List: vtigercrm-developers
Subject: [Vtigercrm-developers] hashed passwords in the customer portal
From: Alan Bell <alan.bell () libertus ! co ! uk>
Date: 2015-12-11 14:23:16
Message-ID: 566ADC54.3080507 () libertus ! co ! uk
As it stands in Vtiger the customer portal doesn't store passwords in a
securely hashed form, they are just plain text strings and can be read
and re-sent easily.
This merge proposal I think works well as a first pass at storing the
passwords in an acceptable form
http://code.vtiger.com/vtiger/vtigercrm/merge_requests/13
it stores the blowfish hash of the password, but generally works as well
as it did before, if you turn on the portal for a person it sends them
an email with their password in plain text, but it stores the hash - the
emailed password is never stored. The "forgot password" routine
generates a new password and emails it out - it is impossible to
retrieve the original password. Ideally there should be a "click the
link" password reset process, but wanted to minimise the process changes
at this point. If anyone could review/test/improve the code then that
would be awesome, hopefully we can get it into 6.5.0.
Alan.
_______________________________________________
http://www.vtiger.com/
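
The storage scheme described in the message above, sketched in PHP with bcrypt (the "blowfish hash" the message mentions). This is an added example, not code from the merge request or from Vtiger. The function names and the in-memory `$store` array are hypothetical, PHP 7 or later is assumed, and the upgrade of legacy plain-text rows at login goes beyond what the message describes.

```php
<?php
// Added example: hypothetical helpers, not Vtiger or merge-request code.
// $store is an in-memory stand-in for the portal user table (email => stored value).
const BCRYPT_OPTS = ['cost' => 12]; // assumed work factor

function generatePortalPassword(int $length = 12): string
{
    // Look-alike characters (0/O, 1/l/I) are left out: the value is read from an email.
    $alphabet = 'abcdefghijkmnopqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789';
    $password = '';
    for ($i = 0; $i < $length; $i++) {
        $password .= $alphabet[random_int(0, strlen($alphabet) - 1)]; // CSPRNG
    }
    return $password;
}

// Used when the portal is turned on for a contact and by "forgot password":
// only the bcrypt hash is stored; the plain text is returned once for the email.
function issuePortalPassword(array &$store, string $email): string
{
    $plain = generatePortalPassword();
    $store[$email] = password_hash($plain, PASSWORD_BCRYPT, BCRYPT_OPTS);
    return $plain;
}

function verifyPortalLogin(array &$store, string $email, string $attempt): bool
{
    if (!isset($store[$email])) {
        return false;
    }
    $stored = $store[$email];
    // Rows written before the change hold plain text, not a hash (assumption).
    if (password_get_info($stored)['algoName'] === 'unknown') {
        if (!hash_equals($stored, $attempt)) {
            return false;
        }
        // Correct legacy password: replace the plain text with its hash.
        $store[$email] = password_hash($attempt, PASSWORD_BCRYPT, BCRYPT_OPTS);
        return true;
    }
    return password_verify($attempt, $stored);
}

// Constructed sample data: one legacy plain-text row.
$store = ['legacy@example.com' => 'oldPlaintext1'];
$sent = issuePortalPassword($store, 'new@example.com');
var_dump(verifyPortalLogin($store, 'new@example.com', $sent));
var_dump(verifyPortalLogin($store, 'legacy@example.com', 'oldPlaintext1'));
var_dump($store);
```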