Forum send plaintext password on mail confirmation

Forum send plaintext password on mail confirmation

cam.lafit@azerttyu.net
Hello

As I don't know where to post this trouble, I prefer to use the old solution and
post a mail :)

I've reopened an account on dolibarr.org/forum. In the confirmation mail
I saw my account and my plaintext password.

I see two troubles:
* The password looks to be stored in plaintext on the Dolibarr server
* A mail is sent with a plaintext password.


Is it possible to solve this situation? It looks critical to store and
send a plaintext password.

Thanks a lot

Km

_______________________________________________
Dolibarr-dev mailing list
[hidden email]
https://lists.nongnu.org/mailman/listinfo/dolibarr-dev

Re: Forum send plaintext password on mail confirmation

Jean Traullé
Hello Km,

Thanks for reporting this.

The passwords are not stored in plaintext in the database; they are salted and hashed before being stored.
An email is, however, sent with the plaintext password before it is salted and hashed for storage in the database.

I agree with you that it is considered bad practice to send emails with plaintext passwords (as email should be considered an insecure medium).

We are in the process of transitioning to a new forum software (starting with the French community forum).
My research for Discourse can be read at https://wiki.dolibarr.org/index.php/User:Jtraulle/DiscourseMigration

Please note that other users are considering other forum software.

But this should be fixed with that transition.

Jean

‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 3 September 2019 18:35, [hidden email] <[hidden email]> wrote:

Re: Forum send plaintext password on mail confirmation

cam.lafit@azerttyu.net
Hello

Thanks for your reply. I'm reassured. It's better not to have
passwords stored in plaintext :)

While waiting for the new forum system, it could be interesting to remove
the password line from the confirmation mail template.

Thanks a lot

Km

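The flow Jean describes (password salted and hashed for storage, but echoed in plaintext into the confirmation mail) and the interim fix Km suggests (drop the password line from the mail template), side by side as an added example. This is not code from the thread, from Dolibarr or from any forum software: the user table and mail queue are constructed in-memory stand-ins, PBKDF2-HMAC-SHA256 is chosen as one salted hash since the forum's actual scheme is not stated, and the confirmation URL and 24-hour token lifetime are assumptions. The secure variant replaces the password in the mail with a single-use, expiring token, storing only a hash of that token so a database read cannot be replayed as a confirmation.

```python
import hashlib
import hmac
import os
import secrets
from typing import Dict, List, Optional, Tuple

# Constructed stand-ins for the forum's user table and outgoing mail queue
# (assumption: the real forum software's schema is not on the page).
USERS: Dict[str, dict] = {}
OUTBOX: List[dict] = []

# Hypothetical confirmation endpoint and token lifetime; neither is from the thread.
CONFIRM_URL = "https://forum.example.org/confirm"
TOKEN_TTL = 24 * 3600


def hash_password(password: str, salt: Optional[bytes] = None) -> Tuple[bytes, bytes]:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored, never the password."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)
    return salt, digest


def verify_password(password: str, salt: bytes, digest: bytes) -> bool:
    """Recompute with the stored salt and compare in constant time."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


def register_insecure(username: str, email: str, password: str) -> str:
    """The pattern reported in the thread: hashed in the database, but the
    plaintext is still rendered into the confirmation mail. Returns the mail body."""
    salt, digest = hash_password(password)
    USERS[username] = {"email": email, "salt": salt, "hash": digest, "confirmed": False}
    body = f"Welcome {username}\nLogin: {username}\nPassword: {password}\n"
    OUTBOX.append({"to": email, "body": body})
    return body


def register_secure(username: str, email: str, password: str, now: int) -> str:
    """Same storage, but the mail carries a single-use, expiring token instead
    of the password; only the token's hash is kept server-side. Returns the mail body."""
    salt, digest = hash_password(password)
    token = secrets.token_urlsafe(32)
    USERS[username] = {
        "email": email, "salt": salt, "hash": digest, "confirmed": False,
        "confirm_hash": hashlib.sha256(token.encode("ascii")).digest(),
        "confirm_expires": now + TOKEN_TTL,
    }
    body = (f"Welcome {username}\nConfirm your account within 24 hours:\n"
            f"{CONFIRM_URL}?u={username}&t={token}\n")
    OUTBOX.append({"to": email, "body": body})
    return body


def confirm(username: str, token: str, now: int) -> bool:
    """Consume the token: expiry check, constant-time compare, then invalidate it."""
    user = USERS.get(username)
    if user is None or user["confirmed"] or user.get("confirm_hash") is None:
        return False
    if now > user["confirm_expires"]:
        return False
    presented = hashlib.sha256(token.encode("ascii")).digest()
    if not hmac.compare_digest(presented, user["confirm_hash"]):
        return False
    user["confirmed"] = True
    user["confirm_hash"] = None  # single use
    return True


def token_from_mail(body: str) -> str:
    """Extract the token from the mail body, as the recipient's click would."""
    return body.split("&t=", 1)[1].strip()


def mail_leaks_password(body: str, password: str) -> bool:
    """The check a template reviewer would run over a rendered confirmation mail."""
    return password in body


if __name__ == "__main__":
    pw = "correct horse battery staple"
    print("insecure mail leaks password:",
          mail_leaks_password(register_insecure("km", "km@example.net", pw), pw))
    body = register_secure("km2", "km2@example.net", pw, now=1_000)
    print("secure mail leaks password:", mail_leaks_password(body, pw))
    print("confirmed:", confirm("km2", token_from_mail(body), now=2_000))
```

Both registration paths store the same salted hash, which is the point of Jean's reply: the storage was already fine, and the only change needed for the mail is in what the template renders. `mail_leaks_password` is the kind of assertion worth adding to a template test so the password line cannot creep back in.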