[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [cobalt-users] Checking user password
- Subject: Re: [cobalt-users] Checking user password
- From: "Steve Werby" <steve-lists@xxxxxxxxxxxx>
- Date: Wed Dec 5 11:36:51 2001
- Organization: Befriend Internet Services LLC
- List-id: Mailing list for users to share thoughts on Cobalt products. <cobalt-users.list.cobalt.com>
"Kham Vue" <kvue@xxxxxxxxxxx> wrote:
> I have RAQ4 and RAQ3. Is there a way to check the user's password?
Not directly. The passwords are stored one-way encrypted, meaning they
can't be decrypted.
> If someone forgot their password, I usually change their password via
> the control panel.
That's about the best you can do, unless...
> Is there a way just to see what it is instead of changing it?
You could use something like John the Ripper, which is a password cracker
you can install on the server. It works by taking a list of words,
word-number combinations, etc. from a dictionary and encrypting them, then
comparing the encrypted results with the encrypted passwords stored on your
server. If there's a match it notes the cracked password. It's good for
detecting weak passwords and can actually detect them very quickly, but if
the passwords are strong then it's not effective for your purposes (that's a
good thing) since by the time it cracked the password (if it did) your user
would have likely taken their business elsewhere. On a few servers I manage
I run it periodically to check for weak passwords, then I contact the users
with weak passwords and ask that they change them.
John the Ripper: http://www.openwall.com/john/
--
Steve Werby
President, Befriend Internet Services LLC
http://www.befriend.com/