thirty bees forum

Security issue - password sent in mail


Norwegian_Rat


I don't like them either, but if it is needed to better secure clients, I really don't care. There might be better options. I'm no expert at all regarding this. I've just read that getting passwords in mails is preposterous, and thus a dealbreaker for running a project on the platform.


  • 8 months later...

Sorry for bumping an old thread, but as far as I can see, there is still a big unresolved issue here.

In the guesttocustomer.html email template the password tag has been replaced with asterisks (******), so how does the new user get his password? In the password.html email template the {passwd} tag is still there, giving the user the ability to see his password, but at the same time it poses a potential security risk.

I think a solution to this issue should be of high priority.


A link to set your own password would definitely be a nice feature, but one should be aware that this solution is only slightly safer compared to the current solution. If a user's e-mail account is hacked, the hacker will still be able to access the user's webshop account by simply requesting a new password in the store and then clicking the reset-password-link sent to the user.

As long as the shop doesn't store credit card information, I would say that a reset-password-link solution would be sufficient, but for shops that allow logged in users to complete purchases with a saved credit card, another layer of security (e.g. security questions) could be necessary.


  • 1 month later...
  • 3 weeks later...

So for now the question is: how can we get the password in emails back when converting a guest account to a real one (guesttocustomer.html email template)? Right now they get an email with the password showing as "*****" and they obviously can't log in, so it's pretty useless. What's the official statement here, and is there a solution/commit for this on git? (Couldn't find anything.)


Perhaps a one-time login link might work; sounds like that would be an unrelated system, so backwards compatibility could be maintained? Drupal does this and it seems to work well. Similar idea: a one-time password. This all assumes that there is a way to actually change your password from within the account after the one-time login or password; I'm not actually sure that's the case.

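The reset-password-link and one-time login link ideas from the two posts above, sketched as an added example (this is not thirty bees code and not the module linked elsewhere in the thread). The token store, function names and one-hour lifetime are assumptions; the point is that the mail carries only a random, single-use, expiring token, the shop stores only its hash, and the user then sets a password of their own instead of receiving one in clear text.

```python
import hashlib
import secrets
import time

TOKEN_TTL_SECONDS = 3600  # assumption: a set-password link lives one hour

# Hypothetical in-memory store: {sha256(token): (customer_id, expires_at)}.
# Only the hash is persisted, so a copied database does not yield usable links.
_tokens = {}


def _hash_token(raw):
    return hashlib.sha256(raw.encode("ascii")).hexdigest()


def issue_login_token(customer_id, now=None, ttl=TOKEN_TTL_SECONDS):
    """Create a single-use set-password token; return the raw value for the e-mail link."""
    now = time.time() if now is None else now
    raw = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG, never stored raw
    _tokens[_hash_token(raw)] = (customer_id, now + ttl)
    return raw


def redeem_login_token(raw, now=None):
    """Return the customer id if the token is valid and consume it; otherwise None."""
    now = time.time() if now is None else now
    # pop() removes the entry, so a link can only ever be used once (expired or not)
    entry = _tokens.pop(_hash_token(raw), None)
    if entry is None:
        return None  # unknown or already used token
    customer_id, expires_at = entry
    if now > expires_at:
        return None  # expired: the user has to request a fresh link
    return customer_id


def build_set_password_link(base_url, raw):
    """Link to put in the guest-to-customer or password e-mail instead of a password."""
    return f"{base_url}/set-password?token={raw}"
```

After a successful redeem the shop should show the set-password form for that customer and accept nothing else on that session until a password has been chosen.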

  • 9 months later...

Is there any news on this? I would like to have it working as this module. If a guest account needs a password they can also receive this link of course. https://addons.prestashop.com/nl/veiligheid-toegang/29907-simple-password-reset.html

(maybe there is also news on guest accounts -> to customer accounts)

