Author Topic: Passwords in arch_users stored in clear text  (Read 5507 times)

emilec

  • Newbie
  • *
  • Posts: 43
  • Karma: 4
    • View Profile
    • Email
Passwords in arch_users stored in clear text
« on: February 24, 2012, 16:38:45 »
I did send this off to your support as well and am not really satisfied with the response that because LDAP is supported and some people like to see passwords in the clear for recovery it's ok to store passwords in clear text in the database. It's never a good idea to do this and I am sure most of your customers are not using LDAP. Many people use the same password across systems so exposing their QueueMetrics passwords exposes their passwords on other systems. Often it's not even for the sysadmin to know what's peoples passwords are. All they need to be able to do is reset someones password.

I ask you to consider applying a hash to the password to at least make it a bit more challenging to crack. Password recovery could be done by replacing the hash with a blank value from MySQL CLI to login with no password or insert a hash value of a known password.

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: Passwords in arch_users stored in clear text
« Reply #1 on: March 13, 2012, 08:50:27 »
having encrypted passwords is basically  trivial from a technical p.o.v., but many of our users like the idea of seeing/editing passwords from the GUI. You know when you have hundreds of agents who may lock themselves out or things like that.

emilec

  • Newbie
  • *
  • Posts: 43
  • Karma: 4
    • View Profile
    • Email
Re: Passwords in arch_users stored in clear text
« Reply #2 on: March 14, 2012, 09:00:14 »
I maintain that the QM admin only needs to be able to reset user passwords and not be able to view them. Users being lax about security is not an excuse to not enforce it.

If you must then give them an option to knowingly turn encryption off, but don't let the the people who care about security suffer at the hands of the those that are ignorant about it.

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: Passwords in arch_users stored in clear text
« Reply #3 on: March 22, 2012, 11:45:45 »
We track this as issue #1613

emilec

  • Newbie
  • *
  • Posts: 43
  • Karma: 4
    • View Profile
    • Email
Re: Passwords in arch_users stored in clear text
« Reply #4 on: March 26, 2012, 12:37:57 »
Thanks!

itbiz2

  • Newbie
  • *
  • Posts: 3
  • Karma: 0
    • View Profile
    • Email
Re: Passwords in arch_users stored in clear text
« Reply #5 on: April 12, 2013, 17:57:07 »
I would also like to see passwords encrypted in the database and not shown on the user page. Additionally I would like to see the diagnostic page and license information to be hidden by default and a security key added so that the admin class can see it at all times.

QueueMetrics

  • Loway
  • Hero Member
  • *
  • Posts: 2999
  • Karma: 39
    • View Profile
    • QueueMetrics
Re: Passwords in arch_users stored in clear text
« Reply #6 on: April 17, 2013, 09:38:07 »
Thanks for posting.