vpopmail shocker

1086585283000

Today I had a real shock when I discovered that my 'out of the box' installation of vpopmail keeps passwords in the clear. I had been using this setup for quite some time without giving it a thought. Today, for another reason, I wanted to play around with a .qmail file, and seeing the vpasswd file in the same folder, curiosity got the better of me and I just wanted to see what it looked like.

I was expecting the vpasswd file to be similar to the /etc/passwd file. In the /etc/passwd file the password is stored after one-way hashing it. That means even the superuser cannot read it. In the case of vpasswd, I found the format does look somewhat like the /etc/passwd file, except for the fact that the last column contains the password in the clear.

Now to figure out a better way of saving passwords.
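An added example, not part of the original post or of vpopmail itself: a small Python audit that reports which accounts in a vpasswd file carry a populated clear-text column, without ever printing the password. It assumes seven passwd-style fields followed by the clear-text column; the sample entries, paths and domain are constructed.

```python
import io
import sys

# Assumption: seven passwd-style fields, then an eighth clear-text column.
PASSWD_FIELDS = 7

# Constructed sample entries; not taken from any real system.
SAMPLE_VPASSWD = """\
alice:$1$Qx3b9dLk$constructedhash000:1:0:Alice:/home/vpopmail/domains/example.test/alice:NOQUOTA:hunter2
bob:$1$Zt7pW2aa$constructedhash111:1:0:Bob:/home/vpopmail/domains/example.test/bob:NOQUOTA:
carol:$1$Mn5rT8cc$constructedhash222:1:0:Carol:/home/vpopmail/domains/example.test/carol:NOQUOTA
dave:$1$Kk2yU6dd$constructedhash333:1:0:Dave:/home/vpopmail/domains/example.test/dave:NOQUOTA:pa:ss
not-a-valid-entry
"""


def audit_vpasswd(stream):
    """Return (exposed, clean, malformed).

    exposed/clean are lists of account names; malformed is a list of line
    numbers. The clear-text value is only tested for emptiness and is never
    returned, logged or printed.
    """
    exposed, clean, malformed = [], [], []
    for lineno, raw in enumerate(stream, 1):
        line = raw.rstrip("\r\n")
        if not line.strip():
            continue
        # maxsplit keeps a password that itself contains ':' in one piece.
        parts = line.split(":", PASSWD_FIELDS)
        if len(parts) < PASSWD_FIELDS or not parts[0]:
            malformed.append(lineno)
            continue
        clear = parts[PASSWD_FIELDS] if len(parts) > PASSWD_FIELDS else ""
        (exposed if clear else clean).append(parts[0])
    return exposed, clean, malformed


if __name__ == "__main__":
    # Pass a vpasswd path as the first argument, or run on the sample.
    if len(sys.argv) > 1:
        src = open(sys.argv[1], encoding="utf-8", errors="replace")
    else:
        src = io.StringIO(SAMPLE_VPASSWD)
    with src:
        exposed, clean, malformed = audit_vpasswd(src)
    print(f"clear-text password stored: {len(exposed)} account(s): {exposed}")
    print(f"no clear-text column:       {len(clean)} account(s): {clean}")
    print(f"unparseable lines:          {malformed}")
```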
