SmarterMail 15.0 Professional - Can't View User Passwords
Question asked by Doreen Jones - April 14, 2016 at 2:48 PM
Answered
I just got 15.0 and can't view my user passwords. Something about being in Authentication Mode, whatever that is. I have clients who routinely forget their passwords. I'm in the process of setting up password retrieval on my system. But meantime, did I lose the ability to see a user password?

9 Replies

Andrea Rogers Replied
April 15, 2016 at 8:23 AM
Employee Post
Hi Doreen,
 
In version 15.x, the ability for a System Administrator to view a user's password has been removed. It has been replaced with the ability to create a temporary password to access the account. Please see this thread for more information: http://portal.smartertools.com/community/a87728/show-password-in-15_x.aspx
 
Thank you,
Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Gerry Dubois Replied
July 3, 2016 at 4:06 AM
It sucks !
Matt Petty Replied
July 14, 2016 at 9:40 AM
Employee Post
Our next update will reintroduce this to the interface. Our next update should be soon.
 
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
Andrea Rogers Replied
July 15, 2016 at 8:40 AM
Employee Post
With today's minor of 15.x (15.2.6039) the Show Password option is back, albeit temporarily.

As per the release notes, it's a setting in the mailConfig.xml file. By default, the Show Password option is disabled (set to False), but you can simply edit the XML and change the field to True to have it displayed again. You'll want to edit the <allowViewingOfPasswords></allowViewingOfPasswords> row to activate the option. (Stop the SmarterMail service before editing system files.)

In case you upgrade but don't see the <allowViewingOfPasswords> field in the mailConfig.xml, close the file and log in to SmarterMail as a System Admin. Go to any Settings page in SmarterMail and simply save the page. This will write out a new mailConfig.xml file that will include the new field.

Thanks,

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
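An added audit check, not SmarterTools' code and not the real mailConfig.xml layout: it parses a constructed fragment in which only the <allowViewingOfPasswords> element name and its True/False values come from this thread (the <mailConfig> root element is assumed), and flags a server where the option has been switched back on or where the field is absent after an upgrade.

```python
from typing import Optional
import xml.etree.ElementTree as ET

# Constructed samples for illustration. Only the <allowViewingOfPasswords>
# element and its True/False values are taken from the thread; the root
# element name is an assumption, not SmarterMail's documented schema.
SAMPLE_WEAK = """<?xml version="1.0"?>
<mailConfig>
  <allowViewingOfPasswords>True</allowViewingOfPasswords>
</mailConfig>"""

SAMPLE_HARDENED = """<?xml version="1.0"?>
<mailConfig>
  <allowViewingOfPasswords>False</allowViewingOfPasswords>
</mailConfig>"""

# A freshly upgraded install may not have the field at all yet.
SAMPLE_MISSING = """<?xml version="1.0"?>
<mailConfig>
</mailConfig>"""


def password_viewing_enabled(xml_text: str) -> Optional[bool]:
    """Return True if admins can view user passwords, False if the option is
    disabled, or None when the field is not present in the file."""
    root = ET.fromstring(xml_text)
    node = root.find(".//allowViewingOfPasswords")
    if node is None or node.text is None:
        return None
    # SmarterMail writes True/False; compare case-insensitively to be safe.
    return node.text.strip().lower() == "true"


def audit(xml_text: str) -> str:
    """Produce a one-line finding suitable for a compliance checklist."""
    state = password_viewing_enabled(xml_text)
    if state is None:
        return "INFO: allowViewingOfPasswords absent; default is disabled"
    if state:
        return "FAIL: allowViewingOfPasswords is True; admins can view passwords"
    return "PASS: allowViewingOfPasswords is False"


if __name__ == "__main__":
    for name, sample in [("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED),
                         ("missing", SAMPLE_MISSING)]:
        print(f"{name}: {audit(sample)}")
```

Point the same function at a real mailConfig.xml read from disk to confirm the setting after each upgrade, since the thread notes that the file is rewritten when settings are saved.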
Bruce Barnes Replied
July 15, 2016 at 9:43 AM
SmarterMail caved: anyone enabling this feature violates HIPAA / HITECH and credit card security on their SmarterMail server. Want truly secure hosting? We make ZERO exceptions
Bruce Barnes
ChicagoNetTech Inc

Phone: (224) 444-0169

E-Mail and DNS Security Specialist
Network Security Specialist

Customer Service Portal: https://portal.chicagonettech.com
Website: https://www.ChicagoNetTech.com
Security Blog: http://networkbastion.blogspot.com/

Web and E-Mail Hosting, E-Mail Security and Consulting
Scarab Replied
July 15, 2016 at 2:56 PM
I was okay with the Password Recovery options and not being able to view Passwords at all, but I was working under the assumption that was because Passwords in v15 were Salted & Hashed in accordance with Industry Standards and were not reversible.
 
Obfuscation through Obscurity is not really Security. As long as they could be recovered through third-party Apps using the API means it didn't really matter that they were hidden from System Admins or Domain Admins, as they were still recoverable in some form, and not really in compliance.
 
So, I for one, am at the same place I was before and after the change. I know that many people are happy about being able to set their Smartermail installation to allow Passwords to be revealed, but I would much rather have it to where Passwords couldn't be revealed by either Smartermail or through a third-party App using the API, where they were properly Salted & Hashed, and truly secure.
pjeski Replied
July 16, 2016 at 11:12 AM
HIPAA doesn't apply to most people.
Bruce Barnes Replied
July 16, 2016 at 3:21 PM
More than anyone might think! Just because you don't originate a message doesn't mean it does not need to be HIPAA / HITECH / SARBANES OXLEY compliant if it so much as passes through a domain hosted on your server. Enforced TLS, DMARC, secure passwords, and the removal of the ability to prevent non-TLS, non-encrypted data connections help us prevent such non-compliant traffic from using our SmarterMail servers.
Bruce Barnes Replied
July 17, 2016 at 5:47 PM
Linda; Merely having the feature capable of being enabled causes any SmarterMail server to fail HIPAA / HITECH, SARBANES OXLEY, and credit card compliance audits. They also want the ability to reverse engineer encrypted passwords disabled, and all data encrypted, both in transit and at rest, with read-only logs stored for a minimum of 60 months. We must also know WHERE the data is stored at all times. We have several HIPAA / HITECH compliant accounts and have to regularly (at least annually) meet with them to show compliance. Everyone is, whether directly or indirectly, responsible for being compliant, even if we don't directly host or originate compliance-required data.