These forums are locked and archived, but all topics have been migrated to the new forum. You can search for this topic on the new forum: Search for How can I prevent Virtualmin from storing passwords in cleartext? on the new forum.
I am really surprised at this behavior. In Virtualmin, I can see the password for any SSH user by clicking the "(Show..)" link next to the "Password ( ) Leave unchanged" option in a variety of locations. I have found that the passwords for all users including users with SSH access are stored in cleartext files in /etc/webmin/... This seems like an unnecessary risk! How can I prevent Virtualmin from storing passwords in this manner?
At the moment, there is no way to turn this off. Virtualmin keeps the original passwords for mailbox users so that it can re-encrypt them in different formats when needed - for example, if you enable MySQL, DAV or SVN access for a user, their password has to be re-hashed into the appropriate format for MySQL or Apache digest authentication files.
I suppose an option could be added to disable the storage of plain-text passwords, but for most users it would come at the expense of usability.
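To make the trade-off described in this reply concrete, here is an added example (not Virtualmin's code) showing that the service-specific hashes can be derived once at password-set time and that later digest verification needs only the stored HA1, so the plaintext itself need not be retained; the user name, realm and password are constructed values.

```python
import hashlib

# Constructed sample values, not taken from the thread.
USERNAME = "alice"
PASSWORD = "correct horse battery"
REALM = "dav.example.com"  # assumed Apache AuthName for the DAV location


def apache_digest_ha1(user, realm, password):
    """HA1 exactly as an htdigest file stores it: MD5(user:realm:password)."""
    return hashlib.md5(f"{user}:{realm}:{password}".encode()).hexdigest()


def mysql_native_password(password):
    """mysql_native_password hash: '*' followed by uppercase hex SHA1(SHA1(pw))."""
    stage1 = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(stage1).hexdigest().upper()


def derive_service_hashes(user, password, realms):
    """Compute every format a service might need while the plaintext is in hand.

    Once these are written out, the plaintext can be discarded; only a later
    change of password (or a new realm) requires it again, as the thread notes.
    """
    return {
        "mysql": mysql_native_password(password),
        "htdigest": {r: f"{user}:{r}:{apache_digest_ha1(user, r, password)}" for r in realms},
    }


def digest_response(ha1, method, uri, nonce):
    """RFC 2617 response with the basic (non-auth-int, no qop) algorithm."""
    ha2 = hashlib.md5(f"{method}:{uri}".encode()).hexdigest()
    return hashlib.md5(f"{ha1}:{nonce}:{ha2}".encode()).hexdigest()


def verify_digest(stored_ha1, method, uri, nonce, client_response):
    """The server side needs only HA1, never the plaintext password."""
    return digest_response(stored_ha1, method, uri, nonce) == client_response


if __name__ == "__main__":
    hashes = derive_service_hashes(USERNAME, PASSWORD, [REALM])
    print(hashes["mysql"])
    print(hashes["htdigest"][REALM])
```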
I am also concerned about the security risk around storing plain-text passwords.
How about asking for the user to enter a new password every time rehashing is needed when plain-text passwords are disabled? It would make it quite a hassle if you edit permissions often, but for me that's more than worth it to prevent the security risk.
What if I were to go in to the files in /etc/webmin and manually delete the passwords? What would happen? Obviously Virtualmin would fail to rehash passwords if I enabled new services, but I could change the password if I ever do that later.
Yes, you could do that. You would get an error if you tried to enable something like a MySQL login for a user, though...