2
Export Users WITH Password
Question asked by Jay Dubb - 3/7/2022 at 8:22 AM
Answered
System admins are able to view user passwords one by one.  They are also able to export a list of all users to CSV.

Is there a way for a system admin to export a list of users AND their passwords?
 

10 Replies

Reply to Thread
0
Emily Ward Replied
Employee Post
Hi Jay,

Thanks for posting! Because SmarterMail is API driven you can use the API to get users' passwords. I've created a ticket with your question to provide you more information about this.
Emily Ward
Customer Relations and Partner Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Fadi Hussein Replied
Can you please share your finding here since im as well interested to see best way to export the list.

thank you
1
Eric Tykwinski Replied
I personally would rather have an option to hash/salt the passwords to make them unrecoverable.
Look at the news of every bad security breach and they are taken to task for not doing it.
1
Emily Ward Replied
Employee Post
Hi Fadi,

The API for exporting with passwords is not in our documentation yet so you would need to reverse engineer it to get the call you'll need. I started a ticket with you to provide you with that information.
Emily Ward
Customer Relations and Partner Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Emily Ward Replied
Employee Post
Another option to at least retrieve the passwords, but not export them, can be found in Tony's comment here: https://portal.smartertools.com/community/a94735/retrieving-passwords-not-working-per-api-documentation.aspx#136070
Emily Ward
Customer Relations and Partner Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
2
Jay Dubb Replied
@Eric Tykwinski :  I agree this would be a nice option.  Emphasis on the "optional" part.  There was quite a ruckus in these forums a few years ago when the 'view password' option was rumored to be going away in a future upgrade.

Removing that ability would be terrible for domain admins, especially when they lack the ability to impersonate users.   See my thread: https://portal.smartertools.com/community/a94469/feature-request-impersonate-user-by-domain-admins-not-just-superuser.aspx     We have a fairly new customer who came onboard with over 1,400 users whose admins HAD impersonation at their prior host, but lost it when they came to us.  They beat us up weekly over why that feature is taking so long coming to SmarterMail.

Without the ability to impersonate, and without the ability to view passwords, admins would be (almost) helpless to diagnose user problems, especially when it requires viewing headers, etc.  Users often forget their passwords, especially when it's a one-time drop into Outlook and their mobile device.  Forcing a password reset each time an admin needs into the mailbox (due to lack of impersonation or pw viewing) would be a disaster.

I wrote that more for the benefit of all of us, in case SmarterTools is toying with the idea of taking away password viewing.
 
0
John C. Reid Replied
Emily,

Once you have reverse engineered how to do this with the API, we would appreciate a copy as well. It may well allow us to refactor our current method of having to loop through getting all the domains, then all the users for each domain, then retrieve and store all this in a database just so we can pull the users and the passwords together. Obviously this is very compute and time intensive. We have around 350 domains and several thousand email addresses on the server, so it takes a tic for this to complete.

Thank you. 
John C. Reid  / Technology Director
John@prime42.net  / (530) 691-0042
1300 West Street, Suite 206, Redding, CA 96001

0
Zach Sylvester Replied
Employee Post Marked As Answer
Hello, 

Thank you for getting back to us. Here is a script I made in Python to grab all the usernames as well as the passwords from a given domain and export them to a CSV file. example2.zip I've attached it here. You will have to change the URL and the domain at the top of the file as well as change the login information on line 51. You will need to install Python 3 and add it to the path. Once that is done you will need to open cmd and type 
pip install requests 
Then you can run the script by going to the directory in cmd and typing 
python insertfilenamehere.py

Please let me know if this helps. 

Kind Regards, 
Zach Sylvester
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Zach Sylvester Replied
Employee Post
@John C

The way that you're doing your requests is how it needs to be done. Currently, the API documentation is incorrect. The GetUser API call and ListUsers API call don't actually return the password. You need to use the show-password API call to do this. This means that two API calls are required. And even if it was a single call I don't think it would make it much more efficient since on the code side of things the show password method would still have to be run on the server. If anything spacing it out reduces load over time. But If you mean API script length I can see what you mean there. 

Kind Regards, 
Zach Sylvester
Technical Support Specialist
SmarterTools Inc.
(877) 357-6278
www.smartertools.com
0
Jay Dubb Replied
Thank you, Zach!
 

Reply to Thread