This is the old XigmaNAS forum in read-only mode;
it will be taken offline by the end of March 2021!




Password md5 instead of password in config file?

Post by MikeMac »

Currently nas4free saves the web GUI password as an XML tag, like
<password>nas4free</password>

It is not secure. Why not save an md5 hash instead? Like
echo -n password | md5
5f4dcc3b5aa765d61d8327deb882cf99
Then save 5f4dcc3b5aa765d61d8327deb882cf99 to the config file.

Then, when the user types the password, nas4free should make an md5 from it and compare it with the stored md5 hash.

Maybe not such high security, but very easy to implement and no visible disadvantages.

Post by raulfg3 »

+1
12.1.0.4 - Ingva (revision 7743) on SUPERMICRO X8SIL-F 8GB of ECC RAM, 11x3TB disk in 1 vdev = Vpool = 32TB Raw size , so 29TB usable size (I Have other NAS as Backup)

Wiki
Last changes

HP T510

Post by alexey123 »

As for me, no need for md5.
Home12.1.0.4 - Ingva (revision 7091)/ x64-embedded on AMD A8-7600 Radeon R7 A88XM-PLUS/ 16G RAM / UPS Ippon Back Power Pro 600
Lab 12.1.0.4 - Ingva (revision 7091) /x64-embedded on Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz / H61M-DS2 / 4G RAM / UPS Ippon Back Power Pro 600

Post by raulfg3 »

Why not? Your 5-year-old son can open your config.xml file and see your password.

Or you publish the config to receive help, and everyone sees your password.

Post by alexey123 »

raulfg3 wrote: Why not? Your 5-year-old son can open your config.xml file and see your password.

Is your 5-year-old son a NAS4Free guru? :D

raulfg3 wrote: Or you publish the config to receive help, and everyone sees your password.

If you publish any info online, you must check for private info before publishing. :!:

Why do I not agree?
I have a working server with many users. As admin I created users with passwords, and I do not save the passwords to another PC. I also do not keep passwords on a piece of paper glued to the monitor.
After 2-3 months I cannot remember all the passwords, and if a user has a problem I need to connect as that user. To do this I read config.xml.
With md5 passwords I would need to store them on a piece of paper.

Post by MikeMac »

alexey123> To do this I read config.xml.

Alexey, maybe both scenarios are applicable.
What about a corrected idea:
1) Add a radio button to System|General|Password. The user will be able to choose between having the password itself saved to the config, or just an md5 hash.
2) Default behaviour should be as it is now - to save the password itself to the config.
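
An added sketch of the storage modes discussed in the posts above, not part of the original thread and not XigmaNAS code: it writes the GUI password into the `<password>` tag either in cleartext or as the md5 hash from the first post, and goes beyond the thread by adding a salted PBKDF2 format for comparison. The `format` attribute, the `<config><system>` layout and the iteration count are assumptions.

```python
import hashlib
import hmac
import os
import xml.etree.ElementTree as ET

# Constructed sample; only the <password> tag itself appears in the thread.
SAMPLE = "<config><system><password>nas4free</password></system></config>"
ITERATIONS = 200_000  # assumed PBKDF2 work factor


def set_password(root, password, fmt):
    """Write <password> in one of three formats: clear, md5 or pbkdf2."""
    tag = root.find("./system/password")
    if fmt == "clear":                      # current behaviour
        tag.text = password
    elif fmt == "md5":                      # the proposal: echo -n pw | md5
        tag.text = hashlib.md5(password.encode()).hexdigest()
    elif fmt == "pbkdf2":                   # salted and iterated (added here)
        salt = os.urandom(16)
        dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
        tag.text = f"{ITERATIONS}${salt.hex()}${dk.hex()}"
    else:
        raise ValueError(f"unknown format: {fmt}")
    tag.set("format", fmt)                  # hypothetical attribute


def check_password(root, candidate):
    """Compare a typed password with whatever format the config holds."""
    tag = root.find("./system/password")
    fmt = tag.get("format", "clear")        # untagged means legacy cleartext
    stored = tag.text or ""
    if fmt == "clear":
        computed = candidate
    elif fmt == "md5":
        computed = hashlib.md5(candidate.encode()).hexdigest()
    elif fmt == "pbkdf2":
        iters, salt_hex, stored = stored.split("$")
        computed = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                                       bytes.fromhex(salt_hex), int(iters)).hex()
    else:
        return False
    # Constant-time comparison so timing does not reveal matching prefixes.
    return hmac.compare_digest(computed.encode(), stored.encode())


def stored_value(password, fmt):
    """Return the text that would land in config.xml for this format."""
    root = ET.fromstring(SAMPLE)
    set_password(root, password, fmt)
    return root.find("./system/password").text
```

The md5 mode writes the same 32 hex characters for the same password on every box, while the PBKDF2 mode writes a different value each time because of the random salt.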

Post by davidb »

I brought up a similar scenario to the developers a long time ago, right around the time that FN and N4F split (don't remember which team I asked). As I was new to N4F, I was playing around with the various settings, and decided to give Active Directory integration a go. After asking our IT manager to put in the domain admin password, I discovered that if I looked at the page HTML source I could read the password.

My proposed solution was, instead of having a text box waiting for the password, to have a button that would open a window with one (or two, depending on if you wanted to have to retype the password) empty text field to input the password, and then save, and the old password would never be exposed.

The response I got was basically that if you have access to the webmin, you have access to the passwords. Also, because the config file saves all the passwords, all you would have to do is "save configuration" and you have them in cleartext anyways.
