Reversible Passwords

[SGNinja101]

So we just installed TCAdmin V2 and found out that all passwords are reversible.

Then we contacted the support and talked with Luis and he told us that it is by design.

 

Personally I think that it is a major design/security flaw and wanted a broader opinion on it.

[icekohl]

Please elaborate on 'reversible'.

[adamnp]

basically, storing passwords using reversible encryption is nearly the same as storing plain text vers of the passwords.

 

The system will store the passwords with a reversible encryption...Basically, allowing you to decrypt it....

 

Typically, the purpose of this would be to provide apps that use protocols that might require the user's password for auth purposes.

 

 

 

I guess you will be relying on customers utilizing secure passwords? We all know thats a joke though

 

....

 

I agree with the OP....I'm sure Luis can elaborate though on his reasoning.

Edited August 30, 2011 by adamnp

[Nisd]

Well we are more relying on our Admins having secure passwords, and as we all know people are really bad at reusing passwords.

[TheHeartSmasher]

Encrypting passwords is a dangerous thing to do in software. The safer and more secure route would be to use at least SHA-1 hashing with salting. Any reason to downgrade security by encrypting passwords instead of hashing them or using other authentication methods?

[ECF]

Luis reasoning is the security feature within TCAdmin that allows you to lock out logins from admins by IP address.

[LFA]

I will add an option to disable is in v2.