Announcement

Collapse
No announcement yet.

Email Password Strength not enforced by Webmail

Collapse
X
  • Filter
  • Time
  • Show
Clear All
new posts

  • Email Password Strength not enforced by Webmail

    Our InterWorx boxes have "Strong" passwords configured as a requirement. However, many of our users continued to make obviously weak passwords (pin numbers, dictionary words, etc). And of course many of those mailboxes get hacked.

    Tonight I noticed that RoundCube, and I suspect the other webmail clients provided by InterWorx, will permit any strength passwords. For example, I just set my own password to "1" and then proved it took by changing my password back but only after providing "1" as my current password. Almost none of our customers actually use the control panel to set their own email password, so we've been really operating under a false sense of password security all this time. :-/
    My small technology blog
    [translocator.ws]

    Stack Overlap - Web Hosting and Development
    [www.stackoverlap.com]

    Mealsite
    [www.mealsite.com]

  • #2
    Originally posted by jimp View Post
    Our InterWorx boxes have "Strong" passwords configured as a requirement. However, many of our users continued to make obviously weak passwords (pin numbers, dictionary words, etc). And of course many of those mailboxes get hacked.

    Tonight I noticed that RoundCube, and I suspect the other webmail clients provided by InterWorx, will permit any strength passwords. For example, I just set my own password to "1" and then proved it took by changing my password back but only after providing "1" as my current password. Almost none of our customers actually use the control panel to set their own email password, so we've been really operating under a false sense of password security all this time. :-/
    Hey jimp, I wasn't aware of this behavior. I'll see what we can do about it.
    Matt Parmelee
    Interworx Developer
    http://www.interworx.com/

    Comment


    • #3
      You really got to stop the hacking..i guess that's ultimately affecting everyone.

      Comment


      • #4
        Hi dragonmiller

        The issue raised by jimp was not as a result of hacking by them.

        It is a big weakness within the webmail/email services, and all 3 webmail services allow the same reset, apart from 1 which requires a minimum of 3 alphanumeric characters.

        I would hope this is addressed as a priority as in my experience, most users will always set an easy password, and therefore has a greater chance of been hacked by the bad people, and your systems then been used for sending spam, ddos of other mail services etc. and then there's the real headache of having to clean your ip when you've been blacklisted.

        I hope this makes more sense and also explain why it is so important to be corrected to maintain strong passwords.

        Many thanks

        John

        Comment


        • #5
          Got you John..sorry for that post..i was hoping if you could let it go.

          Comment


          • #6
            Hi dragonmiller

            Many thanks, but there's nothing to let go.

            I make mistakes myself and I hope someone would point them out to me.

            Many thanks

            John

            Comment


            • #7
              We setup our own install of roundcube. That way, we don't have password reset capabilities in the webmail, and we could also add an addon to enforce verification of email addresses for personas.

              In a default Roundcube install, anyone can add any email address to send as, without having to verify that you have access to the address.
              It also let's us continually update the client. And provide a login form directly on our site.

              Comment


              • #8
                Hi Evanion

                That sounds a lovely feature to have and I'd be interested to know how we set that up on our systems so we can introduce it, to secure our systems. If you don't mind, you could PM me or sorry if I am asking too much, and please ignore.

                If IW were to adopt it, it would make a great feature in your new theme.

                Many thanks

                John

                Comment


                • #9
                  We just setup a roundcube install with addons from myroundcube.
                  For the external login, we had to adapt the autologon addons in myroundcube. I will try and package the changes and send them your way. You will need to program some security precausions to avoid xss, and man-in-middle attacks (don't want to release that part of the code, for our internal security). But the code works.

                  A way to implement xss security, is to have a common mysql database with a table, that handles temporary token hashes with a timestamp. We discussed a solution like this when we did the implementation earlier. But decided on another solution. Perhaps it's something that we can improve together.

                  Roundcube is setup to use the domainname of the user to connect with the right mailserver. And I have been in the conf file to change the destination of the '/webmail' proxy. Letting all the customers access the webmail via '<domain>/webmail'

                  Comment


                  • #10
                    Hi Evanion

                    Many thanks, I'd appreciate it thank you.

                    I think there's always going to be issues with any implementation re security or vulnerabilities, and if I can help, please let me know, but as you know, it would always be a fluid battle for xss, mim and I totally understand over not releasing this code.

                    I will try this on our cluster test when it's ready and we have finished our initial tests.

                    Many thanks

                    John

                    Comment


                    • #11
                      Here are the files you asked for.
                      The autologon folder should be placed in your roundcube installs 'plugin' folder (there should already be a autologon folder there).

                      The version of autologon supplied in the packaged is customized, and should replace any pre existing files.
                      The HTML file contains the form.

                      Please update any 'yourdomain.com' with the address to your webmail.
                      The form and autologon script is configured to connect over SSL.

                      Here are the main.inc.php config:

                      Code:
                       
                      //$rcmail_config['default_host'] = 'ssl://%s';
                      $rcmail_config['default_host'] = '%s';
                      
                      // TCP port used for IMAP connections
                      //$rcmail_config['default_port'] = 993;
                      $rcmail_config['default_port'] = 143;
                      Attached Files
                      Last edited by Evanion; 10-10-2013, 07:29 AM.

                      Comment


                      • #12
                        Hi Evanion

                        Many thanks and sorry for late reply, it's been a long day.

                        I'll download this tommorow and test on our test cluster.

                        I hope you don't mind, but to anyone who also downloads this, please note Evanion warning over xss and mim warning. Use at your own risk and there is no support or acceptance of any liability whatsoever. If you don't understand the risk, please do not implement this on your systems.

                        I don't have a sword but if I did, it's yours

                        Many thanks once more

                        John

                        Comment


                        • #13
                          Right now the form posts directly to the auto logon script. I recommend moving it to a php function.

                          Comment

                          Working...
                          X