ever, and I hope you never have this happen, your server is compromised... if the passwords are not encrypted, all your account passwords have now been directly given to whomever has broken into your system (if some passwords are not unique.. then that client has a lot more to worry about than just their website and will probably express their fear with threats directed against your company). Not only will you be facing angry clients, but also cases of privacy issues, etc. It is NEVER safe to have access to passwords.. EVER!

    Password issues are a huge thing.. I've had clients that use the same password for everything. I've found clients using their account password to connect to MySQL and having that password directly visible in a php file (which reminds me to send a note to cPanel asking if there is a way to prevent that).. just very scary things you find out by working with different types of people. There is no sure way to keep your clients safe because they will make their own mistakes.. but at least you are not liable for those mistakes, you are however liable if the server you run is not encrypting the passwords for services such as the control panel, ftp and mail and you have a breach in your server's security. :eek:

    I should probably also say that if you're thinking.. "well the server has already been compromised.. that person who broke in can now change the passwords, change/remove files/accounts/etc." Well... the only way to safeguard yourself from this is to have backups done and to have those backups stored off network in cases where you will need to unplug the current server, setup an entirely new server and restore from those backups. There are still a zillion other things that you have to do to ensure server security.. hopefully you are doing all of these things and more already.
    In most cases you shouldn't even need the password (and you probably shouldn't even ask for the password but reset it).. what I explained above is probably done in less than 1% cases where there is a problem with an account. You should have enough knowledge on how your system works or have avenues (such as these forums) to find out what would be the cause to the majority of issues experienced. You should be familiar with the files on your server and where to look when problems occur.

    Oh boy.. that was a HUGE post.. but anyhow, you might not be paranoid yet.. but just think of all these problems with hacking/cracking/etc. that are circulating the Internet just now. Be prepared for anything and always make sure your butt is covered in cases of emergency!

    That's more than my 2 cents heh but I hope it changes your minds on wanting these unencrypted passwords on your servers. It's also late which leads me to doing more rants in forums than I probably should.. haha :D

    Looking through even more stuff, I stumble on to a thread about a cPanel chat room.. it seems like you might be new to the cPanel world and might be a faster place to get your questions answered. Check this post for more details (I just discovered it myself so there I am in the cPanel chat all n00b and no one is talking! probably because it's 1:35am PST heh) http://forums.cpanel.net/showthread.php?s=&threadid=4522
     
    #14 Elena, Apr 12, 2003
    Last edited: Apr 12, 2003
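
Added example, not part of any post in this thread and not cPanel's own code: a sketch of the storage model the replies above describe, where the server keeps only a salted one-way digest, so an admin can verify or reset a password but has nothing to read back. PBKDF2-SHA256, the iteration count, the function names and the sample accounts are assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

ITERATIONS = 100_000  # assumed work factor for this illustration


def make_record(password: str) -> dict:
    """Build what the server keeps: salt and one-way digest, never the password."""
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return {"salt": salt, "digest": digest, "must_change": False}


def verify(record: dict, attempt: str) -> bool:
    """Re-derive the digest from the attempt and compare in constant time."""
    digest = hashlib.pbkdf2_hmac("sha256", attempt.encode(), record["salt"], ITERATIONS)
    return hmac.compare_digest(digest, record["digest"])


def admin_reset(store: dict, user: str) -> str:
    """The admin-side operation: overwrite the record with a random
    temporary password and flag it for change at next login."""
    temp = secrets.token_urlsafe(12)
    store[user] = make_record(temp)
    store[user]["must_change"] = True
    return temp


def change_password(store: dict, user: str, old: str, new: str) -> bool:
    """User replaces the temporary password; the new record clears the flag."""
    if not verify(store[user], old):
        return False
    store[user] = make_record(new)
    return True


def demo() -> dict:
    # Constructed sample accounts: two clients who picked the same password.
    store = {"alice": make_record("Tr0ub4dor&3"), "bob": make_record("Tr0ub4dor&3")}
    same_record = store["alice"]["digest"] == store["bob"]["digest"]
    temp = admin_reset(store, "alice")
    return {
        "same_record": same_record,  # per-user salts make the digests differ
        "old_rejected": not verify(store["alice"], "Tr0ub4dor&3"),
        "temp_accepted": verify(store["alice"], temp),
        "changed": change_password(store, "alice", temp, "n3w-long-passphrase"),
        "flag_cleared": store["alice"]["must_change"] is False,
    }
```
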
  15. dianaward

    dianaward Well-Known Member

    Your points are all interesting, except

    that 1. If the hacker is in, they have everything already, and I'm sure have better places to mess around than trying to figure out what else a particular site owner might have used the password for. And,
    2. Sending the password, even a temporary one, through email seems to me to be more dangerous than even unencrypted passwords on a server. (Though of course they get their original passwords via email in the first place.) Plus,
    3. If a password can be encrypted, it can be unencrypted. Why can't server owners have access to the encrypted passwords somehow, even if only from root?

    But, this is certainly not a huge issue, so I'm finished with it.
     