Plain text passwords

Discussion in '3CX Phone System - General' started by asmith3006, Dec 15, 2014.

Thread Status:
Not open for further replies.
  1. asmith3006

    Joined:
    Mar 5, 2014
    Messages:
    94
    Likes Received:
    5
    I've just looked through the backup from my 3CX system and found that my web admin password is in there in plain text!

    This means my password is stored in the system in plain text? Why is this?

    At a minimum I expected it to be hashed, ideally salted and hashed.

    Is there somewhere this can be reported as an issue?
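For readers who want to see what "salted and hashed" storage of an admin password looks like in practice, here is an added example; it is not code from this thread and not 3CX's own implementation, and the PBKDF2 work factor, salt size and the `algorithm$iterations$salt$digest` record layout are assumptions chosen for illustration. The constructed "backup line" at the end shows the difference that matters in this thread: a hashed record exported into a backup does not reveal the password, while a plain-text one does.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# Work factor and salt size are assumptions chosen for this example, not 3CX settings.
ITERATIONS = 200_000
SALT_BYTES = 16
ALGORITHM = "pbkdf2_sha256"


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Derive a salted hash and return a self-describing record.

    Record layout (assumed format): algorithm$iterations$salt_b64$digest_b64.
    Keeping the parameters beside the digest lets the work factor be raised
    later without invalidating records that already exist.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh random salt per password
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return "$".join([
        ALGORITHM,
        str(iterations),
        base64.b64encode(salt).decode("ascii"),
        base64.b64encode(digest).decode("ascii"),
    ])


def verify_password(password: str, record: str) -> bool:
    """Re-derive the digest with the stored salt/iterations; compare in constant time."""
    try:
        algorithm, iterations, salt_b64, digest_b64 = record.split("$")
    except ValueError:
        return False  # malformed record
    if algorithm != ALGORITHM:
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(digest_b64)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


def backup_line(username: str, stored_value: str) -> str:
    """One constructed line of a hypothetical config/backup export (key=value)."""
    return f"{username}={stored_value}"


def password_leaks_from_backup(password: str, line: str) -> bool:
    """True if the secret itself, not merely its hash, appears in the exported line."""
    return password in line


if __name__ == "__main__":
    admin_pw = "Example-Admin-Pass-2014"  # constructed sample, not a real credential
    plain = backup_line("admin", admin_pw)
    hashed = backup_line("admin", hash_password(admin_pw))
    print("plain-text export :", plain)
    print("salted-hash export:", hashed)
    print("leaks password?   :", password_leaks_from_backup(admin_pw, plain),
          password_leaks_from_backup(admin_pw, hashed))
    stored = hashed.split("=", 1)[1]
    print("verify correct    :", verify_password(admin_pw, stored))
    print("verify wrong      :", verify_password("guess", stored))
```

Two points the code makes that the thread only implies: because each record carries its own random salt, two administrators with the same password produce different records, so a leaked backup cannot be matched against a precomputed table; and recovering a forgotten password from such a backup (the convenience leejor describes below) is no longer possible, which is exactly the property the original poster is asking for.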
     
  2. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,362
    Likes Received:
    227
    The fact that you can recover the password, in a backup, has helped more than a few users out of a situation where it was forgotten.

    The thinking behind leaving it visible is probably that you should be keeping the backups in a location that is not accessible by anyone but the system administrator.


    Personally, I do duplicate back-ups to USB drives stored on a network device that nothing else on the network has access to. You could also do a backup (or two) to a USB device, then remove it and store it in a safe location.

    If your backups are currently saved in a location that allows "general" system users access, then you might want to re-think that.
     
  3. Bunce

    Joined:
    Sep 19, 2012
    Messages:
    19
    Likes Received:
    0
    No offence, but the method that passwords are stored in a system is completely irrelevant to, and independent of, the backup system used.

    If you want to talk procedure, then any organisation worth an inch would be saving passwords in a password management system independent of the phone system, with defined recovery procedures, and so that argument is flawed.

    Quite simply - this is something that should have been rectified in a Version 1 product, let alone V-12.

    Auditors would have a field day, and if 3CX wants to continue to expand and be taken seriously in corporate/government circles then this would be one thing I would be focusing on.
     
  4. leejor

    leejor Well-Known Member

    Joined:
    Jan 22, 2008
    Messages:
    10,362
    Likes Received:
    227
    In a perfect world I would agree with you, and many large installations probably already do as you suggest. However, 3CX installations vary in size and complexity (along with support) from home use, through small businesses and up, and unfortunately, not all store passwords, let alone do regular backups, in a, shall we say, organized manner. They are free, however, to encrypt a backup in any manner they choose, if there is a concern.

    I do agree that a business with high security expectations should, perhaps, be able to choose a 3CX version/option that does encrypt a backup, including passwords, but I would suggest that this should remain an option for those that choose not to use it.

    You might want to suggest this feature in... http://www.3cx.com/ideas/index.php

    Or browse through, and see if it has already been suggested.
     