Plain Text Passwords Really?


Postby bfisher » 4:25pm, Mon 27 Jun, 2011

I can't believe that this is still going on. I tried phpList 2.11.6 the other day. I still can't encrypt the password. Even the password field shows the password while you are typing it. What if someone cracks your database? Is there any way to hide the password while typing it? Or any way to not show an admin's password when editing an admin? That is like security 101.
bfisher
phpList newbie
 
Posts: 1
Joined: 8:30pm, Fri 24 Jun, 2011

Re: Plain Text Passwords Really?

Postby Nicu » 11:22am, Mon 11 Jul, 2011

True, I have the same concern about the security. Storing text passwords is not a good practice. I hope this will change with the next version. I'll take a look at the code, maybe there's a relatively quick fix for this. If I manage to fix this feature I will post the changes in here.
Nicu
phpList newbie
 
Posts: 2
Joined: 11:15am, Mon 11 Jul, 2011

Re: Plain Text Passwords Really?

Postby Dragonrider » 12:01pm, Mon 11 Jul, 2011

You can always set the USEENCRYPTEDPASSWORD option in the config/config.php file, I suppose.
My sites:- http://wharfedalefestival.co.uk, http://ilkleygardeners.org.uk, http://emergencyaid.net, http://dragonrider.co.uk
Latest phpList version is now 3.0.12 (3 February 2015) and requires a minimum of MySQL 5.0 and PHP 5.3.x
Dragonrider
Moderator
 
Posts: 3460
Joined: 6:58am, Sun 02 Jul, 2006
Location: Ilkley, West Yorkshire, United Kingdom

Re: Plain Text Passwords Really?

Postby Nicu » 6:57pm, Mon 11 Jul, 2011

Then I suggest this as the default setting and it should be mentioned in the Security tips. You have to admit it's a bit strange that passwords are not encrypted by default. Sure, the users won't be able to retrieve their password but they should be able to reset it if they forget it.
Nicu
phpList newbie
 
Posts: 2
Joined: 11:15am, Mon 11 Jul, 2011

Re: Plain Text Passwords Really?

Postby benmoreassynt » 8:40pm, Thu 11 Aug, 2011

Asking to encrypt passwords does not affect the admin account - it's still plain text.

Also, the passwords on this forum are stored in plain text (as can be seen by the fact that they're emailed to you after sign up).

This sucks - if your phpList install is hacked, or this forum is hacked, all passwords are accessible.
benmoreassynt
phpList newbie
 
Posts: 2
Joined: 8:38pm, Thu 11 Aug, 2011

Re: Plain Text Passwords Really?

Postby thomi » 7:52am, Fri 30 Sep, 2011

Hey

In config.php there is an option to encrypt passwords:

Code:
define("ENCRYPTPASSWORD",1);


But this does nothing... admin passwords are still unencrypted/plaintext in the database.

Only user passwords (table phplist_user_user) are encrypted... the same should work for admin passwords (table phplist_admin).

thomi
thomi
PL Nut
 
Posts: 23
Joined: 3:02pm, Tue 21 Sep, 2010
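
Added example (not part of any post in this thread and not phpList's own code): one way an application can stop keeping admin passwords in plaintext is to verify against a salted hash and upgrade any legacy plaintext row at the next successful login. The function names and the sample rows are assumptions made for illustration.

```php
<?php
// Added example. Function names and sample data are assumptions for
// illustration; they are not phpList's schema or API.

// True when the stored value is already password_hash() output.
function is_hashed(string $stored): bool
{
    return !empty(password_get_info($stored)['algo']);
}

// Checks one login attempt against a stored value and returns the hash that
// should be written back to the row (null when nothing needs to change).
function verify_admin_login(string $attempt, string $stored): array
{
    if (is_hashed($stored)) {
        $ok = password_verify($attempt, $stored);
        $upgrade = $ok && password_needs_rehash($stored, PASSWORD_DEFAULT);
    } else {
        // Legacy plaintext row: constant-time compare, upgrade on success.
        $ok = hash_equals($stored, $attempt);
        $upgrade = $ok;
    }
    return [
        'ok' => $ok,
        'new_hash' => $upgrade ? password_hash($attempt, PASSWORD_DEFAULT) : null,
    ];
}

// Constructed sample rows standing in for an admin table.
$admins = [
    'alice' => 'correct horse battery',                         // legacy plaintext
    'bob'   => password_hash('s3cond-admin', PASSWORD_DEFAULT), // already hashed
];
$attempts = [['alice', 'wrong'], ['alice', 'correct horse battery'], ['bob', 's3cond-admin']];

foreach ($attempts as [$login, $attempt]) {
    $result = verify_admin_login($attempt, $admins[$login]);
    if ($result['new_hash'] !== null) {
        $admins[$login] = $result['new_hash']; // a real application would UPDATE the row here
    }
    printf("%-5s ok=%-5s stored_hashed=%s\n", $login,
        var_export($result['ok'], true), var_export(is_hashed($admins[$login]), true));
}
```

With only a hash stored, an admin edit form has nothing to display: it leaves the password field empty and writes a new hash only when a new password is submitted.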

Re: Plain Text Passwords Really?

Postby diogenesthecynic » 4:42pm, Thu 10 Jan, 2013

diogenesthecynic
phpList newbie
 
Posts: 3
Joined: 4:58pm, Wed 09 Jan, 2013

