
List:       vtigercrm-developers
Subject:    [Vtigercrm-developers] hashed passwords in the customer portal
From:       Alan Bell <alan.bell () libertus ! co ! uk>
Date:       2015-12-11 14:23:16
Message-ID: 566ADC54.3080507 () libertus ! co ! uk

As it stands in Vtiger the customer portal doesn't store passwords in a 
securely hashed form, they are just plain text strings and can be read 
and re-sent easily.
This merge proposal I think works well as a first pass at storing the 
passwords in an acceptable form:
http://code.vtiger.com/vtiger/vtigercrm/merge_requests/13

It stores the blowfish hash of the password, but generally works as well 
as it did before, if you turn on the portal for a person it sends them 
an email with their password in plain text, but it stores the hash - the 
emailed password is never stored. The "forgot password" routine 
generates a new password and emails it out - it is impossible to 
retrieve the original password. Ideally there should be a "click the 
link" password reset process, but wanted to minimise the process changes 
at this point. If anyone could review/test/improve the code then that 
would be awesome, hopefully we can get it into 6.5.0.

Alan.
_______________________________________________
http://www.vtiger.com/
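
The storage scheme described in this message, sketched as an added example that is not part of the original post and is not the code from the merge request. The function names, the in-memory array standing in for the portal user table, the password alphabet and the cost factor are assumptions; the hash comes from PHP's password_hash() with PASSWORD_BCRYPT, which is the Blowfish-based scheme.

```php
<?php
// Added example; every name here is hypothetical, not taken from the Vtiger code base.
// $store stands in for the portal user table: username => bcrypt hash.

function generatePortalPassword(int $length = 12): string
{
    // Alphabet without look-alike characters; random_int() uses the OS CSPRNG.
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, strlen($alphabet) - 1)];
    }
    return $password;
}

// Used both when the portal is enabled for a contact and for "forgot password".
function setPortalPassword(array &$store, string $user): string
{
    $plain = generatePortalPassword();
    // PASSWORD_BCRYPT yields a salted "$2y$" hash; only this string is stored.
    $store[$user] = password_hash($plain, PASSWORD_BCRYPT, ['cost' => 12]);
    return $plain; // the caller emails this once; it is never written to storage
}

function checkPortalLogin(array $store, string $user, string $attempt): bool
{
    if (!isset($store[$user])) {
        return false;
    }
    // password_verify() re-derives the hash using the salt and cost embedded in it.
    return password_verify($attempt, $store[$user]);
}

// Constructed walk-through with a made-up contact.
$store = [];
$emailed = setPortalPassword($store, 'contact@example.com');
var_dump(checkPortalLogin($store, 'contact@example.com', $emailed));  // emailed password
var_dump(checkPortalLogin($store, 'contact@example.com', 'wrong'));   // bad guess
var_dump(strpos($store['contact@example.com'], '$2y$') === 0);        // stored form is bcrypt

// "Forgot password": a fresh password replaces the stored hash.
$reissued = setPortalPassword($store, 'contact@example.com');
var_dump(checkPortalLogin($store, 'contact@example.com', $emailed));  // old password
var_dump(checkPortalLogin($store, 'contact@example.com', $reissued)); // new password
```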