Password management - another Plesk annoyance!

[madsere]

Firefox can normally save login/passwords and other form information for websites but with Plesk it seems unable.

Why is that?

How can it be fixed?

 

[Cranky]

I prefer it, it's more secure.

 

[madsere]

Excuse me but why do you get the idea this is more secure on a PC in a home office, with applied passwords and master password, why should it be less secure than writing down admin passwords on a piece of paper next to the PC - which is what most people do when they can't let the browser store the value.

Mozilla firefox, probably MSIE too, offers the option of storing passwords for those who prefer.

We are grown people, sysadmins who know what we are doing.

Why must Swsoft again assume we need them to babysit us?

At least make it optional!
.

 

[Cranky]

Originally posted by madsere
Excuse me but why do you get the idea this is more secure on a PC in a home office, with applied passwords and master password, why should it be less secure than writing down admin passwords on a piece of paper next to the PC

Because for many Plesk providers the typical customer won't be technically minded so there's a good chance their PC's are vulnerable. I've not seen or heard of hackers which can read a piece of paper near a vulnerable PC yet.

You and I may not need baby-sitting, but I know some of my clients benefit from this and would prefer their sites to be more secure than save them ~10 seconds to re-enter a password.

Optional perhaps, but it's hardly a critical feature is it?

 

[madsere]

Critical - I think it is. I manage a large number of servers, both Ensim, Cpanel and Plesk and it is p***annoying that I have to dig up paper with passwords every time I go to manage one of the Plesk servers.

I just don't like babysitter software, similarly with Plesk's forms that DEMAND that you to add things like address and telephone numbers for clients. An annoyance!

 

[acidbox]

I like the fact that plesk disables the ability to save usernames. It is a good security feature.

 

[Galactic Zero]

Use opera, or get a good password manager. Either will be useful in managing your passwords for different sites. I personally don't use IE's save passwords feature do to the many holes in IE.

I'm also a IT services provider besides a web host company and network security is one of my top issues with folks. Don't use common names etc.. Use hardened passwords 7 characters min, upper and lower case, numbers and special characters, use 3 of those 4 and your passwords will be more secure, then if you have a ton of sites that you manage, set your password manager to save your id's and pw's which also encrypts them and you have to log in to the manager which makes it even more secure..

Sorry if that sounds like a pain to you, but if one of your servers is hacked because your passwords aren't strong enough or your system gets compromised I think a little inconvenience is better than the headaches and heartbreaks of a server DOA for a few days.

 

[madsere]

I don't know how you got the impression I use MSIE. I use Firefox and I think Opera use the same password storage method and will have the same problems. , I only explained that also MSIE had the problem to not get brushed off on that account.

As for password quality, I of course fully agree, which is one reason why being able to store the password in the browser make sense.

Firefox password manager can be configured to require a master password.

 

[Galactic Zero]

Just was using IE as one example. Any browser can be hacked and has flaws in it. There was a recent patch for FireFox and opera. Just saying that those tools are not as secure as one would think. Therefore using a separate pw manager similar to Norton's Password Manager would be the preferred method of keeping track of passwords, not as convenient as the browser versions just safer.

 

[Cranky]

I still stand by my comments that Plesk should prevent the ability to save passwords - there are too many inexperienced users out there who would save without knowing the risks. As an option then maybe it's fine, but I think there are far more important features than this which should be introduced first.

 

[madsere]

Actually I strongly disagree.

Cpanel and Ensim both don't make such trickery to stop a generally understood feature from working. I don't see why SWsoft feels they need to babysit their users.

AFAIK there are no indications of this being a problem with Cpanel and Ensim.

Are you saying Plesk users more stupid than Ensim and Cpanel users?

 

[Cranky]

Originally posted by madsere
Are you saying Plesk users more stupid than Ensim and Cpanel users?

No, I'm not saying anything about the intelligence of users, more that this is another area where Plesk prevails. I don't know much of Ensim's login system, but I know CPanel still uses basic .htaccess password protection - I mean come on that's just stupid (yes, I know there's also an alternative but this was the default last I checked). SWsoft won't remove this feature in the near future, and I suspect it will be here for the long-term.

 

[madsere]

Why do you think Cpanel use .htaccess for ACL? Where have you got that from? Are you sure you're not just trying to change subject?

(It is of course possible to add .htaccess ACL but it's not the main ACL)

 

[Cranky]

I didn't mean .htaccess, I meant HTTP Authentication, different user list maybe, but same login mechanism and just as insecure.

I'm not going to argue, I've expressed my opinion and I think it's extremely unlikely that you will see the feature in Plesk for at least the next 12 months.

 

[madsere]

I realize it is getting a futile discussion, I just want to make my point that since Cpanel, Ensim and other CP's has no more safety problems caused by this than Plesk perhaps SWsoft should consider at least making it optional.

That is all, I rest my case. :shrug:

 

[Martin Ottiger]

Solved

Hi all

Change line 131 to say:
inputs.setAttribute('autocomplete', 'on');
in file:
/usr/local/psa/admin/htdocs/javascript/common.js

That fixes this annoyance

 

[fr0z3nk0]

thanx martin you just made my day !

 

[madsere]

The only problem is next time they update this file you need to reapply the hack. Dealing with dozens of Plesk installations that quickly becomes tedious.

Anyway with the current Plesk 10 nightmare this is now the least of my problems with Plesk.

 

[fr0z3nk0]

I think i just got overexcited. It doesn't seem to be storing username in password manager (only the password) so my autologin doesn't work
Any ideas ?

 

[ShaneG]

Change line 131 to say:
inputs.setAttribute('autocomplete', 'on');
in file:
/usr/local/psa/admin/htdocs/javascript/common.js

Does this not work for Plesk 10.3.1?

I've made the change and restarted the Panel and Apache, but the change isn't taking effect.

Thanks,
Shane.