[Vtigercrm-developers] hashed passwords in the customer portal
Alan Bell
alan.bell at libertus.co.uk
Fri Dec 11 14:23:16 GMT 2015
As it stands in Vtiger the customer portal doesn't store passwords in a
securely hashed form, they are just plain text strings and can be read
and re-sent easily.
This merge proposal I think works well as a first pass at storing the
passwords in an acceptable form
http://code.vtiger.com/vtiger/vtigercrm/merge_requests/13
it stores the blowfish hash of the password, but generally works as well
as it did before, if you turn on the portal for a person it sends them
an email with their password in plain text, but it stores the hash - the
emailed password is never stored. The "forgot password" routine
generates a new password and emails it out - it is impossible to
retrieve the original password. Ideally there should be a "click the
link" password reset process, but wanted to minimise the process changes
at this point. If anyone could review/test/improve the code then that
would be awesome, hopefully we can get it into 6.5.0.
Alan.
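The scheme described above (store only a bcrypt/blowfish hash, e-mail the cleartext once, regenerate rather than recover on "forgot password"), as an added illustration in PHP. This is example code, not the merge request's or Vtiger's own code: the table and column names (`vtiger_portalinfo`, `user_password`), the `PDO` handle and the `$sendMail` callback are assumptions made for the sake of a self-contained sketch.

```php
<?php
// Added example, not Vtiger code. Table/column names, the PDO handle and the
// $sendMail callable are assumptions used to keep the sketch self-contained.

const PORTAL_BCRYPT_COST = 12; // tune so a hash takes a few hundred ms on the server

// "Blowfish hash" in PHP terms: password_hash() with PASSWORD_BCRYPT yields a
// $2y$ crypt string carrying its own salt and cost, so nothing else needs storing.
function hashPortalPassword(string $clear): string
{
    return password_hash($clear, PASSWORD_BCRYPT, ['cost' => PORTAL_BCRYPT_COST]);
}

// Random password for both "enable portal" and "forgot password". The old
// value cannot be recovered from its hash, so a new one is always issued.
function generatePortalPassword(int $bytes = 12): string
{
    // CSPRNG bytes, URL-safe base64 without padding (16 chars for 12 bytes)
    return rtrim(strtr(base64_encode(random_bytes($bytes)), '+/', '-_'), '=');
}

// Enable the portal (or reset the password) for a contact: persist the hash,
// hand the cleartext to the mailer exactly once, then let it go out of scope.
function issuePortalPassword(PDO $db, int $contactId, string $email, callable $sendMail): void
{
    $clear = generatePortalPassword();
    $stmt = $db->prepare('UPDATE vtiger_portalinfo SET user_password = ? WHERE id = ?');
    $stmt->execute([hashPortalPassword($clear), $contactId]);
    // $sendMail is an assumed hook for Vtiger's mailer; the cleartext is never stored
    $sendMail($email, "Your customer portal password is: {$clear}");
}

// Portal login. password_verify() compares in constant time and reads the
// cost/salt out of the stored string, so the caller never parses the hash.
function portalLogin(PDO $db, int $contactId, string $attempt): bool
{
    static $dummy = null; // valid hash used so unknown users cost the same time
    if ($dummy === null) {
        $dummy = password_hash('dummy', PASSWORD_BCRYPT, ['cost' => PORTAL_BCRYPT_COST]);
    }

    $stmt = $db->prepare('SELECT user_password FROM vtiger_portalinfo WHERE id = ?');
    $stmt->execute([$contactId]);
    $stored = $stmt->fetchColumn();

    if ($stored === false) {
        password_verify($attempt, $dummy); // burn the same work, then fail
        return false;
    }
    if (!password_verify($attempt, $stored)) {
        return false;
    }
    // If the cost parameter was raised since this row was written, rehash now
    // while the cleartext is in hand.
    if (password_needs_rehash($stored, PASSWORD_BCRYPT, ['cost' => PORTAL_BCRYPT_COST])) {
        $upd = $db->prepare('UPDATE vtiger_portalinfo SET user_password = ? WHERE id = ?');
        $upd->execute([hashPortalPassword($attempt), $contactId]);
    }
    return true;
}

// One-time migration for rows that still hold a cleartext password: anything
// password_get_info() does not recognise as a hash is hashed in place.
// Returns the number of rows converted.
function migrateCleartextPortalPasswords(PDO $db): int
{
    $converted = 0;
    $upd = $db->prepare('UPDATE vtiger_portalinfo SET user_password = ? WHERE id = ?');
    foreach ($db->query('SELECT id, user_password FROM vtiger_portalinfo') as $row) {
        if (password_get_info((string) $row['user_password'])['algoName'] === 'unknown') {
            $upd->execute([hashPortalPassword($row['user_password']), $row['id']]);
            $converted++;
        }
    }
    return $converted;
}
```

The migration step is the part a deployment of such a change cannot skip: rows written before the change still contain the cleartext, and `portalLogin()` will reject them once it expects a bcrypt string. The "click the link" reset the post defers would replace `generatePortalPassword()` in the forgot-password path with a random, single-use token that is itself stored hashed with an expiry, so that the e-mail never carries a usable password at all.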