
Thread: Retrieve user passwords without resetting them

  1. #1 rabbtux (Starter Member)

    All,

    Looked around first, so I hope this isn't a dumb question. My mail users are often less sophisticated, and expect me to give them the current password. If I have to change it to know it, it creates many support headaches for instructing folks on email client setup again, if they are on the road with webmail.

    Certainly there must be some way for an administrator to tell a user what their current password is?

    Thanks, rabbtux

  2. #2 dijichi2 (OpenSource Builder & Moderator)

    Passwords in Unix or LDAP are almost always stored in a non-reversible encrypted format. It is fundamental to security that you cannot retrieve passwords from a system.

    Consider re-educating your users and your helpdesk. Discussing passwords, whether in person, by email or over the phone, represents a failure of security policy. Passwords should never, ever be disclosed, even to IT support.

  3. #3 danielfarrelly (Special Member, Los Gatos, CA)

    Quote Originally Posted by dijichi2:
    Passwords in Unix or LDAP are almost always stored in a non-reversible encrypted format. It is fundamental to security that you cannot retrieve passwords from a system.

    Consider re-educating your users and your helpdesk. Discussing passwords, whether in person, by email or over the phone, represents a failure of security policy. Passwords should never, ever be disclosed, even to IT support.

    Amen, brother.

  4. #4 rabbtux (Starter Member)

    I'm well aware of the security implications; however, my business is made up of a bunch of smaller customers. "Re-education" would have a business cost in explaining why I can't do what I used to do to provide support for customers.

    Just imagine: someone calls because they're traveling and need to get into their Zimbra webmail. Great, I change it and they're in. Now a week later I get a call that "my email doesn't work" and have to walk them through the password change on any one of the 4 or 5 email clients my customers use.

    This is a critical issue for me to solve before replacing my qmail server. Everything else is ready to go.

  5. #5
    uxbod's Avatar
    uxbod is offline Moderator
    Join Date
    Nov 2006
    Location
    UK
    Posts
    8,017
    Rep Power
    24

    Default

    Welcome to support.

    Why not just keep setting it to password123? That way they will never forget.

    As already said re-education is the way to go.

    I have just migrated a large ERP solution, 900 users, and had to reset all their passwords as I changed the complexity of the password. We have had a huge volume of calls saying how do I do it, with just three staff. They do learn, it is how you explain it.

  6. #6
    LMStone's Avatar
    LMStone is offline Moderator
    Join Date
    Sep 2006
    Location
    477 Congress Street | Portland, ME 04101
    Posts
    1,367
    Rep Power
    10

    Default

    Quote Originally Posted by uxbod:
    Welcome to support.

    Why not just keep setting it to password123? That way they will never forget.

    As already said re-education is the way to go.

    I have just migrated a large ERP solution, 900 users, and had to reset all their passwords as I changed the complexity of the password. We have had a huge volume of calls saying how do I do it, with just three staff. They do learn, it is how you explain it.
    I agree totally that re-education is the way to go, but you can also set a standard, initial and easy-to-remember complex password and force the user to change the password on first login via the Admin UI.

    One reason we don't use passwords like password123 anymore is because we are seeing attempts from hackers to login to the Zimbra web interface.

    One such complex password we used to use (please don't use it!) is 2mUch!cE, which translates as "Too much ice!" which, in Maine, is pretty easy to remember. :-)

    Car and Driver magazine in the '70s had a picture of a Ferrari vanity license plate of IXLR8; same idea...

    A password that is easy to remember but technically "complex" to use as an initial must-be-changed password is a pretty safe way to go IMHO.

    Hope that helps,
    Mark

  7. #7
    EdMartin is offline Senior Member
    Join Date
    Jun 2007
    Location
    Plantation, FL
    Posts
    59
    Rep Power
    8

    Default

    It's not a new idea, but we impose complex passwords on all our users together with mnemonic phrases that (usually) enhance their ability to remember. For example, the phrase

    For Pete's sake! Why does this password have to be so complicated?

    corresponds to the password

    FPs!Wdtph2Bsc?

    With a small number of users, it's kind of fun to come up with the phrases. Starting from scratch with a thousand or more would be a real chore though!
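The first-letter rule behind the example above, written out as code so the mapping from phrase to password is explicit. This is an added example, not code from the original post or from Zimbra; the substitution table (the page's own "to" -> "2" and "be" -> "B", plus "and" and "you", which are assumptions) and the complexity rule (at least 8 characters and three of four character classes) are choices made for this illustration, not a Zimbra password policy.

```python
import string

# Whole-word homophone substitutions. "to" -> "2" and "be" -> "B" are the
# ones visible in the post's example; "and" and "you" are assumptions added
# here and can be removed without changing that example.
WORD_SUBSTITUTIONS = {"to": "2", "be": "B", "and": "&", "you": "U"}

# Trailing punctuation is carried into the password as-is ("sake!" -> "s!").
TRAILING_PUNCT = "!?.,;:"


def mnemonic_password(phrase: str) -> str:
    """Derive a password from a phrase: first letter of each word, with
    whole-word substitutions and trailing punctuation preserved."""
    parts = []
    for token in phrase.split():
        core = token.rstrip(TRAILING_PUNCT)
        punct = token[len(core):]
        if not core:            # token was punctuation only
            continue
        replacement = WORD_SUBSTITUTIONS.get(core.lower())
        parts.append((replacement if replacement is not None else core[0]) + punct)
    return "".join(parts)


def meets_complexity(password: str, min_length: int = 8) -> bool:
    """Assumed complexity rule: minimum length and at least three of
    lowercase, uppercase, digit, punctuation."""
    classes = (
        any(c.islower() for c in password),
        any(c.isupper() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return len(password) >= min_length and sum(classes) >= 3


if __name__ == "__main__":
    phrase = "For Pete's sake! Why does this password have to be so complicated?"
    pw = mnemonic_password(phrase)
    print(pw, "complex:", meets_complexity(pw))
```

Two caveats when handing these out: a phrase published anywhere (including this thread) is burned, and first-letter passphrases drawn from well-known sayings are a standard cracking wordlist, so the phrases have to be the users' own, not song lyrics or proverbs.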

  8. #8
    bdial's Avatar
    bdial is offline Moderator
    Join Date
    Jul 2007
    Location
    Baltimore
    Posts
    1,649
    Rep Power
    11

    Default

    I don't know if password encryption is done by zimbra or by openldap. If it's the latter, I know you can set openldap not to encrypt passwords and to store them in plain text. Then you could just do a ldap query to retrieve the password.

    This of course would not be a best practice. However, if you're using a multi server setup where the zimbra ldap server is internal only maybe even behind another firewall then it would be significantly safe.
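What #2 and #8 are each describing, as an added example (not code from the original posts, from Zimbra or from OpenLDAP): the `{SSHA}` userPassword format OpenLDAP uses, base64 of SHA-1(password || salt) followed by the salt, can be verified against a candidate but gives an administrator nothing to read back, whereas a `{CLEARTEXT}` value (or a bare value with no scheme prefix) is exactly what an LDAP search of userPassword would return. The sample entries are constructed for this example; the passwords in them are the ones quoted elsewhere in this thread. SHA-1 is used because that is what the `{SSHA}` scheme is, not because it is a recommended password hash for new designs.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional, Tuple


def ssha_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Produce an OpenLDAP-style {SSHA} value:
    "{SSHA}" + base64( SHA1(password || salt) || salt )."""
    if salt is None:
        salt = os.urandom(4)          # slapd uses a short random salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def _split_scheme(value: str) -> Tuple[str, str]:
    """Split "{SCHEME}payload" into (SCHEME, payload).
    A value with no {SCHEME} prefix is stored and compared as cleartext."""
    if value.startswith("{") and "}" in value:
        end = value.index("}")
        return value[1:end].upper(), value[end + 1:]
    return "CLEARTEXT", value


def verify_password(stored: str, candidate: str) -> bool:
    """Check a candidate against a stored userPassword value without
    learning anything about the stored password beyond match/no match."""
    scheme, payload = _split_scheme(stored)
    cand = candidate.encode("utf-8")
    if scheme == "SSHA":
        raw = base64.b64decode(payload)
        digest, salt = raw[:20], raw[20:]   # SHA-1 digest is 20 bytes
        return hmac.compare_digest(hashlib.sha1(cand + salt).digest(), digest)
    if scheme == "SHA":
        return hmac.compare_digest(hashlib.sha1(cand).digest(),
                                   base64.b64decode(payload))
    if scheme == "CLEARTEXT":
        return hmac.compare_digest(payload.encode("utf-8"), cand)
    raise ValueError("unsupported password scheme: " + scheme)


def recoverable_plaintext(stored: str) -> Optional[str]:
    """What an admin who can read userPassword actually gets back:
    the password itself only for cleartext storage, otherwise nothing."""
    scheme, payload = _split_scheme(stored)
    return payload if scheme == "CLEARTEXT" else None


# Constructed sample directory data for this example (fixed salt so the
# {SSHA} value is reproducible; a real server picks a random salt).
FIXED_SALT = bytes.fromhex("deadbeef")
SAMPLE_USERPASSWORD = {
    "alice": ssha_hash("2mUch!cE", FIXED_SALT),   # hashed: not retrievable
    "bob": "{CLEARTEXT}FPs!Wdtph2Bsc?",           # what #8 proposes
    "carol": "password123",                       # no prefix: also cleartext
}


if __name__ == "__main__":
    for user, value in SAMPLE_USERPASSWORD.items():
        print(user, value, "->", recoverable_plaintext(value))
```

One check worth doing before relying on the approach in #8: the slapd `password-hash` directive only governs passwords set through the LDAP Password Modify extended operation, so whether a Zimbra password change actually goes through that path on your deployment has to be confirmed on the server rather than assumed. And "internal only" does not help much once anyone with a directory bind can read userPassword in the clear, including whatever backup or replication copies of the directory exist.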

  9. #9
    p24t is offline Moderator
    Join Date
    Mar 2007
    Location
    Austin
    Posts
    441
    Rep Power
    8

    Default

    Here, we assign our users passwords. They don't always like it, but I always have their password, and I'm certain that they meet the password security guidelines. It's in our policy, so it makes SOX happy enough.

  10. #10
    bradb21's Avatar
    bradb21 is offline Advanced Member
    Join Date
    Aug 2007
    Location
    Chicago Area, USA
    Posts
    189
    Rep Power
    7

    Default

    Quote Originally Posted by p24t:
    Here, we assign our users passwords. They don't always like it, but I always have their password, and I'm certain that they meet the password security guidelines. It's in our policy, so it makes SOX happy enough.

    One person who knows every person's password hardly seems SOX compliant to me???
    Release 6.0.2_GA_1912.UBUNTU8_64 UBUNTU8_64 NETWORK edition + Mobile Option
    Activesync with Moto Q9C, HTC Touch Pro, Palm Pro, & Palm Pre
