
password tag? ...confused

Well, anyone? Is Plesk storing passwords in plain text? If not, then how can it show a password? :-s
 
Igor, in your link it says "For security reasons, Plesk Panel no longer sends passwords in plain text."

So... Plesk is storing passwords in plain text????!!! What is that about? You must be kidding me I hope...?
Please tell me this isn't true??!
 
In former times, Plesk converted the stored hash passwords, before sending the user the defined password in PLAIN text. This was changed and therefore it says: "For security reasons, Plesk Panel no longer sends passwords in plain text."
 
... "Plesk converted the stored hash passwords" ...

I don't understand. A hashed password cannot be converted to plain text :-s

"For security reasons, Plesk Panel no longer sends passwords in plain text."

True, I read that... it says it no longer sends them in plain text... but who says it doesn't store them in plain text? :(
 
Thanks Igor... makes me wonder why it's noted in the Plesk 12 documentation then. Is the documentation not up to date?
 
You used to be able to just cat the passwords out of /etc/shadow for the password that you needed. It WAS stored as plain text but it no longer is. Now when you try you get the AES hash and salt. So they are now stored as a hash. For example:

cat /etc/psa/.psa.shadow used to return the plain text password for the psa admin password. Now you get:

$AES-128-CBC3rfxxxxxxxxxxxxxxQ0Q79+SMAX7g==$OzJBeG1ZndoB7NVAtfA2Nw==

Hash has been changed of course to protect the identity of the innocent :)
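
The distinction this thread turns on, as an added example that is not part of any post or of Plesk's own code: AES-128-CBC is a cipher, so a stored value carrying that tag can be decrypted by whoever holds the key, while crypt-style hashes cannot be reversed. The `$AES-128-CBC$<IV>$<ciphertext>` field layout and every sample value below are assumptions constructed for illustration.

```python
import base64
import binascii

# Well-known crypt(3)-style identifiers for one-way password hashes.
ONE_WAY = {"1": "md5-crypt", "5": "sha256-crypt", "6": "sha512-crypt",
           "2a": "bcrypt", "2b": "bcrypt", "2y": "bcrypt"}

def _b64(field):
    """Strictly decode one base64 field; return None if it is not base64."""
    try:
        return base64.b64decode(field, validate=True)
    except (binascii.Error, ValueError):
        return None

def classify(stored):
    """Return (kind, detail); kind is one of
    'plaintext', 'one-way', 'reversible', 'malformed', 'unknown'."""
    if not stored.startswith("$"):
        return ("plaintext", "no scheme tag; the value is usable as-is")
    parts = stored.split("$")[1:]  # drop the empty field before the first '$'
    scheme = parts[0]
    if scheme in ONE_WAY:
        return ("one-way", ONE_WAY[scheme])
    if scheme.startswith("AES-") and scheme.endswith("-CBC"):
        # Assumed layout: $AES-128-CBC$<base64 IV>$<base64 ciphertext>
        if len(parts) != 3:
            return ("malformed", "expected exactly an IV and a ciphertext field")
        iv, ct = _b64(parts[1]), _b64(parts[2])
        if iv is None or ct is None:
            return ("malformed", "a field is not valid base64")
        if len(iv) != 16 or not ct or len(ct) % 16:
            return ("malformed", "lengths do not fit the 16-byte AES block")
        return ("reversible", scheme + ": recoverable by anyone holding the key")
    return ("unknown", "unrecognised scheme tag " + repr(scheme))

# Constructed sample values (all-zero IV and ciphertext, made-up hash fields).
_IV = base64.b64encode(bytes(16)).decode()
_CT = base64.b64encode(bytes(32)).decode()
SAMPLES = [
    "$AES-128-CBC$" + _IV + "$" + _CT,
    "$6$constructedsalt$constructedhashfield",
    "constructed-plaintext-value",
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(classify(s), "<-", s)
```

A "reversible" result means the protection of every stored password rests on how the encryption key is stored and who can read it.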
 