Password Security
Page: 1
Recent posts in this topic
Pro
Hi all,
Just been looking at the activecollab database for my installation, and noticed that the "users" table stores passwords in plain text. Is this not a security issue? I have been led to believe that only encrypted passwords should be stored, i.e. and md5 hash of the password. I know that this makes retrieving the users password impossible but this can easily be overcome by reseting the users password if they have forgotten it.
Any thoughts?
Just been looking at the activecollab database for my installation, and noticed that the "users" table stores passwords in plain text. Is this not a security issue? I have been led to believe that only encrypted passwords should be stored, i.e. and md5 hash of the password. I know that this makes retrieving the users password impossible but this can easily be overcome by reseting the users password if they have forgotten it.
Any thoughts?
Paul Dixon
Staff
Ilija Studen
on Oct 17. 2007. 10:14 am
Decision to store password in plain text format was not related to Forgot password functionality. Passwords need to be accessible through the API so system needs to be able to read them. They are available only if you are accessing the system as administrator, people manager or the user itself.
activeCollab Team Member | Experiment: activeCollab on Twitter
Pro
Thanks Ilija,
I was more concerned with someone hacking/browsing the database and seeing a list of passwords. Could the API not use an encypted version?
I was more concerned with someone hacking/browsing the database and seeing a list of passwords. Could the API not use an encypted version?
Paul Dixon
Staff
Ilija Studen
on Oct 17. 2007. 10:34 am
If someone breaks in and gains access to your database you have more serious problems than that.
We'll see what we can do about password encryption in the future.
We'll see what we can do about password encryption in the future.
activeCollab Team Member | Experiment: activeCollab on Twitter
