Prevent decryption of passwords for customers/mail users/...
At the moment, user/customer/... passwords are stored in the database in a way that they can still be decrypted using the server's private key (see for instance http://serverfault.com/questions/425116/possible-to-get-cleartext-password). This is for instance used by the program mail_auth_view. Thus, once somebody knows the key and has access to the database, (s)he can decrypt all passwords.
I would like to prevent the ability of decrypting passwords at all. Since many people use the same passwords across different accounts, I'd like to prevent the risk that user passwords unintentionally could get revealed if somebody gets access to the server.
Thanks for raising it. We have merged that other request in here for ease of tracking.
This is a duplicate request. See https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/7247271-prevent-decryption-of-passwords-for-customers-mail
I fully agree - All passwords should be stored using one-way cryptographic hash functions that cannot be decrypted.
Btw: This is the same feature request as https://plesk.uservoice.com/forums/184549-feature-suggestions/suggestions/10547529-storing-all-passwords-in-psa-database-in-undecrypt
storing all passwords in psa database in undecryptable one-way hash after recent 000Webhost hack