barrycarey, Posted April 24, 2016

Why is TCA able to pull user passwords (including admins) from the database in plain text? I'm a bit surprised there are no threads about this since it seems to be a glaring issue IMO. I haven't dug into it enough to see how it's being done, but it seems to me that it's a rather large security issue.
Dennis, Posted April 24, 2016

The passwords are hashed in the database. When TCAdmin wants to access the passwords, fx when sending a mail that contains the password, they're 'resolved'.
barrycarey (Author), Posted May 7, 2016 (edited)

Quoting Dennis: "The passwords are hashed in the database. When TCAdmin wants to access the passwords, fx when sending a mail that contains the password, they're 'resolved'."

Passwords should never be able to be 'resolved' back out of the database. They should be stored using a 1-way hash, ideally salted. If a user forgets the password it is reset, not sent in plain text. That's been considered basic password security for at least the last decade. Not even the site owner should be able to obtain the password once it's stored in the database.

Edited May 7, 2016 by barrycarey
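The storage model the post above is asking for, as an added example that is not TCAdmin's code and not from anyone in this thread: a per-user salted one-way hash (PBKDF2-HMAC-SHA256) that can only be verified, never 'resolved', plus a forgotten-password flow that issues a single-use, expiring reset token instead of mailing the password. The in-memory STORE, the iteration count and the 15-minute token lifetime are assumptions for illustration.

```python
import hashlib
import hmac
import os
import secrets
import time

# Hypothetical in-memory user table; a real deployment would use a database row.
STORE = {}


def _hash(secret: str, salt: bytes) -> bytes:
    # One-way: PBKDF2-HMAC-SHA256 with a per-user random salt (iteration count illustrative).
    return hashlib.pbkdf2_hmac("sha256", secret.encode(), salt, 200_000)


def create_user(username: str, password: str) -> None:
    salt = os.urandom(16)
    # Only salt + hash are stored; there is no field from which the password can be recovered.
    STORE[username] = {"salt": salt, "hash": _hash(password, salt), "reset": None}


def stored_fields(username: str):
    # What an admin or a database dump can see for this user.
    return list(STORE[username].keys())


def verify_password(username: str, password: str) -> bool:
    rec = STORE.get(username)
    if rec is None:
        return False
    return hmac.compare_digest(rec["hash"], _hash(password, rec["salt"]))


def issue_reset_token(username: str, ttl: float = 900, now=None) -> str:
    # Returns the token to send to the user; only its SHA-256 digest is stored,
    # so a database read is not enough to complete a reset either.
    token = secrets.token_urlsafe(32)
    now = time.time() if now is None else now
    STORE[username]["reset"] = {"hash": hashlib.sha256(token.encode()).digest(), "expires": now + ttl}
    return token


def reset_password(username: str, token: str, new_password: str, now=None) -> bool:
    rec = STORE.get(username)
    pending = rec["reset"] if rec else None
    if pending is None:
        return False
    now = time.time() if now is None else now
    digest = hashlib.sha256(token.encode()).digest()
    if now > pending["expires"] or not hmac.compare_digest(digest, pending["hash"]):
        return False
    rec["reset"] = None  # single-use: consumed on success
    rec["salt"] = os.urandom(16)  # fresh salt with the new password
    rec["hash"] = _hash(new_password, rec["salt"])
    return True
```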
Dennis, Posted May 8, 2016

Agreed, and a reset function has been suggested before. However, bear in mind that Version 2 is beta software.