vb.org Archive > Community Discussions > Modification Requests/Questions (Unpaid)
#21  11-03-2001, 10:25 PM  Bald Bouncer (Join Date: Oct 2001, Location: UK, Posts: 228)

Well, I don't know about your experiences, but I often use this feature when someone has forgotten their pass in the chatroom and asks; to save messing about with emails etc., I do change the mods' passes for security and give them to them rather than have email notification, which is always open to being hacked. This is also done through the chatroom manually after checks, and it's our own chat server and secure.
This is a feature I use, and I would like to have the option to keep it, as, it seems, would many others for the same reasons.
#22  11-03-2001, 10:50 PM  thewitt (Join Date: Oct 2001, Location: Maine, Posts: 45)

I disagree that the new method of emailing a link that allows the user to get in with a new password is in any way hackable or insecure. It's very much more secure than having open, human readable passwords.

The users have a way to assign themselves a new password should they forget it, without even having to ask you for their password, so the need to breach security and give them a plain text password is not required to meet your end goal - only to meet the process you have chosen to use to hand out lost passwords.

I'm not sold. Any other reason?

-tim
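The reset-link flow thewitt describes (e-mail a link, let the user set a new password, never hand out plaintext), as an added Python example that is not vBulletin's own code; the user table, URL and one-hour expiry are constructed assumptions.

```python
import hashlib
import hmac
import secrets
import time

# Constructed stand-in for the board's user table: only an MD5 digest of the
# password is stored, as the thread describes, never the password itself.
USERS = {
    "ruth": {"email": "ruth@example.invalid",
             "password": hashlib.md5(b"old-secret").hexdigest()},
}
RESET_TOKENS = {}          # sha256(token) -> (username, expiry timestamp)
TOKEN_TTL_SECONDS = 3600   # assumption: a reset link is good for one hour


def issue_reset_link(username, now=None):
    """Return the URL to e-mail the user; only a hash of the token is kept."""
    now = time.time() if now is None else now
    if username not in USERS:
        return None
    token = secrets.token_urlsafe(32)
    RESET_TOKENS[hashlib.sha256(token.encode()).hexdigest()] = (
        username, now + TOKEN_TTL_SECONDS)
    # Hypothetical URL; the real board's script and parameter names differ.
    return "https://forum.example.invalid/reset.php?token=" + token


def redeem_reset_link(token, new_password, now=None):
    """Consume a token exactly once and, if valid, store the new digest."""
    now = time.time() if now is None else now
    key = hashlib.sha256(token.encode()).hexdigest()
    entry = RESET_TOKENS.pop(key, None)   # pop: a replayed link is rejected
    if entry is None:
        return False
    username, expires = entry
    if now > expires:
        return False
    USERS[username]["password"] = hashlib.md5(new_password.encode()).hexdigest()
    return True


def check_login(username, password):
    """Compare digests in constant time; the plaintext is never on disk."""
    stored = USERS.get(username, {}).get("password", "")
    digest = hashlib.md5(password.encode()).hexdigest()
    return hmac.compare_digest(stored, digest)
```

Because only a hash of the token is stored, a copy of the table alone does not let anyone redeem a pending link.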
#23  11-03-2001, 11:16 PM  Ruth (Join Date: Oct 2001, Posts: 171)

thewitt, I will be integrating some scripts with vB that use the user.password, and the scripts don't work with MD5. How about this reason?
#24  11-03-2001, 11:18 PM  dxb (Join Date: Oct 2001, Posts: 120)

There are many reasons for me.

1. I have a lot of users that don't use a real email address, and when they lose their passwords I keep emailing them; the process takes a lot of emailing, and you can imagine how many times I have to deal with this problem if you have a board with a large number of users.

2. is to identify the trouble makers from their passwords ... a lot of users keep using the same password or the same combination, which makes them identifiable ....

3. a lot of times whenever I do hacks ... I have to log in using some of my moderators' login names to check for troubles ... and I have over 50 moderators, and normally I don't have the time to ask them for the password and wait for the answer .... A simple example is the moderator log hack ... I had one moderator name that was not being logged ... after using his name and testing, I discovered it was because he used a custom user title.

I don't say that I can't get away without having this function, but without it my life will be a lot harder,

but I should have the option to have it or not to have it ... exactly the way it was with the older versions.
#25  11-03-2001, 11:42 PM  thewitt (Join Date: Oct 2001, Location: Maine, Posts: 45)

Quote:
Originally posted by Ruth
thewitt, I will be integrating some scripts with vB that use the user.password, and the scripts don't work with MD5. How about this reason?
Opinion here, based on serious experience, not hyperbole. These are also insecure and need to be modified to use the encrypted password.

Storing plain text passwords is perhaps the single most insecure thing that anyone can do in an application. CS101 stuff here.

Use this opportunity to bring your applications up to a higher level of security standard...

-t
#26  11-03-2001, 11:51 PM  thewitt (Join Date: Oct 2001, Location: Maine, Posts: 45)

Quote:
Originally posted by dxb
There are many reasons for me

1. I have a lot of users that don't use a real email address, and when they lose their passwords I keep emailing them; the process takes a lot of emailing, and you can imagine how many times I have to deal with this problem if you have a board with a large number of users.
This is a problem. I cannot imagine why you do this, but if you do you are right - it's a problem. I would never consider allowing registered users without a real email account. Perhaps someone else who allows this will comment.
Quote:

2. is to identify the trouble makers from their passwords ... a lot of users keep using the same password or the same combination, which makes them identifiable ....
This doesn't change. The text encrypts to the same thing - you just can't read it as words. You should still be able to pull out duplicate password strings as MD5 passwords.
Quote:

3. a lot of times whenever I do hacks ... I have to log in using some of my moderators' login names to check for troubles ... and I have over 50 moderators, and normally I don't have the time to ask them for the password and wait for the answer .... A simple example is the moderator log hack ... I had one moderator name that was not being logged ... after using his name and testing, I discovered it was because he used a custom user title.
You see, this is one of the key issues with plain text passwords. You should never be able to log in as me on your forum without my express knowledge and permission. If I want you to log in as me, I'll tell you my password.
Quote:

I don't say that I can't get away without having this function, but without it my life will be a lot harder,

but I should have the option to have it or not to have it ... exactly the way it was with the older versions.
This was not an option with the other version. Viewing the passwords was, but encrypting them was not. You now have a more secure board, and we have a more secure product. I am more comfortable using your board because I know that my password is stored in a safe manner. Life is good.

-t
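thewitt's point that shared passwords remain visible as identical MD5 digests, as an added Python example that is not vBulletin's code: grouping the constructed user table by digest finds the users sharing a password, and the salted PBKDF2 variant shows that this only works because the digest is unsalted, which is also what lets a leaked table be attacked in bulk.

```python
import hashlib
import os
from collections import defaultdict

# Constructed sample of the user table as the thread describes it: an
# unsalted MD5 digest per user, with three users sharing one password.
USERS = {
    "alice": hashlib.md5(b"letmein").hexdigest(),
    "bob":   hashlib.md5(b"letmein").hexdigest(),
    "carol": hashlib.md5(b"hunter2").hexdigest(),
    "dave":  hashlib.md5(b"letmein").hexdigest(),
}


def shared_password_groups(user_digests):
    """Usernames whose stored digests coincide; no plaintext is needed."""
    by_digest = defaultdict(list)
    for name, digest in user_digests.items():
        by_digest[digest].append(name)
    return sorted(sorted(n) for n in by_digest.values() if len(n) > 1)


def salted_digest(password, salt=None):
    """Per-user salt with a slow KDF; equal passwords no longer collide."""
    salt = os.urandom(16) if salt is None else salt
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt.hex() + "$" + digest.hex()


def resalted_table(plaintexts):
    """Rebuild a table with the salted scheme from {user: password}."""
    return {name: salted_digest(pw) for name, pw in plaintexts.items()}
```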
#27  11-04-2001, 12:28 AM  Bald Bouncer (Join Date: Oct 2001, Location: UK, Posts: 228)

Quote:
I'm not sold. Any other reason?
I wasn't aware I had to sell you on anything. You asked for reasons; I gave you a few. Now, as far as I'm concerned, that's it. I didn't really have to explain at all, but I did. My main forum has been running for over 5 years now, and we have never had a security breach and have always been very careful.
#28  11-04-2001, 01:11 AM  thewitt (Join Date: Oct 2001, Location: Maine, Posts: 45)

Quote:
Originally posted by Bald Bouncer
[clip] my main forum has been running for over 5 years now, and we have never had a security breach and have always been very careful.
As in most password exploits, you would likely never know if someone was using other people's accounts on your server because their passwords were exposed.

As for selling me, you posted here looking for support for adding a feature back into the product that is a no-no in every intelligent security resource on the planet. If you just wanted to ask Jelsoft to put it back in, you could have done so in a private email. That appears to me to be a solicitation for support, and I'm simply telling you that you don't have mine yet.

If you don't care, that's fine. I'm not put out by it, just giving you a chance to explain your reasoning for asking for what I consider to be a huge security hole in the software.

I would suggest that it will take more than a "put it back cause I don't like the change" argument to make a difference - but I've been wrong before.

Now someone could certainly write a hack that intercepts the password validation process and writes the plain-text, pre-encrypted password into another field in the database. I suspect this will be the way you'll expose the passwords in your forums in the future, and not by some reversal of design in vBulletin - but again, I've been wrong before.

If you want Jelsoft to put it back the way it was, you might also post your concerns in the vBulletin community forums and not in the hack forums. I'm not sure if that will make a difference, but I suspect that's a better place to ask Jelsoft for changes.

Good luck,

-t
#29  11-04-2001, 01:34 AM  Bald Bouncer (Join Date: Oct 2001, Location: UK, Posts: 228)

Quote:
As for selling me, you posted here looking for support for adding a feature back into the product that is a no-no in every intelligent security resource on the planet. If you just wanted to ask Jelsoft to put it back in, you could have done so in a private email.
No, if you read back, that's not what I asked for at all. I just agreed with dxb when he said he should change the request to "How to remove the password encryption from the upgrade file and have the password shown in the admin panel", and as showing passwords was a hack in the first place (I think I'm right that it was a small hack), the question couldn't be answered in the main forum.
#30  11-04-2001, 01:39 AM  thewitt (Join Date: Oct 2001, Location: Maine, Posts: 45)

Showing the passwords in the admin panel might have been a hack once, but it's been in the product proper for all the 2.n versions. I'm not sure when it was added - that is if it was not always available with the plain text versions.

-t