[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]
Re: [Dolibarr-dev] Forum send plaintext password on mail confirmation
|
From: |
Jean Traullé |
|
Subject: |
Re: [Dolibarr-dev] Forum send plaintext password on mail confirmation |
|
Date: |
Tue, 03 Sep 2019 18:01:13 +0000 |
Hello Km,
Thanks for reporting this.
The passwords are not stored in plaintext in the database but are salted and
hashed before being stored.
An email is however sent with the plain text password before being salted and
hashed to be stored in the database.
I agree with you that this is considered bad practice to send emails with
plaintext passwords (as email should be considered an insecure media).
We are in the process of transitioning to a new forum software (starting with
the French community forum).
My research for Discourse can be read at
https://wiki.dolibarr.org/index.php/User:Jtraulle/DiscourseMigration
Please, note that others users are considering others forum software.
But this should be fixed with that transition.
Jean
‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Tuesday 3 September 2019 18:35, address@hidden <address@hidden> wrote:
> Hello
>
> As I don't know where post this trouble, I prefer use old solution and
> post a mail :)
>
> I've reopened an account on dolibarr.org/forum. On confirmation mail
> I've seen my account and my plaintext password.
>
> I see two troubles :
>
> - Password plaintext looks stored on dolibarr server
> - A mail is sent with a plaintext password.
>
> Is is possible to solve this situation. Looks critical to store and
> send plaintext password.
>
> Thanks a lot
>
> Km
>
>
> Dolibarr-dev mailing list
> address@hidden
> https://lists.nongnu.org/mailman/listinfo/dolibarr-dev