It should store the hash of the password using the PHP crypt function (http://php.net/manual/en/function.crypt.php).
The reset password function should then generate a new password and mail it out, or mail out a change-password link.
I agree. This legacy has stayed up due to the feature of resending the password when a customer complained that the mail was not received when portal access is granted.
Prasad: Title changed from "Customer portal stores passwords in plain text" to "Vtiger CRM stores customer portal password in plain text".
I have encrypted passwords up and working in a customer deployment, I just need to pick out the relevant bits from the irrelevant stuff. As I have it, when a resend is needed, it emails out a brand new password that it hashes and discards, so the user gets an email with a new random password. This does mean that someone who knows a portal user email address can annoy them by resetting their password, but it isn't a terrible situation.
Then it should reset directly but send an email with a link to reset the password.
This way, all you can do is annoy a user by sending him a reset email through vTiger, without affecting his password.
Yeah, you are quite right. My initial implementation was to just make minimal changes and stick with the existing process as much as possible. Right now it emails you your plain text password, but as we don't have that any more it does a reset. Emailing a reset link means storing the reset token somewhere, having new portal services for capturing clicks on the link with the reset token, and then allowing the reset process. We need to do that, for sure. This is step 1, the minimum viable solution. I need to test this branch properly, then crack on with the reset link stuff (patches welcome).
My original approach was to send the password in plain text and store it encrypted; if you try to retrieve your password it would reset it, send the new password in plain text, and store the new one. This is a bit flawed: it means anyone can cause a password reset on someone else, but it doesn't require new portal methods to click a confirmation link. It works but has scope for improvement. Sending **** and not resetting it doesn't work.
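As an added illustration of the two pieces discussed in this thread (hashing the portal password with crypt(), and the reset-link flow that needs a stored reset token), here is example code that is not Vtiger's own. The storage is modelled as an in-memory array for the portal user record; the field names (`password_hash`, `reset_token_hash`, `reset_expires`) and the one-hour token lifetime are assumptions. Only a hash of the reset token is stored, so a read of the database does not yield a usable link, and the token is single-use and expiring, so the "anyone can trigger a reset" annoyance no longer changes the victim's password.

```php
<?php
// Added example, not Vtiger code. Portal user record is a plain array here.

function hashPortalPassword(string $password): string {
    // bcrypt through crypt(): "$2y$" + cost + 22-char salt from the ./A-Za-z0-9 alphabet.
    // password_hash($password, PASSWORD_BCRYPT) is the simpler modern equivalent.
    $salt = '$2y$12$' . substr(strtr(base64_encode(random_bytes(16)), '+', '.'), 0, 22);
    return crypt($password, $salt);
}

function verifyPortalPassword(string $password, string $storedHash): bool {
    // crypt() re-derives the hash using the salt/cost embedded in the stored value.
    return hash_equals($storedHash, crypt($password, $storedHash));
}

// Reset link flow: the raw token goes in the emailed link; only its SHA-256 is stored.
function createResetToken(array &$portalUser): string {
    $token = bin2hex(random_bytes(32));
    $portalUser['reset_token_hash'] = hash('sha256', $token);
    $portalUser['reset_expires'] = time() + 3600; // assumed one-hour lifetime
    return $token;
}

// Called by the portal service that handles the click on the link.
function consumeResetToken(array &$portalUser, string $token, string $newPassword): bool {
    if (empty($portalUser['reset_token_hash']) || time() > $portalUser['reset_expires']) {
        return false; // no pending reset, or link expired
    }
    if (!hash_equals($portalUser['reset_token_hash'], hash('sha256', $token))) {
        return false; // wrong token; existing password untouched
    }
    $portalUser['password_hash'] = hashPortalPassword($newPassword);
    $portalUser['reset_token_hash'] = null; // single use
    $portalUser['reset_expires'] = 0;
    return true;
}

// Constructed walk-through.
$user = ['password_hash' => hashPortalPassword('initial-secret')];
$link = createResetToken($user);            // emailed to the customer; password unchanged so far
var_dump(verifyPortalPassword('initial-secret', $user['password_hash'])); // true
var_dump(consumeResetToken($user, 'guess', 'x'));                        // false
var_dump(consumeResetToken($user, $link, 'new-secret'));                 // true
var_dump(verifyPortalPassword('new-secret', $user['password_hash']));    // true
var_dump(consumeResetToken($user, $link, 'again'));                      // false, token spent
```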