Storing raw passwords in mysql

  • Dear Developers,


    I realized that i-MSCP stores raw (plain text) passwords in MySQL tables (ex. mail_user, sql_user).
    This is very dangerous security risk. Why do not use encryption in 2016?
    The old ispCP encrypted in SQL passwords in sql_user tables, so method is working. What's the problem?
    Dovecot able to use sha256, sha512 encrypt too.
    I can't understand...Why don't use encryption?

  • Hello,


    Many passwords are stored as plain (ftp, sql) to allow auto-login feature. We know that this is bad and this issue will be addressed in 1.4.x Serie.However, note that access to imscp table is restricted to root and Master i-MSCP user. If someone can access the imscp database, this mean that the sql root password and/or Master i-MSCP SQL user is compromissed.

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • I can't understand...Why don't use encryption?


    The thing you mean is called a key derivation function (KDF )and usually has nothing to do with encryption.



    If someone can access the imscp database, this mean that the sql root password and/or Master i-MSCP SQL user is compromissed.

    The problem with plain text password is, that most people don't do one of the following things


    • Reuse passwords in different occasions
    • Change passwords regularly
    • Tell your customers that you have been hacked
    • Know when your server has been hacked
    • Keep important files where noone can access them


    IMHO this issue should really be adressed in the not too distant future.

  • Many passwords are stored as plain (ftp, sql) to allow auto-login feature.


    Is it certainly necessary? OK, phpmyadmin autologin is useful, but I think i is not neccessarry for mail and ftp.
    Phpmyadmin autlogin worked in old ispcp omega whithout plan passwords (maybe with KDF) . Why have you chosen another way?



    The thing you mean is called a key derivation function (KDF )and usually has nothing to do with encryption.


    So-so. I think, KDF need to Phpmyadmin autologin, but mail passwords should be full encryption, ex. SHA256/SHA512. Dovecot works perfectly with SHA512,and Courier with classic crypt.

  • Phpmyadmin autlogin worked in old ispcp omega whithout plan passwords (maybe with KDF)

    I was one of the main developers of ispCP. In ispCP the SQL user passwords were encrypted using Blowfish algorithm in CBC mode. Thus, it was possible to decrypt the passwords at run-time for use in auto-login feature but the problem was that if the keys for decrypting the passwords were compromised, lost or regenerated (for any reasons), the passwords were to be updated.. In a shared hosting environment, that is not a viable solution. Asking all customers to update their passwords is something crazy.


    Anyway, there is no need to debate here. The passwords will be all encrypted hashed in next i-MSCP Serie (auto-login will be removed or implemented using another method). We cannot do that in current serie because too much changes are involved in core.


    Thank you for your understanding.



    Note: Below, you can see a part of code that was used for auto-login feature (pma) in ispCP:


    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • So-so. I think, KDF need to Phpmyadmin autologin, but mail passwords should be full encryption, ex. SHA256/SHA512. Dovecot works perfectly with SHA512,and Courier with classic crypt.


    All algorithms you mentioned are key derivation functions. Some are based on hash functions (SHA256, SHA512), crypt is based on DES. The thing they have in common is, that reversing is computationally expensive. Decryption is usually quite inexpensive, when you have the key.


    Anyway, there is no need to debate here. The passwords will be all encrypted in next i-MSCP Serie (auto-login will be removed or implemented using another method). We cannot do that in current serie because too much changes are involved in core.


    Encrypted or hashed?

  • @f4Nm1Z9k2P



    Encrypted or hashed?


    Sorry for confusion, I meant hashed using sha512 or bcrypt. Generally speaking you cannot decrypt password hashes. In ispCP, passwords for SQL users were encrypted. But in i-MSCP serie 1.4.x, they will be hashed. Thus, I'll see how we can implement auto-login feature (if we can).


    Does this answer fit your disagreement on language abuse? :P

    badge.php?id=1239063037&bid=2518&key=1747635596&format=png&z=547451206

  • Just one question:
    If I move to another server, is i-mscp able to recreate all logins again after a database restore if everything is hashed/crypted?