Norwegian_Rat Posted February 23, 2017 Share Posted February 23, 2017 Will the password-issue be taken care of in TB? There's quite a few posts regarding this subject in the PS-forum, and people are not happy with the PS solution, to put it mildly =) Link to comment Share on other sites More sharing options...
wakabayashi Posted February 23, 2017 Share Posted February 23, 2017 You can easily remove it from the template. But yeah, I hope it won't be included by default... Link to comment Share on other sites More sharing options...
Norwegian_Rat Posted February 23, 2017 Author Share Posted February 23, 2017 What do you mean, @wakabayashi ? You need to be able to reset your password somehow if you have forgotten it, but a control question or something would be nice to have, instead of clicking a link in your mail and getting another mail with the new password =) Link to comment Share on other sites More sharing options...
wakabayashi Posted February 23, 2017 Share Posted February 23, 2017 I thought you mean that the password is written after an account is created. I don't know if it's still like this, but it surely was... I don't like security questions to be honest... Link to comment Share on other sites More sharing options...
Norwegian_Rat Posted February 23, 2017 Author Share Posted February 23, 2017 i don't like them either, but if it is needed to better secure clients, I really don't care. There might be better options. I'm no expert at all regarding this. I've just read that getting passwords in mails is preposterous, and thus being a dealbreaker for running a project on the platform. Link to comment Share on other sites More sharing options...
ajensen27 Posted February 24, 2017 Share Posted February 24, 2017 If you're just going to remove the password from the emails, how will customers know what their reset passwords are? Since those are currently emailed to them (which is horrible). Link to comment Share on other sites More sharing options...
alwayspaws Posted February 24, 2017 Share Posted February 24, 2017 @mdekker said in Security issue - password sent in mail: Due to backwards compatibility it is going to be limited to just removing the password from the email, I'm afraid. https://github.com/thirtybees/ThirtyBees/issues/121 This is an acceptable compromise until the next version. It's terrible to be emailed your own password. Link to comment Share on other sites More sharing options...
lesley Posted February 24, 2017 Share Posted February 24, 2017 @ajensen27 this is only for the newly created account emails. Not for all the emails like the password reset emails. Link to comment Share on other sites More sharing options...
Siteboost Posted November 22, 2017 Share Posted November 22, 2017 Sorry for bumping an old thread, but as far as I can see, there is still a big unresolved issue here. In the guesttocustomer.html email template the password tag has been replaced with asterisks (******), so how does the new user get his password? In the password.html email template the {passwd} tag is still there, giving the user the ability to see his password, but at the same time it poses a potential security risk. I think a solution to this issue should be of high priority. Link to comment Share on other sites More sharing options...
lesley Posted November 22, 2017 Share Posted November 22, 2017 Good question. What flow would you recommend for converting like that? Link to comment Share on other sites More sharing options...
30knees Posted November 22, 2017 Share Posted November 22, 2017 What about a link to the store where they can set their own password? Link to comment Share on other sites More sharing options...
lesley Posted November 22, 2017 Share Posted November 22, 2017 Yeah, we will have to see if that is possible with the existing framework, I am not sure, it might be a breaking change with every template. Link to comment Share on other sites More sharing options...
Siteboost Posted November 23, 2017 Share Posted November 23, 2017 A link to set your own password would definitely be a nice feature, but one should be aware that this solution is only slightly safer compared to the current solution. If a user's e-mail account is hacked, the hacker will still be able to access the user's webshop account by simply requesting a new password in the store and then clicking the reset-password-link sent to the user. As long as the shop doesn't store credit card information, I would say that a reset-password-link solution would be sufficient, but for shops that allow logged in users to complete purchases with a saved credit card, another layer of security (e.g. security questions) could be necessary. Link to comment Share on other sites More sharing options...
lesley Posted November 23, 2017 Share Posted November 23, 2017 I will see what we can get together for 1.0.5. I don't think we can do the security question. Although good practice, it would require core changes that would not be backwards compatible. Link to comment Share on other sites More sharing options...
annafjmorris Posted January 2, 2018 Share Posted January 2, 2018 I am looking forward to some progress hear and glad to see it's on the cards ? Link to comment Share on other sites More sharing options...
annafjmorris Posted January 2, 2018 Share Posted January 2, 2018 Some extra admin level security would be great, 2FA for store admins etc. Even the store administrator password is sent in the email after a password change at the moment, which is just unbelievable. It makes me very anxious about data protection. Link to comment Share on other sites More sharing options...
bzndk Posted January 2, 2018 Share Posted January 2, 2018 The best option here would be just to actually send out a link in the e-mail that reset and auto generate a password, that way there is no issue with new front-end additions :) Link to comment Share on other sites More sharing options...
smarterweb Posted January 18, 2018 Share Posted January 18, 2018 so for now the question is: how can we get the pw in emails back when converting a guest account to a real one (guesttocustomer.html email template)? right now they get an email with the pw showing as "*****" and they obviously can't log in, so it's pretty useless. what's the official statement here and is there a solution/commit for this on git? (couldn't find anything) Link to comment Share on other sites More sharing options...
annafjmorris Posted January 18, 2018 Share Posted January 18, 2018 Perhaps a one time login link might work, sounds like that would be an unrelated system so backwards compatibility could be maintained? Drupal does this and it seems to work well. Similar idea, a one time password. This all assumes that there is a way to actully change your password from with in the account after the one time login or password, I'm not actually sure that's the case. Link to comment Share on other sites More sharing options...
Smile Posted October 22, 2018 Share Posted October 22, 2018 Is there any news on this. I would like to have it working as this module. If a guest account needs a password they can also receive this link ofcourse. https://addons.prestashop.com/nl/veiligheid-toegang/29907-simple-password-reset.html (maybe there is also news on guest accounts -> to customer accounts) Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now