Are passwords viewable in plain text?
I hope this only happens in the demo, but isn't it a really bad practice and a massive security vulnerability to store plain text passwords or to even be able to view them at all?
In the demo, I'm able to view the password for every mailbox, which made me very concerned. Please correct me if I'm wrong, but I believe passwords should be hashed and there should be no easy way to un-hash it. In other words, no one should be able to revert the hash back to plain text, not even the API server.
I haven't tried the self-hosted version yet, so I don't know if this is only the case with the demo showcase.
A quick glimpse at the source code tells me that you hash them with MD5, which could be good enough. But for improved security, I would personally use safer hashing algorithms such as Argon2id or scrypt as suggested by this OWASP article.
As you can see, we have provided the plaintext password on the console of BillionMail.
However, what we store in the database is an encrypted one. We don't use one-way encryption but two-way encryption. This is because we need to ensure that users can directly paste this login information to their target users, enabling them to log in to manage their accounts and send emails via Webmail or other means.
I see. But isn't that a security vulnerability or an attack vector?
If you have a way to extract the plain text version of the password, then anyone could. Even an attacker.
It certainly is convenient to have access to the plain text password, but that leaves the door wide open for anyone to steal it. Other email clients do not give you the password itself, but do allow you to change it anytime. That way you know the password is impossible to un-hash and if the user forgets it, they can just change it securely.
Just imagine one of your users reuses the same password everywhere (bad practice I know, but very common) and if someone is able to breach into BillionMail, they just stole their password and can use it anywhere.
Also, if there's a way to get the plain text version of the password, there's no point in hashing it.
The main purpose for hashing a password is so that it becomes undecipherable. There is no way to figure out the original string from the resulting hash. But if you do have a way to decipher it back into plain text, hashing has no benefit here in my opinion.
Still, I truly believe passwords must be hashed unless there's a very good reason not to. And even then, the plain text versions should never be exposed client-side. They should be encrypted and only the back-end should be able to decrypt and use them.
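The pattern the replies above argue for, as an added example that is not part of the issue thread and not BillionMail's own code: mailbox passwords are stored only as salted scrypt hashes (one of the OWASP-recommended algorithms mentioned earlier), logins are verified by recomputing the hash, and an administrator who needs to hand credentials to a user rotates the password and receives the new plaintext exactly once instead of reading it back from storage. The `MailboxStore` class, the `$scrypt$` record format and the scrypt cost parameters are assumptions made for this example; the cost is deliberately low so the example runs quickly and should be raised in production.

```python
import base64
import hashlib
import hmac
import os
import secrets

# Assumed scrypt cost; OWASP recommends N=2**17, r=8, p=1 for production.
# 2**14 keeps this example fast (128 * r * N = 16 MiB of memory per hash).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
KEY_LEN = 32


def _b64(raw: bytes) -> str:
    return base64.b64encode(raw).decode("ascii")


def hash_password(password: str) -> str:
    """Return a self-describing record: $scrypt$N$r$p$<salt>$<hash>."""
    salt = os.urandom(16)  # fresh random salt per password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=KEY_LEN)
    return "$scrypt$%d$%d$%d$%s$%s" % (SCRYPT_N, SCRYPT_R, SCRYPT_P,
                                        _b64(salt), _b64(digest))


def verify_password(password: str, record: str) -> bool:
    """Recompute the hash from the stored parameters and compare in constant time."""
    try:
        _, algo, n, r, p, salt_b64, hash_b64 = record.split("$")
        if algo != "scrypt":
            return False
        salt = base64.b64decode(salt_b64)
        expected = base64.b64decode(hash_b64)
    except (ValueError, TypeError):
        return False
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                               n=int(n), r=int(r), p=int(p), dklen=len(expected))
    return hmac.compare_digest(candidate, expected)


class MailboxStore:
    """Assumed in-memory stand-in for the mailbox table: only hashes are kept."""

    def __init__(self) -> None:
        self._records: dict[str, str] = {}

    def create(self, address: str, password: str) -> None:
        self._records[address] = hash_password(password)

    def verify_login(self, address: str, password: str) -> bool:
        record = self._records.get(address)
        # Hash a dummy value even for unknown users so timing does not reveal
        # which addresses exist.
        if record is None:
            verify_password(password, hash_password("dummy"))
            return False
        return verify_password(password, record)

    def rotate(self, address: str) -> str:
        """Replace the password and return the new plaintext exactly once.

        This is the 'change it anytime' alternative to displaying a stored
        password: the caller can paste the value to the user, but nothing
        reversible is ever written to storage.
        """
        new_password = secrets.token_urlsafe(16)
        self._records[address] = hash_password(new_password)
        return new_password

    def export_for_ui(self, address: str) -> dict:
        """What a management UI may show: the address and the hash algorithm, never a secret."""
        record = self._records[address]
        return {"address": address, "hash_algorithm": record.split("$")[1]}


if __name__ == "__main__":
    store = MailboxStore()
    store.create("alice@example.com", "hunter2")  # constructed sample mailbox
    print("login ok:", store.verify_login("alice@example.com", "hunter2"))
    print("rotated to:", store.rotate("alice@example.com"))
    print("old password still valid:", store.verify_login("alice@example.com", "hunter2"))
    print("ui view:", store.export_for_ui("alice@example.com"))
```

Because the salt is random, hashing the same password twice yields two different records, so a breach of the table does not reveal which mailboxes share a password, and the stored record cannot be turned back into the plaintext by the API server or anyone else.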
You're absolutely right to be concerned. Under normal circumstances, passwords should always be stored in fully encrypted form and never displayed in the UI. However, this situation is unique—SMTP clients require plaintext passwords for authentication, which means we need a method to securely share SMTP connection details so authorized users can log in and send emails.
We’ll carefully evaluate this issue moving forward. If you have a better solution, we’d welcome your contribution via a PR (Pull Request). Thank you for your attention to this matter!
(Note: "PR" refers to submitting code improvements through GitHub/GitLab's pull request system.)
Would you like me to refine any part of this further?
Got it! If SMTP requires it, then go ahead. And thank you for the clarification.
I'm not exactly a cybersecurity expert, but right now the only suggestion I have is maybe not showing the passwords on the front-end, since that would mean they are publicly accessible.
Storing them encrypted seems like the right way to go, but I would keep them on the server-side at all times to avoid exposing them to the internet.
That way, an attacker could only get their hands on the passwords by entering the server itself or exploiting a different backdoor/bug/vulnerability.
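One concrete way to enforce the "never expose it to the front-end" suggestion above, as an added example that is not code from the thread or from BillionMail: a guard that runs over every outbound API response and log line, redacting password-like fields and any value that matches a secret the server currently holds, and counting what it had to remove so a test or alert can flag the leak. The `redact_secrets` function, the key-name heuristic and the sample payload are assumptions constructed for this example.

```python
import json
import re
from typing import Any

# Field names that should never leave the back-end in clear text (assumed list).
SENSITIVE_KEY = re.compile(r"(passw(or)?d|secret|token|smtp_pass)", re.IGNORECASE)
REDACTED = "[REDACTED]"


def redact_secrets(obj: Any, known_secrets: set[str]) -> tuple[Any, int]:
    """Return a copy of obj with secrets removed and the number of redactions made.

    Two rules are applied recursively over dicts and lists:
      1. any value under a sensitive-looking key is replaced, whatever it is;
      2. any string equal to a secret the server holds is replaced, even when
         it appears under an innocent key (for example inside a pasted message).
    """
    if isinstance(obj, dict):
        out, count = {}, 0
        for key, value in obj.items():
            if isinstance(key, str) and SENSITIVE_KEY.search(key):
                out[key] = REDACTED
                count += 1
            else:
                out[key], n = redact_secrets(value, known_secrets)
                count += n
        return out, count
    if isinstance(obj, list):
        items, count = [], 0
        for value in obj:
            cleaned, n = redact_secrets(value, known_secrets)
            items.append(cleaned)
            count += n
        return items, count
    if isinstance(obj, str) and obj in known_secrets:
        return REDACTED, 1
    return obj, 0


def safe_response(payload: dict, known_secrets: set[str]) -> str:
    """Serialise an API response for the client; raise if a secret still slips through."""
    cleaned, _ = redact_secrets(payload, known_secrets)
    body = json.dumps(cleaned)
    for secret in known_secrets:
        if secret in body:
            raise RuntimeError("secret leaked into client response")
    return body


def scrub_log_line(line: str, known_secrets: set[str]) -> str:
    """Remove known secrets from a log line before it is written."""
    for secret in known_secrets:
        line = line.replace(secret, REDACTED)
    return line


if __name__ == "__main__":
    # Constructed sample: what a naive /mailboxes endpoint might return.
    payload = {
        "mailboxes": [
            {"address": "alice@example.com", "password": "hunter2", "quota_mb": 1024},
            {"address": "bob@example.com", "smtp_pass": "s3cret!", "quota_mb": 512},
        ],
        "welcome_text": "Log in with hunter2 at webmail.example.com",
    }
    secrets_in_use = {"hunter2", "s3cret!"}
    print(safe_response(payload, secrets_in_use))
    print(scrub_log_line("AUTH PLAIN alice@example.com hunter2 from 10.0.0.5",
                         secrets_in_use))
```

The second rule matters in practice: a sensitive field is easy to strip, but a credential that an operator pasted into a free-text note or that an SMTP library echoed into a log line is what usually reaches a browser or a log aggregator.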