
Passwords visible in the admin console!

Discussion in 'Ideas' started by Christoph Maggi, Dec 1, 2017.


  1. Christoph Maggi

    Joined:
    Dec 1, 2017
    Messages:
    5
    Likes Received:
    1
    Please remove the possibility for an administrator to see a password of a user.
    No administrator should see any password of a user. This means: please remove the "make visible button" for Authentication and Web Authentication. Thank you! :)
     
  2. accentlogic

    accentlogic New Member

    Joined:
    Nov 14, 2013
    Messages:
    181
    Likes Received:
    77
    We use our own SMTP server for email on cloud setups. If we give the client Console access they can see our SMTP account credentials. We need the option to disable reveal.
     
  3. 3CXDude

    3CXDude New Member

    Joined:
    Oct 1, 2015
    Messages:
    110
    Likes Received:
    30
    Agreed, same with FTP too
     
    accentlogic likes this.
  4. Silly English Kniggit

    Joined:
    Sep 13, 2017
    Messages:
    220
    Likes Received:
    89
    We use this feature virtually daily. Please explain how admin would be able to see user password without this feature? Resetting the password is not an acceptable replacement. Consider multiple phones per extn with phones lightly / unmanaged in remote locations - changing the password to add one phone would block all the others (and probably blacklist them) until the passwords could be changed.
    I suggest what you want is a sub-admin level of access - this has already been requested in other posts.
     
    the123, PatrickS, the60 and 1 other person like this.
  5. Christoph Maggi

    Joined:
    Dec 1, 2017
    Messages:
    5
    Likes Received:
    1
    A feature?, really??????:confused:
    This is a security issue, nothing else!!!:eek:
    There is nothing to explain, no admin should ever see any password of a user. (on any system)
    And of course, resetting the password is the right way.;)
     
  6. jeroendebruijn

    Joined:
    Nov 9, 2015
    Messages:
    35
    Likes Received:
    18
    I agree with Silly English Kniggit that removing the show password function would be dreadful for integrators.
    Especially email and FTP passwords.
    • A tenant administrator can use their own Office 365, Gmail or SMTP server. And with the latest version you certainly are able to use the built-in SMTP server, if you do not want the tenant user to use their own.
    • As for backup: I do expect the VPS or host service provider to make snapshot backups. FTP backups are something I want to control myself, streaming the backup to the FTP server of my choice.
    • As for phone / SIP account passwords: I certainly need them to troubleshoot, or configure phones and other devices. Webclient passwords are debatable, but since the support calls for these will be sent to my inbox too, I can work quite a bit faster if I do not have to change the passwords because I have to log in as the user. Resetting account passwords means reprovisioning the phone, often without the RPS ability or VPN (talking about security breaches), basically meaning I have to physically drive to the client to do this.
     
    the60 and Silly English Kniggit like this.
  7. Vader the 2nd

    Joined:
    Dec 5, 2017
    Messages:
    2
    Likes Received:
    0
    KeePass just as an example?
    To show a stored password it has to be somewhere in a database with reversible encryption or even clear text. Both are not really best practices from a security perspective.
     
  8. PatrickS

    Joined:
    Sep 25, 2017
    Messages:
    22
    Likes Received:
    4
    In my humble opinion, admin should be able to see this password, as it is only used for webclient.

    It's the integrator's fault to make it the same password for other systems. Why choose the same password?
     
  9. certified1

    Joined:
    Jul 29, 2013
    Messages:
    18
    Likes Received:
    1
    I think this is the last thing 3CX should think about regarding security concerns...

    It makes a difference whether there is a password for emails or some "private" data (which shouldn't be on business devices) or whether there are passwords for phone provisioning.
     
    craigreilly likes this.
  10. craigreilly

    craigreilly Well-Known Member

    Joined:
    Feb 1, 2012
    Messages:
    3,545
    Likes Received:
    298
    This request doesn’t work for many installs.
    If implemented - it must be an option only.

    Even hiding the VM password - I can login to the OS and see the raw files.
     