Retrieve user passwords without resetting them

[rabbtux]

All,

Looked around first, so I hope this isn't a dumb question. My mail users are often less sophisticated, and expect me to give them the current password. If I have to change it to know it, it creates many support headaches for instructing folks on email client setup again, if they are on the road with webmail.

Certainly there must be some way for an administrator to tell a user what their current password is?

Thanks, rabbtux

[dijichi2]

passwords in unix, or ldap are almost always stored in non-reversible encrypted format. it is fundamental to security that you cannot retrieve passwords from a system.

consider to reducate your users, and your helpdesk. discussing passwords, whether in person, or email or over the phone represents a failure of security policy. passwords should never, ever, be disclosed, even to IT support.

[danielfarrelly]

Quote:

Originally Posted by dijichi2

passwords in unix, or ldap are almost always stored in non-reversible encrypted format. it is fundamental to security that you cannot retrieve passwords from a system.

consider to reducate your users, and your helpdesk. discussing passwords, whether in person, or email or over the phone represents a failure of security policy. passwords should never, ever, be disclosed, even to IT support.

amen, brother

[rabbtux]

I'm well aware of the security implications, however, my busness is made up of a bunch of smaller customers. "Re-education" would have a business cost in explaining why I can't do what I used to to provide support for customers.

Just imagine, someone calls because they're traveling and need to get into their zimbra webmail. Great, I change it and they're in. Now a week later I get a call that 'my email doesn't work' and have to walk them through the password change on any 1 of the 4 or 5 email clients my customers use.

This is a critical issue for me to solve before replacing my qmail server. Everything else is ready to go.

[uxbod]

Welcome to support

Why not just keep setting it to password123, that why they will never forgot.

As already said re-education is the way to go.

I have just migrated a large ERP solution, 900 users, and had to reset all their passwords as I changed the complexity of the password. We have had a huge volume of calls saying how do I do it, with just three staff. They do learn, it is how you explain it.

[LMStone]

Quote:

Originally Posted by uxbod

Welcome to support

Why not just keep setting it to password123, that why they will never forgot.

As already said re-education is the way to go.

I have just migrated a large ERP solution, 900 users, and had to reset all their passwords as I changed the complexity of the password. We have had a huge volume of calls saying how do I do it, with just three staff. They do learn, it is how you explain it.

I agree totally that re-education is the way to go, but you can also set a standard, initial and easy-to-remember complex password and force the user to change the password on first login via the Admin UI.

One reason we don't use passwords like password123 anymore is because we are seeing attempts from hackers to login to the Zimbra web interface.

One such complex password we used to use (please don't use it!) is 2mUch!cE, which translates as "Too much ice!" which, in Maine, is pretty easy to remember. :-)

Car and Driver magazine in the '70s had a picture of a Ferrari vanity license plate of IXLR8; same idea...

A password that is easy to remember but technically "complex" to use as an initial must-be-changed password is a pretty safe way to go IMHO.

Hope that helps,
Mark

[EdMartin]

It's not a new idea, but we impose complex passwords on all our users together with mnemonic phrases that (usually) enhance their ability to remember. For example, the phrase

For Pete's sake! Why does this password have to be so complicated?

corresponds to the password

FPs!Wdtph2Bsc?

With a small number of users, it's kind of fun to come up with the phrases. Starting from scratch with a thousand or more would be a real chore though!

[bdial]

I don't know if password encryption is done by zimbra or by openldap. If it's the latter, I know you can set openldap not to encrypt passwords and to store them in plain text. Then you could just do a ldap query to retrieve the password.

This of course would not be a best practice. However, if you're using a multi server setup where the zimbra ldap server is internal only maybe even behind another firewall then it would be significantly safe.

[p24t]

Here, we assign our users passwords. They don't always like it, but I always have their password, and I'm certain that they meet the password security guidelines. It's in our policy, so it makes SOX happy enough.

[bradb21]

Quote:

Originally Posted by p24t

Here, we assign our users passwords. They don't always like it, but I always have their password, and I'm certain that they meet the password security guidelines. It's in our policy, so it makes SOX happy enough.

One person that knows every persons password hardly seems SOX compliant to me???