(Plesk for Linux) Enabling Mail Password Hashing
summary: By default, mail account passwords stored in the Plesk database and Plesk backups are symmetrically encrypted. This makes it possible for an attacker who has gained access to a dump of the database or an unencrypted backup to access the mail accounts hosted on the compromised server.
To prevent this, you can enable hashing of mail account passwords in Plesk for Linux. Storing hashes instead of encrypted passwords is much more secure.
In this topic, you will learn how to enable hashing of mail account passwords in Plesk for Linux.
Overview
Symmetric encryption is an encryption method that encrypts and decrypts data with a single key. While efficient, it is considered relatively outdated and unsafe for storing passwords because it is reversible: an attacker who obtains both the encrypted data (for example, a password) and the key used to encrypt it can decrypt the password and access the account it secures.
In contrast, hashing uses a one-way hash function to turn a piece of data (for example, a plaintext password) into a fixed-length alphanumeric string called a hash. Hashing the same password always produces the same hash, but the password cannot be recovered from the hash.
When hashing is used, the password entered at login is hashed and the result is compared to the hash stored in the Plesk database. If the hashes do not match, authentication fails. The advantage of this approach is that obtaining a hash does not give an attacker a practical way to access the account.
Challenges and Limitations
Enabling mail password hashing comes with the following challenges and limitations:
- Hashing is a one-way procedure. If the mail account owner forgets the password to an account whose password is stored as a hash, the password cannot be recovered; it can only be reset.
- At the moment, the SOGo webmail client does not support logging in with a hashed password.
Enabling Mail Password Hashing
To enable mail password hashing:
- Log in to Plesk.
- Go to Tools & Settings, and then click Security Policy (under «Security»).
- Under «Storing email passwords», select the «Hashing» radio button, and then click OK.
Mail password hashing is now enabled. The following changes take effect:
- Passwords for newly created mail accounts will be hashed.
- Symmetrically encrypted passwords for existing mail accounts will remain symmetrically encrypted.
- The next time a symmetrically encrypted mail account password is changed in Plesk, the new password will be hashed.
You can revert to storing mail passwords in symmetrically encrypted form by following the steps above, but selecting the «Symmetric encryption» radio button during the last step. When you do, the following changes take effect:
- Passwords for newly created mail accounts will be symmetrically encrypted.
- Hashed passwords for existing mail accounts will remain hashed.
- The next time a hashed mail account password is changed in Plesk, the new password will be symmetrically encrypted.
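The following Python script is an added illustration, not Plesk's own code, of the two points made on this page: why a reversible (symmetrically encrypted) record exposes the password to anyone holding the database and the key while a hashed record does not (Overview), and how the policy switch behaves during the transition, with new and changed passwords following the current setting and untouched records keeping their old form (the lists above). The record formats (`$enc$…`, `$pbkdf2$…`), the PBKDF2-HMAC-SHA256 choice, the iteration count and the HMAC-based toy keystream standing in for a real cipher are all assumptions made for the demonstration; the page does not say which algorithms Plesk uses.

```python
import hashlib
import hmac
import os

# Constructed demo key: a stand-in for the server-side key that makes
# symmetric encryption reversible. Not a real Plesk key.
SERVER_KEY = b"constructed-demo-key"
PBKDF2_ROUNDS = 100_000  # assumption; Plesk's real hash parameters are not on the page


def _keystream(nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream from HMAC-SHA256(SERVER_KEY, nonce||counter).
    It only models 'reversible by whoever holds the key'; it is not a real cipher."""
    out = b""
    block = 0
    while len(out) < length:
        out += hmac.new(SERVER_KEY, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        block += 1
    return out[:length]


def encrypt_password(password: str) -> str:
    """Reversible storage. Constructed record format: '$enc$<nonce hex>$<ciphertext hex>'."""
    nonce = os.urandom(16)
    data = password.encode("utf-8")
    ct = bytes(p ^ k for p, k in zip(data, _keystream(nonce, len(data))))
    return f"$enc${nonce.hex()}${ct.hex()}"


def decrypt_password(record: str) -> str:
    """What the key holder (legitimately, or an attacker with a dump plus the key)
    can do with an encrypted record: recover the plaintext password."""
    _, scheme, nonce_hex, ct_hex = record.split("$")
    if scheme != "enc":
        raise ValueError("not an encrypted record")
    ct = bytes.fromhex(ct_hex)
    ks = _keystream(bytes.fromhex(nonce_hex), len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks)).decode("utf-8")


def hash_password(password: str) -> str:
    """One-way storage: salted PBKDF2-HMAC-SHA256. Constructed record format:
    '$pbkdf2$<salt hex>$<hash hex>'. A fresh salt makes equal passwords differ."""
    salt = os.urandom(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)
    return f"$pbkdf2${salt.hex()}${dk.hex()}"


def verify_password(record: str, attempt: str) -> bool:
    """Login check for either record kind. A hashed record is never reversed:
    the attempt is hashed with the stored salt and the two hashes are compared."""
    scheme = record.split("$")[1]
    if scheme == "enc":
        return hmac.compare_digest(decrypt_password(record).encode("utf-8"), attempt.encode("utf-8"))
    if scheme == "pbkdf2":
        _, _, salt_hex, dk_hex = record.split("$")
        dk = hashlib.pbkdf2_hmac("sha256", attempt.encode("utf-8"), bytes.fromhex(salt_hex), PBKDF2_ROUNDS)
        return hmac.compare_digest(dk, bytes.fromhex(dk_hex))
    raise ValueError(f"unknown scheme {scheme!r}")


class MailPasswordStore:
    """Models the policy switch described on this page: new and changed passwords
    follow the current setting; existing records keep their form until changed."""

    def __init__(self, hashing_enabled: bool = False):
        self.hashing_enabled = hashing_enabled   # the «Storing email passwords» radio button
        self.records: dict[str, str] = {}

    def _store(self, password: str) -> str:
        return hash_password(password) if self.hashing_enabled else encrypt_password(password)

    def create_account(self, account: str, password: str) -> None:
        self.records[account] = self._store(password)

    def change_password(self, account: str, new_password: str) -> None:
        self.records[account] = self._store(new_password)

    def scheme(self, account: str) -> str:
        return self.records[account].split("$")[1]

    def login(self, account: str, attempt: str) -> bool:
        return verify_password(self.records[account], attempt)

    def exposed_password(self, account: str):
        """Plaintext an attacker holding a database dump plus SERVER_KEY obtains:
        the password for an encrypted record, nothing for a hashed one."""
        return decrypt_password(self.records[account]) if self.scheme(account) == "enc" else None


if __name__ == "__main__":
    store = MailPasswordStore(hashing_enabled=False)
    store.create_account("old@example.com", "hunter2")        # constructed accounts
    store.hashing_enabled = True                               # select «Hashing»
    store.create_account("new@example.com", "correct-horse")
    for acct in store.records:
        print(acct, store.scheme(acct), store.exposed_password(acct))
    store.change_password("old@example.com", "hunter3")        # now re-stored as a hash
    print("old@example.com after change:", store.scheme("old@example.com"))
```

Running the script shows the old account still readable in plaintext by the key holder after hashing is enabled, and only becoming a hash once its password is changed, which is why a migration is only complete after every existing account has had its password reset. A salted, deliberately slow function such as PBKDF2 is used rather than a plain digest because a leaked hash can still be attacked by guessing passwords offline; the salt and the iteration count make that guessing expensive per account, which is the caveat behind "no practical way" in the Overview.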