Forum OpenACS Development: Storing passwords in plain text


Posted by Malte Sussdorff on
A couple of my clients asked me why it is not possible to send the user the password he has in the system, as a lot of other community sites are doing. I explained that for security reasons we do not store the password in plain text in the database, and they argued, why bother if other sites don't. Furthermore, a couple of times it happened that someone reset the password using the "forgot password" link so the user could not log in again (until he checked his e-mail).

I would like to have a parameter in acs-subsite that allows support for plain text passwords. As for the implementation, this will require a TIP, but maybe you already have some ideas you want to share.

Posted by Sebastiano Pilla on
You've already explained to your clients that this is a bad idea; if they insist, I would suggest having them sign a document that limits your legal responsibility in case of trouble.

Posted by vivian Aguilar on
Hello Malte,
Yes, that is a problem, especially when sometimes for some reason the mail server doesn't send email and you push the "forgot your password" link; there is no way to go in again unless you ask an SWA to update it again.
Maybe it would be good to have another field to store the plain password and send it by email when a user requests it (when the parameter is turned on).