Showing User Passwords in SM16
Question asked by John Archer - May 30, 2017 at 5:04 AM
Answered
I just upgraded to SM 16. Found where to activate the Show User Passwords option and enabled it.
Now I don't see the option to display the current User Account Password. Where would I find it?

34 Replies

Reply to Thread
0
Andrea Rogers Replied
Employee Post Marked As Answer
Hi John! 
 
The ability to view a user's password is still available in version 16.x. Follow these steps to enable the Show Password functionality in 16.x: 
 
  1. On the server where SmarterMail is installed, navigate to Administrative Tools > Services and Stop the SmarterMail Service. 
  2. As an Administrator, edit the mailConfig.xml file. (As always, make a backup copy first.)
  3. Find the line: <allowViewingOfPasswords>False</allowViewingOfPasswords>
  4. Change this value to True. 
  5. Save the file, ensuring it overwrites the mailConfig.xml file found in the Service folder. 
  6. In the Services window, Start the SmarterMail Service. 
 
After that's been done, log into the SmarterMail interface as a System Administrator and complete the following:
 
  1. Click on the Settings icon and then General Settings. Save a change to any setting in this area. (You can simply toggle a setting off, Save, then toggle it back on and Save again.)
  2. Click on the Manage icon and Manage a domain to impersonate the Domain Admin. 
  3. In the Accounts section, open a user's configuration options. 
  4. On the Account card, you should now find a blue Show Password button. 
 
 
Keep in mind that it's important that the SmarterMail service is stopped before making the change to the mailConfig.xml file and you must save a setting in the System Admin settings in order for this option to appear. Without doing those two things, you may not see the Show Password option, even after changing the value to True.
 
Let me know if you have any questions or trouble! 
 
[EDITED: to remove mention of removing Show Passwords in SmarterMail 17.x]

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

5
John Archer Replied
All is working now thanks.
It is unfortunate that the password option will no longer exist.
My users do not know their passwords on an average since they use Outlook
and not the Web interface which makes for some serious problems w/o the password option.
 
I guess I will need to start looking for a replacement by the time I need to go to release 17.x
3
Stojan Cergol Replied
I need for my costumers this function to be enabled.
I also need to start looking for a replacement if you disable in v17.
2
Damir Matešić Replied
I will also need to find another solution if you remove this option :(
0
Ronald Raley Replied
It will be difficult to find a robust solution like SmarterMail that allows you to see everyone's password. Displaying passwords is becoming a thing of the past.
0
Paul Blank Replied
Not really a great excuse. It should remain optional.
3
Jason Cross Replied
I won't go so far as to say I will definitely switch if this option goes away, but it will certainly make my life much more difficult.  Most of my customers host with me BECAUSE I can do things like look up their passwords and help with things like that.
1
Ok I realize the stance ST is taking with this approach for better security, etc. I applaud that, but in my case and prior comments in this thread are that users will forget their password. It's a given and it's going to happen. The biggest issue we deal with on the support side is when a user gets a new phone or a tablet, they need their password because they forgot it. So if we no longer have the ability to even enable this feature if we want it, then resetting a password for a user means we will have to set that new password up on numerous devices (phone, tablet, computer, etc.). So a 2 minute call now takes 5-10 times longer than it should. I get at least 10 calls a week for users that bought a new phone, computer, etc. and they need to know what their password is.
 
As a server administrator, our company only gives server admin access to a limited amount of people in our office. So why not either (A) give us the option like what v16 has, or (B) some utility we can run on the local server to get a password list for a given user or a full list.
 
Just my 2 cents for what it's worth.
1
Paul Blank Replied
As stated before, I hate the idea of not being able to see passwords. However, the "quick fix" here is to NOT allow users to change their passwords, and for the email admin to keep a list of all passwords in (hopefully) a secure, protected file/location. In the long run, this will have the same result, but, of course, is quite a security risk in itself. And it certainly removes any potential liability on the part of ST. I have clients right now with corporate gmail, who either keep such a list or request that I do(!).
 
All that said, the UI in v17 will be a much bigger issue, especially if support is ended for v15.
0
Paul Blank Replied
See my response below. "Just" keep a list. Imperfect (as is the idea itself of viewing passwords in the first place), but there you are.
0
Jason Cross Replied
I don't really see that as a quick fix. With hundreds of users, some of whom change their own passwords, some of whom don't, a list isn't practical. I view the mail server as a "protected location".
0
Jason Cross Replied
It would really be less of an issue if there was the ability to set a new permanent password on the user easily.  As it stands now, if someone forgets their password and wants me to set a new one, I have to login as admin, set a temporary password, copy it, log out as admin, log in as them with the temporary password, go to change password, enter the temporary password again and enter the new permanent password twice.  This is especially annoying from a phone or tablet.
0
Paul Blank Replied
Right. You would have to restrict the ability for them to change their password. Sorry to say, it's nowhere near perfect.
0
Paul Blank Replied
Right. Can you not restrict their ability to change the password in the first place?
0
Andrea Rogers Replied
Employee Post
Hi Jason. An easier method of applying a new password to a user's account is to log in as the Domain Admin (or Manage / Impersonate the Domain Admin) and head to the user's mailbox configuration. You can change the user's password without knowing the current password being used. In 16.x, click the Actions (...) button > Change Password. In 15.x, you would just enter the new account password in the New Password / Confirm Password fields. Then Save.

Also, Paul, you CAN prevent users from changing their account password. This can be done per user or globally. In both 15.x and 16.x, this setting is available in the User Defaults templates, which can be accesed by System or Domain Admin. You can enable "Disable password changes" on the default template for new users, propagate it to existing users, or apply it to individual users as needed.

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

0
Paul Blank Replied
Thanks, Andrea! Nice that, as before, you can apply it to individual users.
0
This line is not listed in the .xml file that you have suggested. any thoughts?
0
The line in the .XML file named here above doesn't exist. What now? was this removed from 16 already?
0
Matt Petty Replied
Employee Post
No, it needs to be added, unlike other variables in the XML it is not automatically generated.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Thank you for the answer, is there anywhere specific it should be added or can it go down under the last active line?
0
Matt Petty Replied
Employee Post
As long as it's below the <MailConfig> line and above the </MailConfig> it is fine.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Well, idk if its me, but I copied/pasted the line at the bottom between the 2 lines of code, Changed False to True, logged in as the admin, made the change and saved, changed it back so I didn't forget, and still no blue box in the user accounts. Any other ideas are appreciated. Thanks again.
0
Matt Petty Replied
Employee Post
You turned off the service, made the change, then turned the service back on correct?
Any changes made to the XML while the service is running is likely not to be read in and will be overwritten once something changes.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Robert Emmett Replied
Employee Post
Ray, if the <allowViewingOfPasswords> element is missing from the mailConfig.xml file, you can simply add it and set the value to False or True appropriately. You will need to stop the mail service before modifying the file and restart it after saving the changes to it. If the line is missing, internally the server treats it as default False: viewing of passwords is disabled.
Robert Emmett
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
I agree. If every time a user forgets their password, I have to change it for them in Outlook or whatever program on their desktops, laptops, phones, tablets, and other devices, I will no longer be using SmarterMail because they would just be a DumbMail problem for me.
comnet
1
nickban Replied
VERY, VERY disappointed with this feature getting removed!!! Please reconsider!! I use this for a small 4-person company and a couple personal sites. This was a great feature I used, if you won't allow this any more I will need try to manage a changeable password list and this is less safe!!
0
nickban Replied
What do I do if the recover email for a user is obsolete/lost and unusable? This happens to users, you know... what do I tell them I need to delete their account, destroy all emails and recreate it?
0
Matt Petty Replied
Employee Post
You can impersonate their account, give them a new recovery email, and then have them recover using a working email. Is one potential alternative...
You can also impersonate their account and set them a password, if you're using 16, you can assign them a simple password and check "Force this user to change their password upon login". This is another alternative.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Matthew Leyda Replied
Matt
Can you explain how "Impersonate User" by the admin who cant be trusted is less of a security breach? If you don't want to allow us to see passwords you should take out the admins ability to "Impersonate users", "Change password"
Kendra Support
http://www.kendra.com
support@kendra.com
425-397-7911
Junk Email filtered ISP
0
Matt Petty Replied
Employee Post
It's not necessarily the access to the account I care about, it's the password I use. Many people (including me for some cases) use the same password for the same services. When I signup for a service, I can expect anything relating to that service can be accessed by the people who operate the service. Password is one of those things I consider to be mine, I would prefer no one see it under any condition. This isn't really about being able to access someone's emails and such, because even without impersonation could be done through file system access among other mechanisms. It's about protecting the user's password.

This is just my opinion on the matter though.
Matt Petty
Software Developer
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Nick Jansen Replied
Any security issues of being able to view existing passwords/storing password data in a reversible format aside, you *can* still recover existing passwords if they're saved in Outlook if you really need to. Outlook, even in the latest version 2016 - 1711, keeps the actual saved password in the password field (File -> Account Settings -> Account Settings -> Change). You can unhide the password there with one of the many utilities online that reveal the contents behind the asterisks of password fields. This of course assumes you have the ability to actually use the person's computer though.
3
Ng Cher Choon Replied
SM16 was selected to replace our current MailEnable because we can help our customers with their password. We look forward that in SM17. It will be a serious factor for us moving forward. We hope SM will reconsider removing this feature.
3
Paul Blank Replied
Completely agreed, Ng. But other factors at ST are forcing my clients off of SmarterMail, so it will probably be a moot point, going forward.
 
2
Andrea Rogers Replied
Employee Post
Hi everyone,
 
After many discussions related to this functionality, here's where we're at: In SmarterMail 17.x, which is currently in BETA, the Show Password feature is available by default. The primary Administrator account will have access to view all user passwords. All secondary Administrator accounts can have this functionality enabled or disabled using the administrator's account setting, "Allow show passwords while impersonating". In addition, each domain configuration now contains a new setting on the Features card for "Show Passwords to Domain Admins". When enabled, all domain admin accounts on that domain can view user passwords. We hope this new domain setting helps to offset some of the system admin workload to domain admins. 
 

Andrea Rogers
Communications Specialist
SmarterTools Inc.
(877) 357-6278

www.smartertools.com

Reply to Thread