Norwegian_Rat Posted February 23, 2017 Will the password issue be taken care of in TB? There are quite a few posts regarding this subject in the PS forum, and people are not happy with the PS solution, to put it mildly =)
wakabayashi Posted February 23, 2017 You can easily remove it from the template. But yeah, I hope it won't be included by default...
Norwegian_Rat (Author) Posted February 23, 2017 What do you mean, @wakabayashi? You need to be able to reset your password somehow if you have forgotten it, but a control question or something would be nice to have, instead of clicking a link in your mail and getting another mail with the new password =)
wakabayashi Posted February 23, 2017 I thought you meant that the password is written after an account is created. I don't know if it's still like this, but it surely was... I don't like security questions, to be honest...
Norwegian_Rat (Author) Posted February 23, 2017 I don't like them either, but if it is needed to better secure clients, I really don't care. There might be better options. I'm no expert at all regarding this. I've just read that getting passwords in mails is preposterous, and thus a dealbreaker for running a project on the platform.
ajensen27 Posted February 24, 2017 If you're just going to remove the password from the emails, how will customers know what their reset passwords are? Since those are currently emailed to them (which is horrible).
alwayspaws Posted February 24, 2017 @mdekker said in "Security issue - password sent in mail": Due to backwards compatibility it is going to be limited to just removing the password from the email, I'm afraid. https://github.com/thirtybees/ThirtyBees/issues/121 This is an acceptable compromise until the next version. It's terrible to be emailed your own password.
lesley Posted February 24, 2017 @ajensen27 this is only for the newly created account emails. Not for all the emails like the password reset emails.
Siteboost Posted November 22, 2017 Sorry for bumping an old thread, but as far as I can see, there is still a big unresolved issue here. In the guesttocustomer.html email template the password tag has been replaced with asterisks (******), so how does the new user get his password? In the password.html email template the {passwd} tag is still there, giving the user the ability to see his password, but at the same time it poses a potential security risk. I think a solution to this issue should be of high priority.
lesley Posted November 22, 2017 Good question. What flow would you recommend for converting like that?
30knees Posted November 22, 2017 What about a link to the store where they can set their own password?
lesley Posted November 22, 2017 Yeah, we will have to see if that is possible with the existing framework. I am not sure; it might be a breaking change with every template.
Siteboost Posted November 23, 2017 A link to set your own password would definitely be a nice feature, but one should be aware that this solution is only slightly safer compared to the current solution. If a user's e-mail account is hacked, the hacker will still be able to access the user's webshop account by simply requesting a new password in the store and then clicking the reset-password link sent to the user. As long as the shop doesn't store credit card information, I would say that a reset-password-link solution would be sufficient, but for shops that allow logged-in users to complete purchases with a saved credit card, another layer of security (e.g. security questions) could be necessary.
lesley Posted November 23, 2017 I will see what we can get together for 1.0.5. I don't think we can do the security question. Although good practice, it would require core changes that would not be backwards compatible.
annafjmorris Posted January 2, 2018 I am looking forward to some progress here and glad to see it's on the cards.
annafjmorris Posted January 2, 2018 Some extra admin-level security would be great, 2FA for store admins etc. Even the store administrator password is sent in the email after a password change at the moment, which is just unbelievable. It makes me very anxious about data protection.
bzndk Posted January 2, 2018 The best option here would be just to actually send out a link in the e-mail that resets and auto-generates a password; that way there is no issue with new front-end additions :)
smarterweb Posted January 18, 2018 So for now the question is: how can we get the password in emails back when converting a guest account to a real one (guesttocustomer.html email template)? Right now they get an email with the password showing as "*****" and they obviously can't log in, so it's pretty useless. What's the official statement here, and is there a solution/commit for this on git? (Couldn't find anything.)
annafjmorris Posted January 18, 2018 Perhaps a one-time login link might work; it sounds like that would be an unrelated system, so backwards compatibility could be maintained? Drupal does this and it seems to work well. Similar idea: a one-time password. This all assumes that there is a way to actually change your password from within the account after the one-time login or password; I'm not actually sure that's the case.
Smile Posted October 22, 2018 Is there any news on this? I would like to have it working like this module. If a guest account needs a password they can also receive this link, of course. https://addons.prestashop.com/nl/veiligheid-toegang/29907-simple-password-reset.html (Maybe there is also news on guest accounts -> customer accounts.)
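The one-time reset link that several posters above propose (instead of mailing the password itself) is illustrated below as an added example; it is not thirtybees or PrestaShop code. The store keeps only a hash of the random token, gives it a one-hour lifetime (an assumed value), and burns it on first use, so a mailed link that is read later or replayed no longer works. The in-memory store and the `ResetTokenStore` class name are stand-ins for a real database table.

```python
import hashlib
import secrets
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 3600  # assumed: a reset link is valid for one hour


@dataclass
class ResetRecord:
    user_id: int
    expires_at: float
    used: bool = False


class ResetTokenStore:
    """Stand-in for a 'pending password resets' table keyed by token hash."""

    def __init__(self):
        self._records = {}  # sha256(token) -> ResetRecord

    def issue(self, user_id, now):
        """Create a single-use token. Only the raw value goes into the e-mail;
        the database holds its hash, so a DB leak does not leak usable links."""
        raw = secrets.token_urlsafe(32)  # 256 bits of randomness, not guessable
        digest = hashlib.sha256(raw.encode()).hexdigest()
        self._records[digest] = ResetRecord(user_id, now + TOKEN_TTL_SECONDS)
        return raw

    def redeem(self, raw, now):
        """Return the user_id if the token is known, unexpired and unused,
        otherwise None. Lookup is by hash, so the raw token is never stored."""
        digest = hashlib.sha256(raw.encode()).hexdigest()
        rec = self._records.get(digest)
        if rec is None or rec.used or now > rec.expires_at:
            return None
        rec.used = True  # burn the token: the same link cannot be replayed
        return rec.user_id


def build_reset_link(base_url, raw_token):
    """Link placed in the e-mail body; the shop page behind it lets the user
    choose a new password instead of the shop sending one in clear text."""
    return f"{base_url}/password-reset?token={raw_token}"


def complete_reset(store, raw_token, new_password, now, user_table):
    """Shop-side handler: redeem the token, then store a salted password hash."""
    user_id = store.redeem(raw_token, now)
    if user_id is None:
        return False
    salt = secrets.token_bytes(16)
    pw_hash = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, 200_000)
    user_table[user_id] = (salt, pw_hash)
    return True
```

As Siteboost notes above, this still trusts the mailbox: anyone reading the user's mail within the lifetime can use the link once, which is why a short TTL and single use matter.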