Facebook
Twitter
H
Henk van Andel
Guest
Anyone can recover their password when logging in to Plesk. Including mail clients, logging in as me@domain.com.
However, I found that:
The original password is send to a known e-mail address; no matter what address is entered, Plesk sends it to me@domain.com. The client cannot access this because he lost his password! Catch 22? Or do I do something stupid? You can enter an email-address for receiving the lost password, but addresses other than me@domain.com are being refused. Logically, because otherwise everybody could steel the password of anybody just by knowing his e-mail address for logging in.
Any comments? Suggestions?
Moreover, sending the original password in clear text by e-mail is unsafe. Plus it implies that the server stores the original passwords (hopefully encrypted?!) where they could e hacked.
To me it seems preferable to send a new temporarely password and urging/forcing the client to change it immediately over https.
However, I found that:
The original password is send to a known e-mail address; no matter what address is entered, Plesk sends it to me@domain.com. The client cannot access this because he lost his password! Catch 22? Or do I do something stupid? You can enter an email-address for receiving the lost password, but addresses other than me@domain.com are being refused. Logically, because otherwise everybody could steel the password of anybody just by knowing his e-mail address for logging in.
Any comments? Suggestions?
Moreover, sending the original password in clear text by e-mail is unsafe. Plus it implies that the server stores the original passwords (hopefully encrypted?!) where they could e hacked.
To me it seems preferable to send a new temporarely password and urging/forcing the client to change it immediately over https.
