password tag? ...confused

JohanSki · Sep 5, 2014

Hello,

I am reading the plesk documentation about "Tags Used in Notification Messages".

http://download1.parallels.com/Plesk/PP12/12.0/Doc/en-US/online/plesk-administrator-guide/59422.htm#

It says that one can use a <password> tag which will show the user's password ("user's password for authorization in Plesk").

How can Plesk show a password? I would assume all passwords are saved as hashes and not as plain text?

JohanSki · Sep 6, 2014

* bump *

Can someone please explain?

JohanSki · Sep 7, 2014

Well, anyone? Is Plesk storing passwords in plain text? If not, then how can it show a password? :-s

IgorG · Sep 8, 2014

I think this problem is addressed in the following KB - http://kb.odin.com/en/118772

JohanSki · Sep 8, 2014

Igor, in your link it says "For security reasons, Plesk Panel no longer sends passwords in plain text."

So... Plesk is storing passwords in plain text????!!! What is that about? You must be kidding me I hope...?
Please tell me this isn't true??!

UFHH01 · Sep 8, 2014

In former times, Plesk converted the stored hash passwords, before sending the user the defined password in PLAIN text. This was changed and therefore it says: "For security reasons, Plesk Panel no longer sends passwords in plain text."

JohanSki · Sep 8, 2014

... "Plesk converted the stored hash passwords" ...

I don't understand. A hashed password can not be converted to plain text :-s

"For security reasons, Plesk Panel no longer sends passwords in plain text."

True, I read that... it says it no longer sends them in plain text... but who says it doesn't store them in plain text?

IgorG · Sep 8, 2014

JohanSki said:
but who says it doesn't store them in plain text?

I say - latest versions of Plesk doesn't store passwords in plain text.

JohanSki · Sep 9, 2014

Thanks Igor... makes me wonder why it's noted in the Plesk 12 documentation then. Is the documentation not up to date?

Tsi-Shawn · Sep 9, 2014

You used to be able to just cat the passwords out /etc/shadow for the password that you needed. It WAS stored as plain text but it no longer is. Now when you try you get the AES hash and salt. So they are now stored as a hash. For example:

cat /etc/psa/.psa.shadow used to return the plain text password for the psa admin password. Now you get:

$AES-128-CBC3rfxxxxxxxxxxxxxxQ0Q79+SMAX7g==$OzJBeG1ZndoB7NVAtfA2Nw==

Hash has been changed of course to protect the identity of the innocent

JohanSki · Sep 10, 2014

Thanks for clarifying Tsi-Shawn!

password tag? ...confused

JohanSki

Basic Pleskian

JohanSki

Basic Pleskian

JohanSki

Basic Pleskian

IgorG

Plesk addicted!

JohanSki

Basic Pleskian

UFHH01

Guest

JohanSki

Basic Pleskian

IgorG

Plesk addicted!

JohanSki

Basic Pleskian

Tsi-Shawn

Basic Pleskian

JohanSki

Basic Pleskian

Similar threads